Overview
| Table of Contents |
|---|
Certificate manager is used to:
- collecting all certificates inside the router;
- manage and create self-signed certificates;
- manage CRL;
- control and set SCEP-related configuration.
Starting from RouterOS version 6, certificate validity is shown using local time zone offset. In previous versions, it was UTF.
General Menu
| Code Block | ||
|---|---|---|
| ||
/certificate |
...
Certificate Template
Certificate templates are used to prepare a desired certificate for signing.
A ertificate template is deleted right after a certificate is signed or a certificate request command is executed
| Code Block | ||
|---|---|---|
| ||
/certificate
add name=CA-Template common-name=CAtemp key-usage=key-cert-sign,crl-sign
add name=Server common-name=server
add name=Client common-name=client |
Let`s To print out certificates:
| Code Block | ||
|---|---|---|
| ||
[admin@4k11] /certificate> print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 name="CA-Template" key-type=rsa common-name="CAtemp" key-size=2048 subject-alt-name="" days-valid=365 key-usage=key-cert-sign,crl-sign
1 name="Server" key-type=rsa common-name="server" key-size=2048 subject-alt-name="" days-valid=365
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
2 name="Client" key-type=rsa common-name="client" key-size=2048 subject-alt-name="" days-valid=365
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client |
...
Certificate properties
...
| Property | Description |
|---|---|
| common-name (string) | Certificate common name |
| copy-from (name) | Certificate name from which to copy general settings |
| country (string) | Certificate issuer country |
| days-valid (days Default: 365) | Days certificate will be valid after signing |
| digest-algorithm (md5 | sha1 | sha256 | sha384 | sha512 Default: sha256) | Certificate public key algorithm |
| key-size (1024 | 1536 | 2048 | 4096 | 8192 | prime256v1 | secp384r1 | secp521r1 Default: 2048) | Certificate public key size |
key-usage (code-sign | crl-sign | decipher-only | dvcs | encipher-only key-cert-sign | ocsp-sign | tls-client | content-commitment | data-encipherment | digital-signature | email-protect | key-agreement | key-encipherment | timestamp | tls-server Default: digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client) | Certificate usage |
locality (string) | Certificate issuer locality |
name (string) | Certificate name |
organization (string) | Certificate issuer organization |
state (string) | Certificate issuer state |
subject-alt-name (DNS: | IP: | email:) | Certificate subject alternative name |
trusted (no| yes Default: ) | |
unit (string) | Certificate issuer organizational unit |
...
To import certificates, certificates must upload uploaded to a device using one of the file upload methods.
Certificates are impossible to import using GUI or CLImust be imported as a file.
| Property | Description |
|---|---|
| name (string Default: file-name_number) | A certificate name that will be shown in the certificate manager |
| file-name (string) | A file name that will be imported |
| passphrase (string Default: none) | File passphrase if there is such |
...
Note that the DNS name must point to the router and port TCP/80 must be available from the WAN. If the dns-name is not specified, it will default to the automatically generated /ip cloud name (ie. http://example.sn.mynetname.net)
...