Overview
Certificate manager is used to:
- collect all certificates inside the router;
- manage and create self-signed certificates;
- control and set SCEP-related configuration.
Starting from RouterOS version 6, certificate validity is shown using the local time zone offset. In previous versions it was shown in UTC.
General Menu
```
/certificate
```
The general menu is used to manage certificates, add templates, issue certificates, and manage CRLs and SCEP clients.
Certificate Template
Certificate templates are used to prepare a desired certificate for signing.
A certificate template is deleted right after a certificate is signed from it or a certificate request command is executed.
```
/certificate
add name=CA-Template common-name=CAtemp key-usage=key-cert-sign,crl-sign
add name=Server common-name=server
add name=Client common-name=client
```
To print out the certificates (templates are listed in the same way as signed certificates):
```
[admin@4k11] /certificate> print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
 0 name="CA-Template" key-type=rsa common-name="CAtemp" key-size=2048 subject-alt-name="" days-valid=365
   key-usage=key-cert-sign,crl-sign

 1 name="Server" key-type=rsa common-name="server" key-size=2048 subject-alt-name="" days-valid=365
   key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client

 2 name="Client" key-type=rsa common-name="client" key-size=2048 subject-alt-name="" days-valid=365
   key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
```
Certificate properties
Property | Description |
---|---|
common-name (string) | Certificate common name (CN) |
copy-from (name) | Certificate name from which to copy general settings |
country (string) | Subject country (C); for a CA certificate this also becomes the issuer field of the certificates it signs |
days-valid (days Default: 365) | Number of days the certificate will be valid after signing |
digest-algorithm (md5 | sha1 | sha256 | sha384 | sha512 Default: sha256) | Hash algorithm used for the certificate signature. md5 and sha1 are obsolete and rejected by current TLS clients; keep sha256 or stronger |
key-size (1024 | 1536 | 2048 | 4096 | 8192 | prime256v1 | secp384r1 | secp521r1 Default: 2048) | RSA key size in bits (1024 to 8192) or, for EC keys, the named curve (prime256v1, secp384r1, secp521r1). The resulting key-type is shown as a read-only property after signing |
key-usage (code-sign | crl-sign | decipher-only | dvcs | encipher-only | key-cert-sign | ocsp-sign | tls-client | content-commitment | data-encipherment | digital-signature | email-protect | key-agreement | key-encipherment | timestamp | tls-server Default: digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client) | Certificate key usage and extended key usage. The default set includes key-cert-sign and crl-sign, which makes the signed certificate a CA (A flag, as the Server and Client templates above show); set key-usage explicitly on templates for server and client certificates |
locality (string) | Subject locality (L) |
name (string) | Certificate name |
organization (string) | Subject organization (O) |
state (string) | Subject state (ST) |
subject-alt-name (DNS: | IP: | email:) | Certificate subject alternative name; several entries can be given separated by commas (e.g. DNS:router.example.com,IP:192.0.2.1) |
trusted (no | yes Default: no) | Whether the router treats the certificate as trusted (T flag) when verifying certificate chains |
unit (string) | Subject organizational unit (OU) |
Certificate read-only properties
After a certificate is signed, most of the template properties become read-only (except name and trusted), and the following properties are added.
Property | Description |
---|---|
serial-number | Certificate serial number |
fingerprint | SHA-256 fingerprint of the certificate (the 64 hex digits shown by print) |
akid | Authority key identifier (identifies the key of the issuing CA) |
skid | Subject key identifier |
invalid-before | Date and time before which the certificate is not yet valid (notBefore) |
invalid-after | Date and time after which the certificate is expired (notAfter) |
expires-after | Time remaining until invalid-after |
key-type | Key algorithm of the certificate's public key (rsa or ec) |
ca | Common name of the issuing certificate authority |
Note: If a CA certificate is removed, all certificates issued by it (the whole chain below it) are also removed.
...
After signing, print shows the resulting certificates together with their flags (K = private key present, L = CRL, A = authority, T = trusted):
```
[admin@MikroTik] /certificate> print
Flags: K - private-key; L - crl; A - authority; T - trusted
Columns: NAME, COMMON-NAME, FINGERPRINT
#        NAME         COMMON  FINGERPRINT
0 K AT   CA-Template  CAtemp  0c7aaa7607a4dde1bbf33deaae6be7bac9fe4064ba47d64e8a73dcefad6cfc38
1 K AT   Client       client  b3ff25ecb166ea41e15733a7493003f3ea66310c10390c33e98fe32364c3659f
2 KLAT   ServerCA     server  152b88c9d81f4b765a59e2302e01efd1fbf11ceeed6e59f4974e87787a5bb980
```
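As an added example (not code from the original page), here is one complete path from templates to a usable chain: a self-signed CA, a server certificate whose key usage is limited to what a TLS server needs, a client certificate, trust, export, and binding the server certificate to the HTTPS management service. The names myCA, web-server and vpn-client, the hostnames, the address 192.0.2.1 and the export passphrase are assumptions. The point worth noticing is the key-usage override: the default template key usage includes key-cert-sign and crl-sign, so leaf certificates signed from an unmodified template would themselves be able to sign certificates (both Server and Client above carry the A flag for that reason).

```ros
# Added example, not part of the original page. Names, addresses and the
# passphrase are assumptions; adjust them to your environment.
/certificate

# 1. CA template: signing usages only, 10-year validity, 4096-bit RSA.
#    (Large keys take noticeably longer to sign on low-end CPUs.)
add name=myCA common-name="Example Root CA" key-size=4096 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign

# 2. Leaf templates. Giving key-usage explicitly drops key-cert-sign and
#    crl-sign from the default set, so these certificates cannot act as CAs.
add name=web-server common-name=router.example.com \
    subject-alt-name=DNS:router.example.com,IP:192.0.2.1 \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=397
add name=vpn-client common-name=alice \
    key-usage=digital-signature,key-encipherment,tls-client days-valid=365

# 3. Sign. The CA is self-signed (no ca= given); ca-crl-host is the address
#    from which clients can fetch the CRL. Templates are consumed by signing.
sign myCA ca-crl-host=192.0.2.1 name=myCA
sign web-server ca=myCA name=web-server
sign vpn-client ca=myCA name=vpn-client

# 4. Mark the CA as trusted (T flag) so the router itself accepts the
#    certificates it issued.
set myCA trusted=yes

# 5. Check: the leaves must show K but not A, and their key-usage must not
#    contain key-cert-sign or crl-sign; ca= must name the CA.
print where name=web-server
print detail where name=web-server

# 6. Use the server certificate for HTTPS management and turn off plain HTTP.
/ip service set www-ssl certificate=web-server disabled=no
/ip service set www disabled=yes

# 7. Export the CA certificate for distribution (no passphrase given, so no
#    private key is written) and the client certificate together with its key,
#    protected by a passphrase. Requires the "sensitive" policy; the files
#    appear as cert_export_<name>.crt and cert_export_<name>.key.
/certificate export-certificate myCA
/certificate export-certificate vpn-client export-passphrase=ChangeMe123
```

Step 5 is the check that matters: if a leaf still shows the A flag, the template was signed with the default key-usage and the issued certificate can mint further certificates that the router will trust.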
Note: The time taken by the signing process depends on the key size of the certificate. With keys of 4k bits and larger, signing can take a substantial time on devices with less powerful CPUs.
...
The exported files appear in the router's file list:
```
[admin@MikroTik] > file print
Columns: NAME, TYPE, SIZE, CREATION-TIME
#  NAME                         TYPE       SIZE  CREATION-TIME
0  skins                        directory        jan/19/2019 00:00:04
1  flash                        directory        jan/19/2019 01:00:00
2  flash/rw                     directory        jan/19/2019 01:00:00
3  flash/rw/disk                directory        jan/19/2019 01:00:00
4  pub                          directory        jan/19/2019 02:42:16
5  cert_export_CA-Template.crt  .crt file  1119  jan/19/2019 04:15:21
6  cert_export_ServerCA.crt     .crt file  1229  jan/19/2019 04:15:42
7  cert_export_ServerCA.key     .key file  1858  jan/19/2019 04:15:42
8  cert_export_Client.crt       .crt file  1164  jan/19/2019 04:15:55
9  cert_export_Client.key       .key file  1858  jan/19/2019 04:15:55
```
Note: Exporting certificates requires the "sensitive" user policy.
Import Certificate
To import a certificate, first upload the certificate file to the device using one of the file upload methods.
Certificates are always imported from a file.
Property | Description |
---|---|
name (string Default: file-name_number) | A certificate name that will be shown in the certificate manager |
file-name (string) | A file name that will be imported |
passphrase (string Default: none) | File passphrase if there is such |
```
[admin@MikroTik] > /certificate/import file-name=certificate_file_name name=name_example passphrase=file_passphrase
     certificates-imported: 2
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
[admin@MikroTik] > /certificate/print
Flags: K - PRIVATE-KEY; T - TRUSTED
Columns: NAME, COMMON-NAME
#     NAME            COMMON-NAME
0 KT  name_example    cert
1  T  name_example_1  ca
```
Let's Encrypt certificates
...
Note that the DNS name must resolve to the router and TCP/80 must be reachable from the WAN, because the ACME server validates ownership of the name over HTTP. If dns-name is not specified, it defaults to the automatically generated /ip cloud name (i.e. http://example.sn.mynetname.net).
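The prerequisites above, worked through as an added example (not from the original page): the router's /ip cloud DDNS name is used, the input chain is opened for the validation request, and the issued certificate is checked. The interface list name WAN and the hostname are assumptions.

```ros
# Added example, not part of the original page. The WAN interface list and
# the hostname are assumptions.

# A) Using the /ip cloud DDNS name (the default when dns-name is omitted).
#    The name shown by print is the one the certificate will be issued for.
/ip cloud set ddns-enabled=yes
/ip cloud print

# B) HTTP validation: the ACME server connects to TCP/80 on the public
#    address, so a default-deny input chain needs an explicit accept.
#    place-before=0 puts the rule first so a later drop rule cannot shadow it.
/ip firewall filter add chain=input protocol=tcp dst-port=80 \
    in-interface-list=WAN action=accept comment="ACME HTTP validation" \
    place-before=0

# C) Request the certificate from Let's Encrypt (the default ACME server).
#    With dns-name omitted the cloud name from step A is used instead.
/certificate enable-ssl-certificate dns-name=router.example.com

# D) Verify: the issued certificate must show the requested name, a
#    Let's Encrypt issuer and a sane invalid-after date.
/certificate print detail where common-name=router.example.com
```

The same reachability is needed every time the certificate is issued again, so if the accept rule is removed after step C it has to be restored before a renewal.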
Different ACME servers
Starting from 7.15beta7, enable-ssl-certificate is no longer limited to the Let's Encrypt service: any other ACME server can be used by pointing directory-url at it.
Server properties
Property | Description |
---|---|
directory-url (string) | ACME directory URL. |
eab-hmac-key (string) | HMAC key for ACME External Account Binding (optional). |
eab-kid (string) | External Account Binding key identifier (optional). |
Example:
```
/certificate/enable-ssl-certificate directory-url=https://acme.zerossl.com/v2/DV90 dns-name=mydomain.abc eab-hmac-key=4ac7xuxAdV4mIncwIIEhLjExsFZ4v1rWgDkX4SKXD25pMVtF85GZJYSF8UKXUOjzSr2g3-v4lhL57NHFaQ42Ff eab-kid=GHWaP2_Ghx73vcU8ricAKU
```
SCEP
SCEP uses HTTP with base64-encoded GET requests. Most requests are neither authenticated nor encrypted; the important ones can be protected when necessary, i.e. encrypted or signed using a public key received from the server.
...
SCEP certificates are renewed when 3/4 of their validity time has passed.
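An added example (not from the original page) of the two sides of a SCEP enrollment: the CA router publishes a CA certificate over SCEP, and a client router enrolls from a template. The CA name myCA (a signed CA certificate with its private key, as in the signing example earlier), the address 192.0.2.1, the path and the client names are assumptions; the property names used (ca-cert and path on scep-server, template, scep-url and ca-identity on add-scep) are given as I know them from RouterOS and should be confirmed with the CLI's inline help (type ? after the command) before relying on them.

```ros
# Added example, not part of the original page. Names, address and path are
# assumptions; myCA is assumed to exist as a signed CA with a private key.

# --- CA router (192.0.2.1): publish myCA over SCEP under /scep/myca.
#     The SCEP server is served by the www service, so plain HTTP must be on.
/ip service set www disabled=no
/certificate scep-server add ca-cert=myCA path=/scep/myca

# --- Client router: template -> SCEP request -> issued certificate.
#     key-usage is set explicitly so the result is a leaf, not a CA.
/certificate add name=branch1 common-name=branch1.example.com \
    key-usage=digital-signature,key-encipherment,tls-client
/certificate add-scep template=branch1 scep-url=http://192.0.2.1/scep/myca \
    ca-identity=myCA

# The template is consumed by the request; the issued certificate keeps the
# name. Check ca=, invalid-after and that no A (authority) flag is present.
# expires-after shows how long until renewal is due (at 3/4 of validity).
/certificate print where name=branch1
/certificate print detail where name=branch1

# The CA certificate is received during enrollment. Trust it explicitly so
# chains the client router verifies against it succeed (CN is an assumption).
/certificate set [find common-name="Example Root CA"] trusted=yes
```

Because the enrollment request itself travels over plain HTTP and is not authenticated by the transport, the SCEP path should only be reachable from the networks that need to enroll; restrict TCP/80 on the CA router with the input chain accordingly.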
Import Certificate
To import certificates, first upload the certificate file to the device using one of the file upload methods.
Certificates are then imported from that file, using either the GUI or the CLI (/certificate/import, as shown above).
...
...