Certificate manager is used to:
Starting from RouterOS version 6, certificate validity is shown using the local time zone offset. In previous versions it was shown in UTC.
/certificate
The general menu is used to manage certificates, add templates, issue certificates and manage SCEP clients.
Certificate templates are deleted right after the certificate issue or certificate request command is executed:
/certificate
add name=CA-Template common-name=CAtemp key-usage=key-cert-sign,crl-sign
add name=Server common-name=server
add name=Client common-name=client
Let's print out the certificates:
[admin@4k11] /certificate> print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
 0 name="CA-Template" key-type=rsa common-name="CAtemp" key-size=2048 subject-alt-name="" days-valid=365 key-usage=key-cert-sign,crl-sign
 1 name="Server" key-type=rsa common-name="server" key-size=2048 subject-alt-name="" days-valid=365 key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
 2 name="Client" key-type=rsa common-name="client" key-size=2048 subject-alt-name="" days-valid=365 key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
If a CA certificate is removed, all certificates issued in that chain are also removed.
Certificates should be signed. In the following example, we will sign the certificates and add a CRL URL for the server certificate:
/certificate sign CA-Template
/certificate sign Client
/certificate sign Server ca-crl-host=192.168.88.1 name=ServerCA
Let's check whether the certificates are signed:
[admin@MikroTik] /certificate> print
Flags: K - private-key; L - crl; A - authority; T - trusted
Columns: NAME, COMMON-name, FINGERPRINT
 #      NAME         COMMON  FINGERPRINT
 0 K AT CA-Template  CAtemp  0c7aaa7607a4dde1bbf33deaae6be7bac9fe4064ba47d64e8a73dcefad6cfc38
 1 K AT Client       client  b3ff25ecb166ea41e15733a7493003f3ea66310c10390c33e98fe32364c3659f
 2 KLAT ServerCA     server  152b88c9d81f4b765a59e2302e01efd1fbf11ceeed6e59f4974e87787a5bb980
The time taken by the key signing process depends on the key-size of the specific certificate. With values of 4k and higher, signing can take a substantial time on devices with less powerful CPUs.
It is possible to export client certificates with their keys, as well as the CA certificate:
/certificate export-certificate CA-Template
/certificate export-certificate ServerCA export-passphrase=yourpassphrase
/certificate export-certificate Client export-passphrase=yourpassphrase
Exported certificates are available in the /file section:
[admin@MikroTik] > file print
Columns: NAME, TYPE, SIZE, CREATION-TIME
 # NAME                         TYPE       SIZE  CREATION-TIME
 0 skins                        directory        jan/19/2019 00:00:04
 1 flash                        directory        jan/19/2019 01:00:00
 2 flash/rw                     directory        jan/19/2019 01:00:00
 3 flash/rw/disk                directory        jan/19/2019 01:00:00
 4 pub                          directory        jan/19/2019 02:42:16
 5 cert_export_CA-Template.crt  .crt file  1119  jan/19/2019 04:15:21
 6 cert_export_ServerCA.crt     .crt file  1229  jan/19/2019 04:15:42
 7 cert_export_ServerCA.key     .key file  1858  jan/19/2019 04:15:42
 8 cert_export_Client.crt       .crt file  1164  jan/19/2019 04:15:55
 9 cert_export_Client.key       .key file  1858  jan/19/2019 04:15:55