Manual:Create Certificates: Difference between revisions
Revision as of 16:56, 19 December 2012
The following is a step-by-step guide to creating your own CA (Certificate Authority) with openssl on Linux.
Generate certificates
Note: Starting from v5.15, RouterOS supports the pkcs8 key format. If you are using an older version, to import a key in pkcs8 format run the command:
openssl rsa -in myKey.key -text
and write the key output to a new file. Upload the new file to RouterOS and import it.
- The first step is to build the CA private key and CA certificate pair.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
During the process you will have to fill in a few entries (Common Name (CN), Organization, State or Province, etc.). The created CA certificate/key pair will be valid for 10 years (3650 days).
- Now create the private-key/certificate pair for the server.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Warning: The RSA key length must be at least 472 bits if the certificate is used by SSTP. Shorter keys are considered a security threat.
And again, during the process you will have to fill in some entries. When filling in the CN, remember that it must not be the same on the CA and server certificates, otherwise a naming collision will occur later.
Note: The Common Name (CN) in the server certificate should match the IP address of your server, otherwise you will get a "domain mismatch" message and, for example, the Windows SSTP client will not be able to connect to the server. If the clients are only Windows machines then the CN can be a DNS name, too.
Note: If you are using "My ID user FQDN" in the IPsec config then the "subjectaltname" extension should be set on the certificate, and it must match the value set in the remote peer's "My ID user FQDN".
- The client key/certificate pair creation steps are very similar to the server's. Remember to specify a unique CN, and a serial number that this CA has not already used (serial numbers must be unique per issuer, so the client certificate cannot reuse the server's 01).
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
To examine a certificate, run the following command:
openssl x509 -noout -text -in server.crt -purpose
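The whole CA / server / client procedure above as one non-interactive script, added here as an example and not part of the original guide. It keeps the guide's structure (CA, then CA-signed server and client certificates with distinct CNs and serials) and adds the subjectAltName mentioned in the IPsec note, then checks the result with openssl verify. Assumptions not taken from the guide: unencrypted keys (the guide protects them with -des3), 2048-bit keys to keep the runtime short, a two-step self-signed CA so that CA:TRUE is set explicitly instead of relying on the local openssl.cnf, and the documentation address 192.0.2.1 standing in for the server IP.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumptions: unencrypted
# 2048-bit keys, explicit CA extensions, 192.0.2.1 as a placeholder server IP.
set -eu

# make_pki DIR SERVER_IP : create ca.*, server.* and client.* inside DIR
make_pki() {
    dir=$1; ip=$2
    mkdir -p "$dir"
    # 1. CA key, CSR and self-signed CA certificate. The CA CN must differ
    #    from every leaf CN, or the naming collision described above occurs.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/C=XX/O=Example/CN=Example CA" \
        -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key/CSR signed by the CA. CN is the server IP (as the note
    #    above requires) and subjectAltName carries the same IP.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/C=XX/O=Example/CN=$ip" \
        -out "$dir/server.csr"
    printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/server.ext"
    openssl x509 -req -days 3650 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # 3. Client key/CSR: unique CN and a serial this CA has not used yet
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -subj "/C=XX/O=Example/CN=client1" \
        -out "$dir/client.csr"
    openssl x509 -req -days 3650 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 02 -out "$dir/client.crt" 2>/dev/null
}

# cert_serial CERT : print the certificate's serial number (hex)
cert_serial() { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }

# cert_cn CERT : print the CN from the certificate subject
cert_cn() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'; }

# verify_chain DIR CERT : succeed only if CERT chains to DIR/ca.crt
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }

make_pki pki 192.0.2.1
verify_chain pki pki/server.crt && verify_chain pki pki/client.crt && echo "chain ok"
```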
Import certificates
To import the newly created certificates to your router, first upload the server.crt and server.key files to the router via FTP.
Now go to the /certificate submenu and run the following commands:
[admin@test_host] /certificate> import file-name=server.crt
passphrase:
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
[admin@test_host] /certificate> import file-name=server.key
passphrase:
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
If everything is imported properly, the certificate should show up with the KR flag.
[admin@test_host] /certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0 KR name="cert1" subject=C=LV,ST=RI,L=Riga,O=MT,CN=server,emailAddress=xxx@mt.lv
      issuer=C=LV,ST=RI,L=Riga,O=MT,CN=MT CA,emailAddress=xxx@mt.lv serial-number="01"
      email=xxx@mt.lv invalid-before=jun/25/2008 07:24:33 invalid-after=jun/23/2018 07:24:33 ca=yes
Note: If you want to use server certificates for OVPN or SSTP together with client certificate verification, then the CA certificate must be imported, too.