Manual:System/Certificates: Difference between revisions
No edit summary |
|||
Line 97: | Line 97: | ||
|arg=expired | |arg=expired | ||
|type=yes {{!}} no | |type=yes {{!}} no | ||
|desc= | |desc=Whether CA is expired. | ||
}} | }} | ||
Line 109: | Line 109: | ||
|arg=invalid-after | |arg=invalid-after | ||
|type=date | |type=date | ||
|desc= | |desc=The date after which CA wil be invalid. | ||
}} | }} | ||
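Review bot: the new desc for invalid-after contains a typo, "wil" should be "will". It also uses the future tense ("will be invalid") while the invalid-before entry below uses the present tense; one consistent wording for both date fields would read better.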
Line 115: | Line 115: | ||
|arg=invalid-before | |arg=invalid-before | ||
|type=date | |type=date | ||
|desc= | |desc=The date before which CA is invalid. | ||
}} | }} | ||
Line 133: | Line 133: | ||
|arg=name | |arg=name | ||
|type=string | |type=string | ||
|desc= | |desc=Name of the certificate. Name can be edited. | ||
}} | }} | ||
Line 145: | Line 145: | ||
|arg=self-signed | |arg=self-signed | ||
|type=yes {{!}} no | |type=yes {{!}} no | ||
|desc= | |desc=Whether CA is self signed | ||
}} | }} | ||
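Review bot: the new desc for self-signed has no closing period, unlike the other descriptions added in this edit, and it writes "self signed" where the property name is self-signed. Suggest "Whether CA is self-signed."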
Line 196: | Line 196: | ||
<p id="shbox"> <b>Sub-menu:</b> <code>/certificate ca certificate</code><br /></p> | <p id="shbox"> <b>Sub-menu:</b> <code>/certificate ca certificate</code><br /></p> | ||
'''Properties''' | |||
{{Mr-arg-table-h | |||
|prop=Property | |||
|desc=Description | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=ca | |||
|type=string | |||
|desc=Name of the CA certificate stored in [[#Self-Signed CA Management | Self-Signed CAs menu]] | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=common-name | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=country | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=email | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=expired | |||
|type=yes {{!}} no | |||
|desc=Whether certificate is expired | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=fingerprint | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=invalid-after | |||
|type=date | |||
|desc=Date after which certificate will be invalid | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=invalid-before | |||
|type=date | |||
|desc=Date before which certificate is invalid | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=locality | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=name | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=organization | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=revoked | |||
|type=date | |||
|desc=Date and time when certificate was last revoked | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=serial-number | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table | |||
|arg=state | |||
|type=string | |||
|desc= | |||
}} | |||
{{Mr-arg-ro-table-end | |||
|arg=unit | |||
|type=string | |||
|desc= | |||
}} | |||
'''Commands''' | '''Commands''' |
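Review bot: in the Properties table for /certificate ca certificate, the desc fields for fingerprint, serial-number and state are empty, and these are the values an administrator relies on to identify a certificate and judge whether it is usable. The page states elsewhere that all fingerprints are SHA1, so the fingerprint row could at least say that. The revoked row says "last revoked"; if a certificate can only be revoked once, "Date and time when certificate was revoked" would be clearer.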
Revision as of 10:22, 25 April 2012
Applies to RouterOS: v6.0 +
Summary
Sub-menu: /certificate
Package required: security
Standards: RFC 5280, draft-nourse-scep-22
(needs editing)
General Menu
Sub-menu: /certificate
Properties
(needs editing) ca email issuer name subject
Read-only: alias decrypted-private-key dsa invalid-after invalid-before private-key rsa serial-number
Commands
(needs editing) create-certificate-request decrypt import reset-certificate-cache
Self-Signed CA Management
Sub-menu: /certificate ca
Starting from RouterOS version 6, it is possible to create and manage self-signed CAs. It is not possible to import self-signed CAs here. The implementation is based on RFC 5280, and all certificates are X.509 v3.
All certificate fingerprints are SHA1. All private keys and the CA export passphrase are stored encrypted with the hardware ID. CRL renewal happens at every certificate revocation and after 24 hours.
Note: Time and date on routers MUST be correct
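Validity windows (invalid-before, invalid-after) and CRL age only have meaning relative to a clock. The following added example, which is not part of the original manual and models RFC 5280 validity-window checking rather than RouterOS's own code, lists every verdict that changes when the router clock is wrong. The function names, certificate names, dates and clocks are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

CRL_RENEWAL = timedelta(hours=24)  # CRL renewal interval stated on this page

def validity_state(invalid_before, invalid_after, now):
    """RFC 5280 validity window: usable only while invalid_before <= now <= invalid_after."""
    if now < invalid_before:
        return "not-yet-valid"
    if now > invalid_after:
        return "expired"
    return "valid"

def crl_problem(crl_issued, now, renewal=CRL_RENEWAL):
    """Return why a CRL looks wrong from this clock's point of view, or None."""
    if crl_issued > now:
        return "crl-issued-in-future"
    if now - crl_issued > renewal:
        return "crl-stale"
    return None

def clock_findings(certs, crl_issued, router_now, reference_now):
    """List every verdict that differs between the router clock and a trusted clock."""
    findings = []
    for name, (nb, na) in sorted(certs.items()):
        seen = validity_state(nb, na, router_now)
        real = validity_state(nb, na, reference_now)
        if seen != real:
            findings.append((name, real, seen))
    seen, real = crl_problem(crl_issued, router_now), crl_problem(crl_issued, reference_now)
    if seen != real:
        findings.append(("crl", real or "fresh", seen or "fresh"))
    return findings

UTC = timezone.utc
# Constructed sample data: certificate names, dates and clocks are made up.
REFERENCE_NOW = datetime(2012, 4, 25, 10, 22, tzinfo=UTC)
CERTS = {
    "ca1": (datetime(2012, 1, 1, tzinfo=UTC), datetime(2022, 1, 1, tzinfo=UTC)),
    "vpn-client": (datetime(2012, 3, 1, tzinfo=UTC), datetime(2013, 3, 1, tzinfo=UTC)),
    "old-server": (datetime(2010, 1, 1, tzinfo=UTC), datetime(2011, 1, 1, tzinfo=UTC)),
}
CRL_ISSUED = REFERENCE_NOW - timedelta(hours=3)
RESET_CLOCK = datetime(1970, 1, 2, tzinfo=UTC)    # clock fell back to the epoch
FAST_CLOCK = REFERENCE_NOW + timedelta(days=400)  # clock running far ahead

if __name__ == "__main__":
    for label, clock in (("reset", RESET_CLOCK), ("fast", FAST_CLOCK)):
        for name, real, seen in clock_findings(CERTS, CRL_ISSUED, clock, REFERENCE_NOW):
            print(f"{label} clock: {name} is {real} but appears {seen}")
```

With the reset clock an already expired certificate looks merely not yet valid, and with the fast clock a valid client certificate is rejected as expired; neither is visible from the router without comparing against an external time source.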
Properties
Property | Description |
---|---|
alias () | |
common-name (string) | |
country (string) | |
crl-host (string) | |
email (string) | |
expired (yes | no) | Whether CA is expired. |
fingerprint (string) | |
invalid-after (date) | The date after which CA will be invalid. |
invalid-before (date) | The date before which CA is invalid. |
issuer (string) | |
locality (string) | |
name (string) | Name of the certificate. Name can be edited. |
organization (string) | |
self-signed (yes | no) | Whether CA is self-signed. |
serial-number (string) | |
state (string) | |
unit (string) | |
Commands
Command | Description |
---|---|
create-self-signed-ca () | Creates a self-signed CA and generates its key. Required extensions are export passphrase (which is used to protect the private key when a user tries to export it), validity period and IP address. |
export (name or number of cert) | Exports the certificate and the private key, which is encrypted with the provided passphrase. |
remove (name or number of cert) | Removes the specified CA and all linked certificates. |
Self-signed Certificates
Sub-menu: /certificate ca certificate
Properties
Property | Description |
---|---|
ca (string) | Name of the CA certificate stored in Self-Signed CAs menu |
common-name (string) | |
country (string) | |
email (string) | |
expired (yes | no) | Whether certificate is expired |
fingerprint (string) | |
invalid-after (date) | Date after which certificate will be invalid |
invalid-before (date) | Date before which certificate is invalid |
locality (string) | |
name (string) | |
organization (string) | |
revoked (date) | Date and time when certificate was last revoked |
serial-number (string) | |
state (string) | |
unit (string) | |
Commands
Command | Description |
---|---|
create-certificate () | |
sign-certificate-request () | |
revoke () | |
export (name or number of cert) | Exports the certificate and private key. The difference from CA export is that the private key is protected with a passphrase specified during the export process. Everyone who has rights to export can access private keys. |