Manual:System/Certificates: Difference between revisions
| Line 432: | Line 432: | ||
Simple Certificate Enrollment protocol (SCEP) was developed based on [[draft-nourse-scep-22]]. | Simple Certificate Enrollment protocol (SCEP) was developed based on [[draft-nourse-scep-22]]. | ||
The protocol is designed so that any user can request certificate as simple as possible. The protocol allows to issue and revoke certificates. | The protocol is designed so that any user can request certificate as simple as possible. The protocol allows to issue and revoke certificates. | ||
| Line 443: | Line 443: | ||
SCEP is using HTTP protocol and base64 encoded GET requests. | SCEP is using HTTP protocol and base64 encoded '''GET''' requests. Most of requests are without authentication and cipher, however important ones can be protected if necessary (ciphered or signed using received public key). | ||
SCEP client in RouterOS will: | |||
* get CA certificate from CA server or RA (if used); | |||
* user should compare fingerprint of the CA certificate or if it comes from the right server; | |||
* generate self-signed certificate with temporary key; | |||
* sends certificate request to the server; | |||
* if server respond with status '''x''', then client keeps requesting until server sends an error or approval. | |||
SCEP server supports issue of one certificate only. RouterOS supports also renew and next-ca options: | |||
* '''renew''' - possibility to renew old certificate automatically with the same CA. | |||
* '''next-ca''' - possibility to change current CA cartificate to the new one. Server notifies client about changes before CA expires, then client requests new certificate from the new CA. When old certificate expires Client automatically change certificate to the new one. | |||
RouterOS Server also supports ''POST''' operation, '''3DES''' cipher and '''SHA1''' hashing. If client does not support these features then http '''GET''', '''DES''' cipher and '''MD5''' hashing is used. | |||
RouterOS client by default will try to use POST, 3DES and SHA1. | |||
Revision as of 15:55, 25 April 2012
Applies to RouterOS: v6.0 +
Summary
Sub-menu: /certificate
Package required: security
Standards: RFC 5280, draft-nourse-scep-22
Certificate manager is used to collect all certificates inside router, to manage and create serlf-signed certificates and to control and set SCEP related configuration.
General Menu
Sub-menu: /certificate
Properties
| Property | Description |
|---|---|
| alias () | |
| ca (yes | no) | |
| decrypted-private-key (yes | no) | Whether private key is decrypted |
| dsa (yes | no) | |
| email (string) | |
| invalid-after (date) | The date after which certificate wil be invalid. |
| invalid-before (date) | The date before which certificate is invalid. |
| issuer (string) | |
| name (string) | Name of the certificate. Name can be edited. |
| private-key (yes | no) | |
| rsa (yes | no) | |
| serial-number (string) | |
| subject (string) |
Commands
| Command | Description |
|---|---|
| create-certificate-request () | Creates certificate request file and key. |
| decrypt () | Decrypt private key. |
| import (file-name) | File name of certificate or key to be imported. |
| reset-certificate-cache () | Resets certificate cache after this private keys must be decrypted. |
Self-Signed CA Management
Sub-menu: /certificate ca
Starting from RouterOS version 6 it is possible to manage and create self-signed CAs. It is not possible to import self signed CAs here. Implementation was made based on RFC 5280 and all certificates are X.509 v3.
All certificate fingerprints are SHA1. All private keys and CA export passphrase are stored encrypted with hardware ID. CRL renewal happens at every certificate revocation and after 24hours.
Note: Time and date on routers MUST be correct
Properties
| Property | Description |
|---|---|
| alias () | |
| common-name (string) | |
| country (string) | |
| crl-host (string) | |
| email (string) | |
| expired (yes | no) | Whether CA is expired. |
| fingerprint (string) | |
| invalid-after (date) | The date after which CA wil be invalid. |
| invalid-before (date) | The date before which CA is invalid. |
| issuer (string) | |
| locality (string) | |
| name (string) | Name of the certificate. Name can be edited. |
| organization (string) | |
| self-signed (yes | no) | Whether CA is self signed |
| serial-number (string) | |
| state (string) | |
| unit (string) |
Commands
| Command | Description |
|---|---|
| create-self-signed-ca () | Creates self signed CA and generates key. Required extensions are export passphrase (which is used to protect private key when user tries to export it), validity period and IP address. |
| export (name or number of cert) | Exports certificate and private key which is encrypted with provided passphrase. |
| remove (name or number of cert) | Remove specified CA and all linked certificates. |
Self-signed Certificates
Sub-menu: /certificate ca certificate
Properties
| Property | Description |
|---|---|
| ca (string) | Name of the CA certificate stored in Self-Signed CAs menu |
| common-name (string) | |
| country (string) | |
| email (string) | |
| expired (yes | no) | Whether certificate is expired |
| fingerprint (string) | |
| invalid-after (date) | Date after which certificate will be invalid |
| invalid-before (date) | Date before which certificate is invalid |
| locality (string) | |
| name (string) | |
| organization (string) | |
| revoked (date) | Date and time when certificate was last revoked |
| serial-number (string) | |
| state (string) | |
| unit (string) |
Commands
| Command | Description |
|---|---|
| create-certificate () | Generate certificate and key assigned from specified CA. User manually provides standard certificate parameters. |
| sign-certificate-request (ca, days-valid, file-name, key-bits) | Generates certificate and key, except that standard parameters are taken from certificate request. Command takes four parameters:
|
| revoke (name or number of cert) | Certificate can't be deleted. You can only revoke it. After revoke is executed certificate is added to CRL and CRL is renewed. |
| export (name or number of cert) | Export certificate and private key. Difference from CA export is that private key is protected with passphrase specified during the export process. Everyone ho has rights to export can access private keys. |
SCEP
Sub-menu: /certificate
Standards: draft-nourse-scep-22
Simple Certificate Enrollment protocol (SCEP) was developed based on draft-nourse-scep-22.
The protocol is designed so that any user can request certificate as simple as possible. The protocol allows to issue and revoke certificates.
How SCEP works
Topology: CL ---- RA ---- CA
- CL - client
- RA - registration authority (proxy)
- CA - certification authority (server)
SCEP is using HTTP protocol and base64 encoded GET requests. Most of requests are without authentication and cipher, however important ones can be protected if necessary (ciphered or signed using received public key).
SCEP client in RouterOS will:
- get CA certificate from CA server or RA (if used);
- user should compare fingerprint of the CA certificate or if it comes from the right server;
- generate self-signed certificate with temporary key;
- sends certificate request to the server;
- if server respond with status x, then client keeps requesting until server sends an error or approval.
SCEP server supports issue of one certificate only. RouterOS supports also renew and next-ca options:
- renew - possibility to renew old certificate automatically with the same CA.
- next-ca - possibility to change current CA cartificate to the new one. Server notifies client about changes before CA expires, then client requests new certificate from the new CA. When old certificate expires Client automatically change certificate to the new one.
RouterOS Server also supports POST' operation, 3DES cipher and SHA1 hashing. If client does not support these features then http GET, DES cipher and MD5 hashing is used.
RouterOS client by default will try to use POST, 3DES and SHA1.
Client
Sub-menu: /certificate scep client
Server
Sub-menu: /certificate scep server
[ Top | Back to Content ]