Manual:System/Certificates: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
← Older editNewer edit →
No edit summary
Line 17: Line 17:


Starting from v6rc10, CRL will be automatically renewed every hour for certificates which have "trusted=yes" using http protocol (ldap and ftp is currently unsupported). Segmented CRL is also currently unsupported.
Starting from v6rc10, CRL will be automatically renewed every hour for certificates which have "trusted=yes" using http protocol (ldap and ftp is currently unsupported). Segmented CRL is also currently unsupported.
RouterOS allows to manage and create self-signed CAs. Implementation was made based on RFC 5280 and all certificates are X.509 v3.
All certificate fingerprints are SHA1. All private keys and CA export passphrase are stored encrypted with hardware ID. CA CRL renewal happens at every certificate revocation and after 24hours.
{{Note | Time and date on routers MUST be correct}}


==General Menu==
==General Menu==
Line 309: Line 317:
|type=
|type=
|desc=Sign CA certificate from created template. When signing CA you can specify <var>ca-crl-host</var> if crl should be used.
|desc=Sign CA certificate from created template. When signing CA you can specify <var>ca-crl-host</var> if crl should be used.
}}
{{Mr-arg-ro-table
|arg=sign-certificate-request
|type=
|desc=Sign certificate from certificate request and CA
}}
{{Mr-arg-ro-table-end
|arg=sign-issued
|type=
|desc=Sign issued certificate (client, server..etc) from CA and template
}}
==Self-Signed CA Management==
<p id="shbox"> <b>Sub-menu:</b> <code>/certificate ca</code><br /></p>
'''Properties'''
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}
{{Mr-arg-ro-table
|arg=alias
|type=
|desc=
}}
{{Mr-arg-ro-table
|arg=common-name
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=country
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=crl-host
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=email
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=expired
|type=yes {{!}} no
|desc=Whether CA is expired.
}}
{{Mr-arg-ro-table
|arg=fingerprint
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=invalid-after
|type=date
|desc=The date after which CA wil be invalid.
}}
{{Mr-arg-ro-table
|arg=invalid-before
|type=date
|desc=The date before which CA is invalid.
}}
{{Mr-arg-ro-table
|arg=issuer
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=locality
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=name
|type=string
|desc=Name of the certificate. Name can be edited.
}}
{{Mr-arg-ro-table
|arg=organization
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=self-signed
|type=yes {{!}} no
|desc=Whether CA is self signed
}}
{{Mr-arg-ro-table
|arg=serial-number
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=state
|type=string
|desc=
}}
{{Mr-arg-ro-table-end
|arg=unit
|type=string
|desc=
}}
'''Commands'''
{{Mr-arg-table-h
|prop=Command
|desc=Description
}}
{{Mr-arg-ro-table
|arg=create-self-signed-ca
|type=
|desc=Creates self signed CA and generates key. Required extensions are export passphrase (which is used to protect private key when user tries to export it), validity period and IP address.
}}
{{Mr-arg-ro-table
|arg=export
|type=name or number of cert
|desc=Exports certificate and private key which is encrypted with provided passphrase.
}}
{{Mr-arg-ro-table-end
|arg=remove
|type=name or number of cert
|desc=Remove specified CA and all linked certificates.
}}
===Issued Certificates===
<p id="shbox"> <b>Sub-menu:</b> <code>/certificate ca certificate</code><br /></p>
'''Properties'''
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}
{{Mr-arg-ro-table
|arg=ca
|type=string
|desc=Name of the CA certificate stored in [[#Self-Signed CA Management | Self-Signed CAs menu]]
}}
{{Mr-arg-ro-table
|arg=common-name
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=country
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=email
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=expired
|type=yes {{!}} no
|desc=Whether certificate is expired
}}
{{Mr-arg-ro-table
|arg=fingerprint
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=invalid-after
|type=date
|desc=Date after which certificate will be invalid
}}
{{Mr-arg-ro-table
|arg=invalid-before
|type=date
|desc=Date before which certificate is invalid
}}
{{Mr-arg-ro-table
|arg=locality
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=name
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=organization
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=revoked
|type=date
|desc=Date and time when certificate was revoked
}}
{{Mr-arg-ro-table
|arg=serial-number
|type=string
|desc=
}}
{{Mr-arg-ro-table
|arg=state
|type=string
|desc=
}}
{{Mr-arg-ro-table-end
|arg=unit
|type=string
|desc=
}}
'''Commands'''
{{Mr-arg-table-h
|prop=Command
|desc=Description
}}
{{Mr-arg-ro-table
|arg=create-certificate
|type=
|desc=Generate certificate and key assigned from specified CA. User manually provides standard certificate parameters.
}}
}}


Line 591: Line 329:
}}
}}


{{Mr-arg-ro-table
{{Mr-arg-ro-table-end
|arg=revoke
|arg=sign-issued
|type=name or number of cert
|type=
|desc=Certificate can't be deleted. You can only revoke it. After revoke is executed certificate is added to CRL and CRL is renewed.
|desc=Sign issued certificate (client, server..etc) from CA and template
}}
}}


{{Mr-arg-ro-table-end
|arg=export
|type=name or number of cert
|desc=Export certificate and private key. Difference from CA export is that private key is protected with passphrase specified during the export process. Everyone ho has rights to export can access private keys.
}}


==SCEP==
==SCEP==

Revision as of 17:12, 14 November 2013

Applies to RouterOS: v6.0 +

Summary

Sub-menu: /certificate
Package required: security
Standards: RFC 5280, draft-nourse-scep-22


Certificate manager is used to collect all certificates inside router, to manage and create serlf-signed certificates and to control and set SCEP related configuration.

Note: Starting from v6 certificate validity is shown using local time zone offset. In previous versions it was UTF.


Warning: RSA Key length must be at least 472 bits if certificate is used by SSTP. Shorter keys are considered as security threats.


Starting from v6rc10, CRL will be automatically renewed every hour for certificates which have "trusted=yes" using http protocol (ldap and ftp is currently unsupported). Segmented CRL is also currently unsupported.

RouterOS allows to manage and create self-signed CAs. Implementation was made based on RFC 5280 and all certificates are X.509 v3.


All certificate fingerprints are SHA1. All private keys and CA export passphrase are stored encrypted with hardware ID. CA CRL renewal happens at every certificate revocation and after 24hours.

Note: Time and date on routers MUST be correct



General Menu

Sub-menu: /certificate

Properties

Property Description
common-name (string; Default: )
country (string; Default: )
days-valid (integer [0..4294967295]; Default: )
email (string; Default: )
key-size (1024 | 1536 | 2048 | 4096 | 8192; Default: )
key-usage (list of [digital-signature | content-commitment | key-encipherment | data-encipherment | key-agreement | key-cert-sign | crl-sign | encipher-only | decipher-only]; Default: )
locality (string; Default: )
name (string; Default: ) Name of the certificate. Name can be edited.
organization (string; Default: )
state (string; Default: )
trusted (yes | no; Default: ) If set to yes certificate is included "in trusted certificate chain"
unit (string; Default: )


Read-only Properties

Property Description
authority ()
ca ()
ca-crl-host ()
ca-fingerprint ()
crl ()
dsa (yes | no)
expired (yes | no) Set to true if certificate is expired
fingerprint ()
invalid-after (date) The date after which certificate wil be invalid.
invalid-before (date) The date before which certificate is invalid.
issued ()
issuer (string)
private-key (yes | no)
req-fingerprint ()
revoked ()
scep-url (string)
serial-number (string)
smart-card-key (string)
status ()


Commands

Command Description
add () Adds new certificate template.
add-scep ()
ca-set-passphrase ()
card-reinstall ()
card-verify ()
create-certificate-request () Create certificate request from specified template.
export () Export certificate to file. When export-passphrase is specified, certificate will be exported with encrypted key.
import (file-name) File name of certificate or key to be imported.
issued-revoke () Revoke issued certificate
scep-renew ()
sign-ca () Sign CA certificate from created template. When signing CA you can specify ca-crl-host if crl should be used.
sign-certificate-request (ca, days-valid, file-name, key-bits) Generates certificate and key, except that standard parameters are taken from certificate request. Command takes four parameters:
  • ca - name of the CA certificate
  • days-valid - validity period
  • file-name - certificate request filename
  • key-bits - RSA key bits
sign-issued () Sign issued certificate (client, server..etc) from CA and template


SCEP

Sub-menu: /certificate
Standards: draft-nourse-scep-22

Simple Certificate Enrollment protocol (SCEP) was developed based on draft-nourse-scep-22.

The protocol is designed so that any user can request certificate as simple as possible. The protocol allows to issue and revoke certificates.


How SCEP works

Topology: CL ---- RA ---- CA

  • CL - client
  • RA - registration authority (proxy)
  • CA - certification authority (server)


SCEP is using HTTP protocol and base64 encoded GET requests. Most of requests are without authentication and cipher, however important ones can be protected if necessary (ciphered or signed using received public key).

SCEP client in RouterOS will:

  • get CA certificate from CA server or RA (if used);
  • user should compare fingerprint of the CA certificate or if it comes from the right server;
  • generate self-signed certificate with temporary key;
  • sends certificate request to the server;
  • if server respond with status x, then client keeps requesting until server sends an error or approval.


SCEP server supports issue of one certificate only. RouterOS supports also renew and next-ca options:

  • renew - possibility to renew old certificate automatically with the same CA.
  • next-ca - possibility to change current CA certificate to the new one. Client polls the server for any changes, if server advertise that next-ca is available, then client may request next CA or wait until CA almost expires and then request next-ca.


RouterOS Server also supports POST' operation, 3DES cipher and SHA1 hashing. If client does not support these features then http GET, DES cipher and MD5 hashing is used.


RouterOS client by default will try to use POST, 3DES and SHA1 if server advertises that.


Client

Sub-menu: /certificate scep client


Properties

Property Description
ca-identity (string; Default: DummyCAIdentity)
challenge-password (string; Default: "") OTP password on the server used to grant certificate automatically after request.
common-name (string; Default: )
country (string; Default: )
disabled (yes | no; Default: no)
email (string; Default: )
fingerprint-algorithm (md5 | sha1; Default: sha1)
key-bits (1024 | 2048 | 4096; Default: 1024)
locality (string; Default: )
name (string; Default: ) Short descriptive name of an item
organziation (string; Default: )
path (string; Default: ) Path of certificate located on the server. If server is RouterOS then you should add "scep/"+path since certificates on server are stored in "scep" dir.
serial-number (string; Default: )
server (IP | IPv6; Default: ) IP or IPv6 address of the SCEP server
state (string; Default: )
store-name (string; Default: ) Name of the certificate which will be used after importing into certificate store.
unit (string; Default: )


Status Properties

Property Description
ca-fingerprint (string)
req-fingerprint (string)
status (string) Shows the current status of the client. Idle, pending, requesting etc.


Commands

Command Description
renew (ca_client_name) Renew Ca certificate of specified CA client Name.


Server

Sub-menu: /certificate scep server



OTP

Sub-menu: /certificate scep server otp


Transactions

Sub-menu: /certificate scep server transactions



[ Top | Back to Content ]

Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:System/Certificates&oldid=25849"