Manual:System/Certificates

From MikroTik Wiki
Jump to navigation Jump to search

Applies to RouterOS: v6.0 +

Summary

Sub-menu: /certificate
Package required: security
Standards: RFC 5280, draft-nourse-scep-22

(needs editing)

General Menu

Sub-menu: /certificate


Properties

(needs editing) ca email issuer name subject

Read-only: alias decrypted-private-key dsa invalid-after invalid-before private-key rsa serial-number


Commands (needs editing) create-certificate-request decrypt import reset-certificate-cache


Self-Signed CA Management

Sub-menu: /certificate ca


Starting from RouterOS version 6 it is possible to manage and create self-signed CAs. It is not possible to import self signed CAs here. Implementation was made based on RFC 5280 and all certificates are X.509 v3.


All certificate fingerprints are SHA1. All private keys and CA export passphrase are stored encrypted with hardware ID. CRL renewal happens at every certificate revocation and after 24hours.

Note: Time and date on routers MUST be correct


Properties

Property Description
alias ()
common-name (string)
country (string)
crl-host (string)
email (string)
expired (yes | no) Whether CA is expired.
fingerprint (string)
invalid-after (date) The date after which CA wil be invalid.
invalid-before (date) The date before which CA is invalid.
issuer (string)
locality (string)
name (string) Name of the certificate. Name can be edited.
organization (string)
self-signed (yes | no) Whether CA is self signed
serial-number (string)
state (string)
unit (string)


Commands

Command Description
create-self-signed-ca () Creates self signed CA and generates key. Required extensions are export passphrase (which is used to protect private key when user tries to export it), validity period and IP address.
export (name or number of cert) Exports certificate and private key which is encrypted with provided passphrase.
remove (name or number of cert) Remove specified CA and all linked certificates.


Self-signed Certificates

Sub-menu: /certificate ca certificate


Properties

Property Description
ca (string) Name of the CA certificate stored in Self-Signed CAs menu
common-name (string)
country (string)
email (string)
expired (yes | no) Whether certificate is expired
fingerprint (string)
invalid-after (date) Date after which certificate will be invalid
invalid-before (date) Date before which certificate is invalid
locality (string)
name (string)
organization (string)
revoked (date) Date and time when certificate was last revoked
serial-number (string)
state (string)
unit (string)


Commands

Command Description
create-certificate () Generate certificate and key assigned from specified CA. User manually provides standard certificate parameters.
sign-certificate-request (ca, days-valid, file-name, key-bits) Generates certificate and key, except that standard parameters are taken from certificate request. Command takes four parameters:
  • ca - name of the CA certificate
  • days-valid - validity period
  • file-name - certificate request filename
  • key-bits - RSA key bits
revoke (name or number of cert) Certificate can't be deleted. You can only revoke it. After revoke is executed certificate is added to CRL and CRL is renewed.
export (name or number of cert) Export certificate and private key. Difference from CA export is that private key is protected with passphrase specified during the export process. Everyone ho has rights to export can access private keys.