Difference between revisions of "Manual:System/Certificates"

From MikroTik Wiki
(SCEP)
(General Menu)
 
(48 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Versions | v6.0 +}}
+
{{Versions | v6.12 +}}
 
__TOC__
 
__TOC__
  
Line 9: Line 9:
 
</p>
 
</p>
  
Certificate manager is used to collect all certificates inside router, to manage and create serlf-signed certificates and to control and set SCEP related configuration.
+
 
 +
Certificate manager is used to collect all certificates inside router, to manage and create self-signed certificates and to control and set SCEP related configuration.
 +
 
 +
{{Note | Starting from v6 certificate validity is shown using local time zone offset. In previous versions it was UTF.}}
 +
 
 +
{{Warning | RSA Key length must be at least 472 bits if certificate is used by [[M:Interface/SSTP | SSTP]]. Shorter keys are considered as security threats.}}
 +
 
 +
Starting from v6rc10, CRL will be automatically renewed every hour for certificates which have "trusted=yes" using http protocol (ldap and ftp is currently unsupported). Segmented CRL is also currently unsupported.
 +
 
 +
RouterOS allows to manage and create self-signed CAs. Implementation was made based on RFC 5280 and all certificates are X.509 v3.
 +
 
 +
 
 +
All certificate fingerprints are SHA1. Starting from v6.18 sha256 is used for certificate fingerprints and hashes. All private keys and CA export passphrase are stored encrypted with hardware ID. CA CRL renewal happens at every certificate revocation and after 24hours.
 +
 
 +
{{Warning | even if all trust chain is imported, crl may not work in cases when CRL is signed with a different certificate, not the one from trust chain (for example '''Verisign''' is doing that)! }}
 +
 
 +
{{Note | Time and date on routers MUST be correct}}
  
 
==General Menu==
 
==General Menu==
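Review bot: the validity-time note in this region ("In previous versions it was UTF", kept unchanged in the new column) should say UTC: the sentence is about time zone offsets, and UTF is an encoding. Two more points in the same region deserve a look before this lands: the new fingerprint paragraph opens with "All certificate fingerprints are SHA1" and then says SHA256 is used from v6.18, which reads as a contradiction unless the first sentence is scoped to versions before 6.18; and the SSTP warning's "at least 472 bits" is not a conventional RSA key size, so the intended minimum should be confirmed against the SSTP page it links to.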
Line 15: Line 31:
 
<p id="shbox"> <b>Sub-menu:</b> <code>/certificate</code><br /></p>
 
<p id="shbox"> <b>Sub-menu:</b> <code>/certificate</code><br /></p>
  
 +
 +
General menu is used to manage certificates, add templates, issue certificates and manage SCEP Clients.
 +
{{Note | Certificate templates are deleted right after certificate issue or certificate request command is executed}}
 +
{{Note | If CA certificate is removed then all issued certificates in chain are also removed}}
  
  
Line 24: Line 44:
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=alias
+
|arg=common-name
|type=
+
|type=string
 +
|default=
 
|desc=
 
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=ca
+
|arg=copy-from
|type=yes {{!}} no
+
|type=string
 +
|default=
 
|desc=
 
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=decrypted-private-key
+
|arg=country
|type=yes {{!}} no
+
|type=string
|desc=Whether private key is decrypted
+
|default=
 +
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=dsa
+
|arg=days-valid
|type=yes {{!}} no
+
|type=integer [0..4294967295]
 +
|default=
 
|desc=
 
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=email
+
|arg=key-size
|type=string
+
|type=1024 {{!}} 1536 {{!}} 2048 {{!}} 4096 {{!}} 8192
 +
|default=
 
|desc=
 
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=invalid-after
+
|arg=key-usage
|type=date
+
|type=list of [digital-signature {{!}} content-commitment {{!}} key-encipherment {{!}} data-encipherment {{!}} key-agreement {{!}} key-cert-sign {{!}} crl-sign {{!}} encipher-only {{!}} decipher-only]
|desc=The date after which certificate wil be invalid.
+
|default=
 +
|desc=Detailed key usage descriptions can be found in RFC 5280
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=invalid-before
+
|arg=locality
|type=date
 
|desc=The date before which certificate is invalid.
 
}}
 
 
 
{{Mr-arg-ro-table
 
|arg=issuer
 
 
|type=string
 
|type=string
 +
|default=
 
|desc=
 
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
 
|arg=name
 
|arg=name
 
|type=string
 
|type=string
 +
|default=
 
|desc=Name of the certificate. Name can be edited.
 
|desc=Name of the certificate. Name can be edited.
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=private-key
+
|arg=organization
|type=yes {{!}} no
+
|type=string
 +
|default=
 
|desc=
 
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=rsa
+
|arg=state
|type=yes {{!}} no
+
|type=string
 +
|default=
 
|desc=
 
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-table
|arg=serial-number
+
|arg=subject-alt-name
 
|type=string
 
|type=string
|desc=
+
|default=
 +
|desc=contact email address
 +
}}
 +
 
 +
{{Mr-arg-table
 +
|arg=trusted
 +
|type=yes {{!}} no
 +
|default=
 +
|desc=If set to '''yes''' certificate is included "in trusted certificate chain"
 
}}
 
}}
  
{{Mr-arg-ro-table-end
+
{{Mr-arg-table-end
|arg=subject
+
|arg=unit
 
|type=string
 
|type=string
 +
|default=
 
|desc=
 
|desc=
 
}}
 
}}
  
  
'''Commands'''
+
'''Read-only Properties'''
  
 
{{Mr-arg-table-h
 
{{Mr-arg-table-h
|prop=Command
+
|prop=Property
 
|desc=Description
 
|desc=Description
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=create-certificate-request
+
|arg=authority
 
|type=
 
|type=
|desc=Creates certificate request file and key.
+
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=decrypt
+
|arg=ca
 
|type=
 
|type=
|desc=Decrypt private key.
+
|desc=
}}
 
 
 
{{Mr-arg-ro-table
 
|arg=import
 
|type=file-name
 
|desc=File name of certificate or key to be imported.
 
}}
 
 
 
{{Mr-arg-ro-table-end
 
|arg=reset-certificate-cache
 
|type=
 
|desc=Resets certificate cache after this private keys must be decrypted.
 
}}
 
 
 
==Self-Signed CA Management==
 
 
 
<p id="shbox"> <b>Sub-menu:</b> <code>/certificate ca</code><br /></p>
 
 
 
 
 
Starting from RouterOS version 6 it is possible to manage and create self-signed CAs. It is not possible to import self signed CAs here. Implementation was made based on RFC 5280 and all certificates are X.509 v3.
 
 
 
 
 
All certificate fingerprints are SHA1. All private keys and CA export passphrase are stored encrypted with hardware ID. CRL renewal happens at every certificate revocation and after 24hours.
 
 
 
{{Note | Time and date on routers MUST be correct}}
 
 
 
'''Properties'''
 
 
 
{{Mr-arg-table-h
 
|prop=Property
 
|desc=Description
 
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=alias
+
|arg=ca-crl-host
 
|type=
 
|type=
 
|desc=
 
|desc=
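Review bot: the new subject-alt-name row reuses the description "contact email address", which looks carried over from the old email property; a subject alternative name can hold DNS names, IP addresses or e-mail addresses, so the description should say which forms are accepted here or be left blank like the neighbouring rows. Also in this region, every other new writable property (common-name, copy-from, country, days-valid, key-size, locality, organization, state, unit) has an empty |desc=, and the new invalid-after description keeps the old typo "wil"; a one-line description per row would make the table usable.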
Line 160: Line 162:
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=common-name
+
|arg=ca-fingerprint
|type=string
+
|type=
 
|desc=
 
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=country
+
|arg=crl
|type=string
+
|type=
 
|desc=
 
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=crl-host
+
|arg=dsa
|type=string
+
|type=yes {{!}} no
|desc=
 
}}
 
 
 
{{Mr-arg-ro-table
 
|arg=email
 
|type=string
 
 
|desc=
 
|desc=
 
}}
 
}}
Line 186: Line 182:
 
|arg=expired
 
|arg=expired
 
|type=yes {{!}} no
 
|type=yes {{!}} no
|desc=Whether CA is expired.
+
|desc=Set to true if certificate is expired
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
 
|arg=fingerprint
 
|arg=fingerprint
|type=string
+
|type=
 
|desc=
 
|desc=
 
}}
 
}}
Line 198: Line 194:
 
|arg=invalid-after
 
|arg=invalid-after
 
|type=date
 
|type=date
|desc=The date after which CA wil be invalid.
+
|desc=The date after which certificate wil be invalid.
 
}}
 
}}
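Review bot: the replacement description for invalid-after keeps the typo "wil" from the old text ("The date after which certificate wil be invalid."); change it to "will" while the line is being touched.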
  
Line 204: Line 200:
 
|arg=invalid-before
 
|arg=invalid-before
 
|type=date
 
|type=date
|desc=The date before which CA is invalid.  
+
|desc=The date before which certificate is invalid.  
 +
}}
 +
 
 +
{{Mr-arg-ro-table
 +
|arg=issued
 +
|type=
 +
|desc=
 
}}
 
}}
  
Line 214: Line 216:
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=locality
+
|arg=private-key
|type=string
+
|type=yes {{!}} no
 
|desc=
 
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=name
+
|arg=req-fingerprint
|type=string
+
|type=
|desc=Name of the certificate. Name can be edited.
+
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=organization
+
|arg=revoked
|type=string
+
|type=
 
|desc=
 
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=self-signed
+
|arg=scep-url
|type=yes {{!}} no
+
|type=string
|desc=Whether CA is self signed
+
|desc=
 
}}
 
}}
  
Line 244: Line 246:
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=state
+
|arg=smart-card-key
 
|type=string
 
|type=string
 
|desc=
 
|desc=
Line 250: Line 252:
  
 
{{Mr-arg-ro-table-end
 
{{Mr-arg-ro-table-end
|arg=unit
+
|arg=status
|type=string
+
|type=
|desc=
+
|desc=Shows current status of scep client
 
}}
 
}}
 +
  
  
Line 264: Line 267:
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=create-self-signed-ca
+
|arg=add
 
|type=
 
|type=
|desc=Creates self signed CA and generates key. Required extensions are export passphrase (which is used to protect private key when user tries to export it), validity period and IP address.
+
|desc=Adds new certificate template.
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=export
+
|arg=add-scep
|type=name or number of cert
+
|type=ca-identity name on-smart-card scep-url template
|desc=Exports certificate and private key which is encrypted with provided passphrase.
+
|desc=Add scep client. Command takes four parameters:
}}
+
* '''ca-identity''' - allows to change SCEP CA identity;
 
+
* '''name''' - display name of scep client;
{{Mr-arg-ro-table-end
+
* '''on-smart-card''' - whether to use smart card;
|arg=remove
+
* '''scep-url''' - URL to the server, must contain both CGI-PATH and CGI-PROG if used on the server;
|type=name or number of cert
+
* '''template''' - which template to use from template list.
|desc=Remove specified CA and all linked certificates.
 
}}
 
 
 
 
 
===Self-signed Certificates===
 
 
 
<p id="shbox"> <b>Sub-menu:</b> <code>/certificate ca certificate</code><br /></p>
 
 
 
 
 
'''Properties'''
 
 
 
{{Mr-arg-table-h
 
|prop=Property
 
|desc=Description
 
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=ca
+
|arg=ca-set-passphrase
|type=string
+
|type=
|desc=Name of the CA certificate stored in [[#Self-Signed CA Management | Self-Signed CAs menu]]
 
}}
 
 
 
{{Mr-arg-ro-table
 
|arg=common-name
 
|type=string
 
 
|desc=
 
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=country
+
|arg=card-reinstall
|type=string
+
|type=
 
|desc=
 
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=email
+
|arg=card-verify
|type=string
+
|type=
 
|desc=
 
|desc=
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=expired
+
|arg=create-certificate-request
|type=yes {{!}} no
+
|type=
|desc=Whether certificate is expired
+
|desc=Create certificate request from specified template.
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=fingerprint
+
|arg=export-certificate
|type=string
+
|type=
|desc=
+
|desc=Export certificate to file. When <var>export-passphrase</var> is specified, certificate will be exported with encrypted key. Certificates can be exported in two formats <b>pem</b> and <b>pkcs12</b>, by default pem is used, to export pkcs specify <var>type=pkcs12</var>. In case of pkcs12 if certificate is issued on the same router, then exporter will create certificate bundle containing CA and selected certificate.
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=invalid-after
+
|arg=import
|type=date
+
|type=file-name
|desc=Date after which certificate will be invalid
+
|desc=File name of certificate or key to be imported.
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=invalid-before
+
|arg=issued-revoke
|type=date
+
|type=
|desc=Date before which certificate is invalid
+
|desc=Revoke issued certificate
 
}}
 
}}
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
|arg=locality
+
|arg=scep-renew
|type=string
+
|type=
|desc=
 
}}
 
 
 
{{Mr-arg-ro-table
 
|arg=name
 
|type=string
 
|desc=
 
}}
 
 
 
{{Mr-arg-ro-table
 
|arg=organization
 
|type=string
 
|desc=
 
}}
 
 
 
{{Mr-arg-ro-table
 
|arg=revoked
 
|type=date
 
|desc=Date and time when certificate was last revoked
 
}}
 
 
 
{{Mr-arg-ro-table
 
|arg=serial-number
 
|type=string
 
 
|desc=
 
|desc=
 
}}
 
}}
  
{{Mr-arg-ro-table
 
|arg=state
 
|type=string
 
|desc=
 
}}
 
 
{{Mr-arg-ro-table-end
 
|arg=unit
 
|type=string
 
|desc=
 
}}
 
 
 
'''Commands'''
 
 
{{Mr-arg-table-h
 
|prop=Command
 
|desc=Description
 
}}
 
 
{{Mr-arg-ro-table
 
|arg=create-certificate
 
|type=
 
|desc=Generate certificate and key assigned from specified CA. User manually provides standard certificate parameters.
 
}}
 
  
 
{{Mr-arg-ro-table
 
{{Mr-arg-ro-table
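Review bot: the new add-scep description says "Command takes four parameters" but five are listed, both in the |type= line and in the bullets (ca-identity, name, on-smart-card, scep-url, template); correct the count or drop one. The bullets are also placed inside the |desc= template parameter, which the old rows never did, so check that the Mr-arg-ro-table template renders a list there.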
Line 408: Line 342:
 
}}
 
}}
  
{{Mr-arg-ro-table
+
{{Mr-arg-ro-table-end
|arg=revoke
+
|arg=sign
|type=name or number of cert
+
|type=ca, ca-crl-host, ca-on-smart-card, name, template
|desc=Certificate can't be deleted. You can only revoke it. After revoke is executed certificate is added to CRL and CRL is renewed.
+
|desc=Sign certificates. Command takes 5 parameters:
}}
+
* '''template''' - which template to use. Required.
 
+
* '''ca''' - which CA to use if signing issued certificates
 +
* '''ca-crl-host''' - CRL host if issuing CA certificate
 +
* '''ca-on-smart-card''' -
 +
* '''name''' - what name to assign to issued certificate.
  
{{Mr-arg-ro-table-end
+
CA certificates are created if '''key-usage=key-cert-sign''' set in the template.
|arg=export
 
|type=name or number of cert
 
|desc=Export certificate and private key. Difference from CA export is that private key is protected with passphrase specified during the export process. Everyone ho has rights to export can access private keys.
 
 
}}
 
}}
 
 
  
 
==SCEP==
 
==SCEP==
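Review bot: in the new sign command entry the ca-on-smart-card bullet has no description ("* '''ca-on-smart-card''' -"), and "which CA to use if signing issued certificates" does not say what happens when ca is omitted; the closing sentence "CA certificates are created if key-usage=key-cert-sign set in the template" also needs "is set". Worth completing, since the old revoke/export text being dropped here at least explained that an issued certificate cannot be deleted, only revoked.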
Line 432: Line 364:
 
Simple Certificate Enrollment protocol (SCEP) was developed based on [[draft-nourse-scep-22]].
 
Simple Certificate Enrollment protocol (SCEP) was developed based on [[draft-nourse-scep-22]].
  
The protocol is designed so that any user can request certificate as simple as possible. The protocol allows to issue and revoke certificates.
+
The protocol is designed so that any user can request certificate as simple as possible. The protocol allows to issue and revoke certificates.  
 
 
  
 
'''How SCEP works'''
 
'''How SCEP works'''
Line 442: Line 373:
 
* CA - certification authority (server)
 
* CA - certification authority (server)
  
SCP is using HTTP protocol and base64 encoded GET requests.
+
{{ Warning | RA certificate must not contain CA flag}}
 +
 
 +
 
 +
SCEP is using HTTP protocol and base64 encoded '''GET''' requests. Most of requests are without authentication and cipher, however important ones can be protected if necessary (ciphered or signed using received public key).
  
 +
SCEP client in RouterOS will:
 +
* get CA certificate from CA server or RA (if used);
 +
* user should compare fingerprint of the CA certificate or if it comes from the right server;
 +
* generate self-signed certificate with temporary key;
 +
* sends certificate request to the server;
 +
* if server respond with status '''x''', then client keeps requesting until server sends an error or approval.
  
{{TODO}}
 
  
 +
SCEP server supports issue of one certificate only. RouterOS supports also renew and next-ca options:
 +
* '''renew''' - possibility to renew old certificate automatically with the same CA.
 +
* '''next-ca''' - possibility to change current CA certificate to the new one. Client polls the server for any changes, if server advertise that next-ca is available, then client may request next CA or wait until CA almost expires and then request next-ca.
 +
 +
 +
RouterOS client by default will try to use '''POST''', '''AES''' and '''SHA256''' if server advertises that.
 +
If above algorithms are not supported, then client will try to use '''3DES''', '''DES''' and '''SHA1''', '''MD5'''.
  
===Client===
 
  
<p id="shbox"><b>Sub-menu:</b> <code>/certificate scep client</code><br /></p>
 
  
  
 
===Server===
 
===Server===
  
<p id="shbox"><b>Sub-menu:</b> <code>/certificate scep server</code><br /></p>
+
<p id="shbox"><b>Sub-menu:</b> <code>/certificate scep-server</code><br /></p>
 +
 
 +
 
 +
 
 +
 
 +
====OTP====
 +
 
 +
<p id="shbox"><b>Sub-menu:</b> <code>/certificate scep-server otp</code><br /></p>
 +
 
 +
 
 +
 
 +
====RA====
 +
 
 +
<p id="shbox"><b>Sub-menu:</b> <code>/certificate scep-server ra</code><br /></p>
 +
 
 +
 
 +
====Requests====
 +
 
 +
<p id="shbox"><b>Sub-menu:</b> <code>/certificate scep-server requests</code><br /></p>
 +
 
 +
==Configuration Examples==
 +
 
 +
===Basic SCEP Example===
 +
 
 +
In this example we will show how to use SCEP to automatically sign certificate for the client in very basic configuration.
  
 +
First thing we need to do is create CA template on the '''server''' and sign it.
 +
<pre>
 +
/certificate
 +
add common-name=ca name=ca-tpl
 +
sign ca-tpl name=ca
 +
</pre>
 +
 +
Now we have valid CA that can be used to issue certificates:
 +
<pre>
 +
[admin@MikroTik] /certificate> print
 +
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
 +
I - issued, R - revoked, E - expired, T - trusted
 +
#          NAME  COM.. SUBJECT-ALT-NAME                                  FIN..
 +
0 K  A  T ca    ca                                                      fb7..
 +
</pre>
 +
 +
Next step is to create SCEP server:
 +
<pre>
 +
/certificate scep-server add ca-cert=ca path=/scep/test
 +
</pre>
 +
 +
 +
Now on '''client''' router we can add SCEP client:
 +
<pre>
 +
/certificate
 +
add common-name=tst-client name=tpl_1
 +
add-scep template=tpl_1 scep-url="http://10.5.101.231/scep/test"
 +
</pre>
 +
 +
{{Warning | scep-url must contain both CGI-PATH and CGI-PROG, for example, if CA is using "pkiclient.exe" it must be included in the URL <var>scep-url</var><b><nowiki>=http://scep_server/cgi-bin/pkiclient.exe</nowiki></b>}}
 +
 +
<pre>
 +
[admin@MikroTik] /certificate> print detail
 +
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
 +
I - issued, R - revoked, E - expired, T - trusted
 +
0 K      T name="tpl_1" issuer=CN=tst-client common-name="tst-client"
 +
            key-size=2048 days-valid=365 trusted=yes key-usage=key-cert-sign
 +
            scep-url=http://10.5.101.231/scep/test serial-number="1B05992DC13289A9"
 +
            fingerprint="a2c0194bf67a12b8902fab45539e157396d2f8fd15f895399da856f64d
 +
            6e50c7"
 +
            req-fingerprint="e5131662a8c11cfa363c907a49b7f65f9e0e378fc8c8a6d35ae949
 +
                3f21fa25be"
 +
            ca-fingerprint="fb7b92de75d5e8a90489b4bf9e9ed1808fdcba1e644152cc791f717
 +
              cb6b283e2"
 +
            invalid-before=apr/01/2016 14:53:34
 +
            invalid-after=apr/01/2017 14:53:34
 +
            challenge-password="85f5ed5c5b5ea2d336c2"
 +
            status="requesting-pending-certificate"
 +
 +
1    A  T name="tpl_1_CA" issuer=CN=ca common-name="ca" key-size=2048
 +
            days-valid=365 trusted=yes
 +
            key-usage=digital-signature,key-encipherment,data-encipherment,key-
 +
          cert-sign,crl-sign,tls-server,tls-client
 +
            serial-number="130D81F32DBD8BF2"
 +
            fingerprint="fb7b92de75d5e8a90489b4bf9e9ed1808fdcba1e644152cc791f717cb6
 +
            b283e2"
 +
            invalid-before=apr/01/2016 15:25:14
 +
            invalid-after=apr/01/2017 15:25:14
 +
</pre>
 +
 +
As you can see SCEP client status shows "requesting-pending-certificate", which means that we manually must grant certificate on the '''server''':
 +
<pre>
 +
[admin@MikroTik] /certificate scep-server requests> print
 +
# AUTHORITY      STATUS    COMMON-NAME                    CREATED           
 +
0 ca              pending    tst-client                    apr/01/2016 12:29:55
 +
 +
[admin@MikroTik] /certificate scep-server requests> grant 0       
 +
[admin@MikroTik] /certificate scep-server requests> print
 +
# AUTHORITY      STATUS    COMMON-NAME                    CREATED           
 +
0 ca              granted    tst-client                    apr/01/2016 12:29:55
 +
</pre>
 +
 +
After status change to "granted", you will see new issued certificate on the '''server''':
 +
<pre>
 +
[admin@MikroTik] /certificate> print detail
 +
 +
1      I  name="issued_2" common-name="tst-client" key-size=2048 days-valid=1
 +
            trusted=no key-usage=digital-signature,key-encipherment,data-encipherment,
 +
          key-cert-sign,crl-sign,tls-server,tls-client
 +
            ca=ca serial-number="66071C63F77EB672"
 +
            fingerprint="89b0000ab75375e887b80ca45e829dfb6e683f6429069242c83063798ad8698
 +
            1"
 +
            invalid-before=apr/01/2016 15:31:58 invalid-after=apr/02/2016 15:31:58
 +
</pre>
 +
 +
And a working certificate on the '''client''':
 +
<pre>
 +
[admin@MikroTik] /certificate> print
 +
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
 +
I - issued, R - revoked, E - expired, T - trusted
 +
#          NAME    COM.. SUBJECT-ALT-NAME                                  FIN..
 +
0 K      T tpl_1    tst..                                                    a2c..
 +
1    A  T tpl_1_CA ca                                                      fb7..
 +
</pre>
 +
 +
==FAQ==
 +
 +
; Router prints an error "CRL size exceeds free memory". What to do?
 +
: Required free RAM to load CRL is 4MB+10*<CRL_size>. If you have low budget boards with about 7MB free RAM, then in most cases you will have to disable CRLs or get a router with more RAM.
 +
 +
; Why I can't remove issued certificates?
 +
: If certificate is issued by RouterOS it cannot be removed for security reasons. Whenever certificate is revoked it must stay in the list. Issued certificates are removed only when issuer CA is removed.
  
  
 
{{cont}}
 
{{cont}}
 
  
 
[[Category:Manual|C]]
 
[[Category:Manual|C]]
 
[[Category:System|C]]
 
[[Category:System|C]]
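Review bot: the new "SCEP client in RouterOS will" list leaves a placeholder in its last bullet ("if server respond with status '''x'''"); the walkthrough added in the same region shows the actual client status, "requesting-pending-certificate", so name that status instead of x. The second bullet ("user should compare fingerprint of the CA certificate") is an operator step, not a client action, and deserves its own sentence: the preceding paragraph says most requests carry no authentication or cipher and the example fetches the CA over plain http, so that manual fingerprint comparison is the only thing that authenticates the CA the client enrols with. Minor: "if server advertise" should read "advertises".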

Latest revision as of 13:24, 2 May 2019


Applies to RouterOS: v6.12 +

Summary

Sub-menu: /certificate
Package required: security
Standards: RFC 5280, draft-nourse-scep-22


Certificate manager is used to collect all certificates inside router, to manage and create self-signed certificates and to control and set SCEP related configuration.


Note: Starting from v6, certificate validity is shown using the local time zone offset. In previous versions it was UTC.



Warning: The RSA key length must be at least 472 bits if the certificate is used by SSTP. Shorter keys are considered a security threat.


Starting from v6rc10, the CRL is renewed automatically every hour for certificates that have "trusted=yes", using the HTTP protocol (LDAP and FTP are currently unsupported). Segmented CRLs are also currently unsupported.

RouterOS can manage and create self-signed CAs. The implementation is based on RFC 5280 and all certificates are X.509 v3.

Certificate fingerprints are SHA1; starting from v6.18, SHA256 is used for certificate fingerprints and hashes. All private keys and the CA export passphrase are stored encrypted with the hardware ID. The CA's CRL is renewed at every certificate revocation and after 24 hours.


Warning: even if the whole trust chain is imported, the CRL may not work when it is signed with a different certificate than the one in the trust chain (Verisign, for example, does this)!



Note: Time and date on routers MUST be correct


General Menu

Sub-menu: /certificate


The General menu is used to manage certificates, add templates, issue certificates and manage SCEP clients.


Note: Certificate templates are deleted right after the certificate issue or certificate request command is executed



Note: If a CA certificate is removed, all issued certificates in its chain are also removed



Properties

Property Description
common-name (string; Default: )
copy-from (string; Default: )
country (string; Default: )
days-valid (integer [0..4294967295]; Default: )
key-size (1024 | 1536 | 2048 | 4096 | 8192; Default: )
key-usage (list of [digital-signature | content-commitment | key-encipherment | data-encipherment | key-agreement | key-cert-sign | crl-sign | encipher-only | decipher-only]; Default: ) Detailed key usage descriptions can be found in RFC 5280
locality (string; Default: )
name (string; Default: ) Name of the certificate. Name can be edited.
organization (string; Default: )
state (string; Default: )
subject-alt-name (string; Default: ) contact email address
trusted (yes | no; Default: ) If set to yes certificate is included "in trusted certificate chain"
unit (string; Default: )


Read-only Properties

Property Description
authority ()
ca ()
ca-crl-host ()
ca-fingerprint ()
crl ()
dsa (yes | no)
expired (yes | no) Set to true if certificate is expired
fingerprint ()
invalid-after (date) The date after which the certificate will be invalid.
invalid-before (date) The date before which certificate is invalid.
issued ()
issuer (string)
private-key (yes | no)
req-fingerprint ()
revoked ()
scep-url (string)
serial-number (string)
smart-card-key (string)
status () Shows current status of scep client


Commands

Command Description
add () Adds new certificate template.
add-scep (ca-identity name on-smart-card scep-url template) Add scep client. Command takes four parameters:
  • ca-identity - allows to change SCEP CA identity;
  • name - display name of scep client;
  • on-smart-card - whether to use smart card;
  • scep-url - URL to the server, must contain both CGI-PATH and CGI-PROG if used on the server;
  • template - which template to use from template list.
ca-set-passphrase ()
card-reinstall ()
card-verify ()
create-certificate-request () Create certificate request from specified template.
export-certificate () Export certificate to file. When export-passphrase is specified, certificate will be exported with encrypted key. Certificates can be exported in two formats pem and pkcs12, by default pem is used, to export pkcs specify type=pkcs12. In case of pkcs12 if certificate is issued on the same router, then exporter will create certificate bundle containing CA and selected certificate.
import (file-name) File name of certificate or key to be imported.
issued-revoke () Revoke issued certificate
scep-renew ()
sign-certificate-request (ca, days-valid, file-name, key-bits) Generates certificate and key, except that standard parameters are taken from certificate request. Command takes four parameters:
  • ca - name of the CA certificate
  • days-valid - validity period
  • file-name - certificate request filename
  • key-bits - RSA key bits
sign (ca, ca-crl-host, ca-on-smart-card, name, template) Sign certificates. Command takes 5 parameters:
  • template - which template to use. Required.
  • ca - which CA to use if signing issued certificates
  • ca-crl-host - CRL host if issuing CA certificate
  • ca-on-smart-card -
  • name - what name to assign to issued certificate.
CA certificates are created if key-usage=key-cert-sign is set in the template.

SCEP

Sub-menu: /certificate
Standards: draft-nourse-scep-22

Simple Certificate Enrollment Protocol (SCEP) was developed based on draft-nourse-scep-22.

The protocol is designed so that any user can request a certificate as simply as possible. The protocol allows certificates to be issued and revoked.

How SCEP works

Topology: CL ---- RA ---- CA

  • CL - client
  • RA - registration authority (proxy)
  • CA - certification authority (server)

Warning: RA certificate must not contain CA flag



SCEP uses the HTTP protocol and base64-encoded GET requests. Most requests are sent without authentication or encryption; the important ones can be protected if necessary (encrypted or signed using the received public key).

The SCEP client in RouterOS will:

  • get the CA certificate from the CA server or the RA (if used);
  • the user should compare the fingerprint of the CA certificate to verify that it comes from the right server;
  • generate a self-signed certificate with a temporary key;
  • send the certificate request to the server;
  • if the server responds with status x, keep requesting until the server sends an error or an approval.


The SCEP server supports issuing one certificate only. RouterOS also supports the renew and next-ca options:

  • renew - the old certificate can be renewed automatically with the same CA.
  • next-ca - the current CA certificate can be replaced by a new one. The client polls the server for changes; if the server advertises that a next-ca is available, the client may request the next CA right away or wait until the current CA is almost expired and then request the next-ca.


By default the RouterOS client will try to use POST, AES and SHA256 if the server advertises them. If those algorithms are not supported, the client falls back to 3DES, DES, SHA1 and MD5.
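The capability negotiation just described, as an added Python example that is not part of the MikroTik manual or of RouterOS: it parses a SCEP GetCACaps reply (one keyword per line; the keyword names POSTPKIOperation, AES, DES3, SHA-256, SHA-1, Renewal and GetNextCACert are the ones from the SCEP draft, and mapping them onto the algorithms the page names is my assumption), picks the method, cipher and digest in the order the page gives, and reports when the result has fallen back to DES or MD5 so an operator can spot a downgrade. It also builds the base64-encoded GET form of a PKIOperation request against a scep-url of the kind the page's warning describes. The capability texts and the PKCS#7 bytes are constructed placeholders, not captured traffic.

```python
import base64
from typing import Dict, Set
from urllib.parse import urlencode

# Preference order taken from the page: POST, AES and SHA256 first, then
# 3DES, DES, SHA1 and MD5.  Left element is the GetCACaps keyword (from the
# SCEP draft; this mapping is my assumption), None means "always available"
# and is therefore the last resort.
CIPHER_PREFERENCE = [("AES", "AES"), ("DES3", "3DES"), (None, "DES")]
DIGEST_PREFERENCE = [("SHA-256", "SHA256"), ("SHA-1", "SHA1"), (None, "MD5")]
# Algorithms a defender should treat as a downgrade worth alerting on.
WEAK = {"DES", "MD5"}


def parse_ca_caps(body: str) -> Set[str]:
    """GetCACaps reply: one capability keyword per line, blank lines ignored."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def negotiate(caps: Set[str]) -> Dict[str, object]:
    """Choose transport and algorithms the way the page describes the RouterOS
    client doing it, and list which of the chosen algorithms are weak."""
    cipher = next(name for kw, name in CIPHER_PREFERENCE if kw is None or kw in caps)
    digest = next(name for kw, name in DIGEST_PREFERENCE if kw is None or kw in caps)
    return {
        "method": "POST" if "POSTPKIOperation" in caps else "GET",
        "cipher": cipher,
        "digest": digest,
        "renewal": "Renewal" in caps,        # the page's "renew" option
        "next_ca": "GetNextCACert" in caps,  # the page's "next-ca" option
        "weak": sorted({cipher, digest} & WEAK),
    }


def pki_operation_get_url(scep_url: str, pkcs7_der: bytes) -> str:
    """GET form of a PKIOperation: the PKCS#7 message is base64 encoded and
    appended as a query parameter to the full CGI URL (path and program)."""
    message = base64.b64encode(pkcs7_der).decode("ascii")
    return scep_url + "?" + urlencode({"operation": "PKIOperation", "message": message})


# Constructed sample replies, not captured from a real CA.
MODERN_CAPS = "POSTPKIOperation\nAES\nSHA-256\nRenewal\n"
LEGACY_CAPS = "DES3\nSHA-1\n"
NO_CAPS = ""  # server answered GetCACaps with nothing usable


if __name__ == "__main__":
    for label, body in (("modern", MODERN_CAPS), ("legacy", LEGACY_CAPS), ("none", NO_CAPS)):
        print(label, negotiate(parse_ca_caps(body)))
    # placeholder DER (an empty SEQUENCE), not a real PKCS#7 message
    print(pki_operation_get_url("http://scep_server/cgi-bin/pkiclient.exe", b"\x30\x00"))
```

A server that advertises nothing drives the client all the way down to DES and MD5, which is exactly the case the "weak" field exists to surface in logs or monitoring.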



Server

Sub-menu: /certificate scep-server



OTP

Sub-menu: /certificate scep-server otp


RA

Sub-menu: /certificate scep-server ra


Requests

Sub-menu: /certificate scep-server requests

Configuration Examples

Basic SCEP Example

This example shows how to use SCEP to sign a certificate for the client automatically, in a very basic configuration.

The first thing we need to do is create a CA template on the server and sign it.

/certificate 
add common-name=ca name=ca-tpl
sign ca-tpl name=ca

Now we have a valid CA that can be used to issue certificates:

[admin@MikroTik] /certificate> print 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, 
I - issued, R - revoked, E - expired, T - trusted 
 #          NAME   COM.. SUBJECT-ALT-NAME                                   FIN..
 0 K   A  T ca     ca                                                       fb7..

The next step is to create the SCEP server:

/certificate scep-server add ca-cert=ca path=/scep/test


Now, on the client router, we can add the SCEP client:

/certificate
add common-name=tst-client name=tpl_1
add-scep template=tpl_1 scep-url="http://10.5.101.231/scep/test" 

Warning: scep-url must contain both the CGI-PATH and the CGI-PROG; for example, if the CA uses "pkiclient.exe", it must be included in the URL: scep-url=http://scep_server/cgi-bin/pkiclient.exe


[admin@MikroTik] /certificate> print detail 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, 
I - issued, R - revoked, E - expired, T - trusted 
 0 K      T name="tpl_1" issuer=CN=tst-client common-name="tst-client" 
            key-size=2048 days-valid=365 trusted=yes key-usage=key-cert-sign 
            scep-url=http://10.5.101.231/scep/test serial-number="1B05992DC13289A9" 
            fingerprint="a2c0194bf67a12b8902fab45539e157396d2f8fd15f895399da856f64d
            6e50c7" 
            req-fingerprint="e5131662a8c11cfa363c907a49b7f65f9e0e378fc8c8a6d35ae949
                3f21fa25be" 
            ca-fingerprint="fb7b92de75d5e8a90489b4bf9e9ed1808fdcba1e644152cc791f717
               cb6b283e2" 
            invalid-before=apr/01/2016 14:53:34 
            invalid-after=apr/01/2017 14:53:34 
            challenge-password="85f5ed5c5b5ea2d336c2" 
            status="requesting-pending-certificate" 

 1     A  T name="tpl_1_CA" issuer=CN=ca common-name="ca" key-size=2048 
            days-valid=365 trusted=yes 
            key-usage=digital-signature,key-encipherment,data-encipherment,key-
          cert-sign,crl-sign,tls-server,tls-client 
            serial-number="130D81F32DBD8BF2" 
            fingerprint="fb7b92de75d5e8a90489b4bf9e9ed1808fdcba1e644152cc791f717cb6
            b283e2" 
            invalid-before=apr/01/2016 15:25:14 
            invalid-after=apr/01/2017 15:25:14 

As you can see, the SCEP client status shows "requesting-pending-certificate", which means that we must grant the certificate manually on the server:
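To check the same things the walkthrough checks by eye, here is an added Python example (my code, not part of the MikroTik manual or of RouterOS) that parses the client router's "/certificate print detail" output quoted above. The sample string is that output, with the wrapped fingerprint lines joined by the parser; how RouterOS wraps long values (quoted strings anywhere, unquoted lists after a "-" or ",") is my reading of this output, not a documented format. The helpers list the SCEP clients still in "requesting-pending-certificate", confirm that the request's ca-fingerprint equals the fingerprint of a locally held certificate carrying the A (authority) flag, and compare a fingerprint against an out-of-band value in plain or colon-separated form, which is the manual comparison the client description asks the user to perform.

```python
import hmac
import re

# Input: the client router's "/certificate print detail" output quoted on this
# page (the entry that is still requesting, plus the CA it fetched).
SAMPLE_PRINT_DETAIL = """\
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 0 K      T name="tpl_1" issuer=CN=tst-client common-name="tst-client"
            key-size=2048 days-valid=365 trusted=yes key-usage=key-cert-sign
            scep-url=http://10.5.101.231/scep/test serial-number="1B05992DC13289A9"
            fingerprint="a2c0194bf67a12b8902fab45539e157396d2f8fd15f895399da856f64d
            6e50c7"
            req-fingerprint="e5131662a8c11cfa363c907a49b7f65f9e0e378fc8c8a6d35ae949
                3f21fa25be"
            ca-fingerprint="fb7b92de75d5e8a90489b4bf9e9ed1808fdcba1e644152cc791f717
               cb6b283e2"
            invalid-before=apr/01/2016 14:53:34
            invalid-after=apr/01/2017 14:53:34
            challenge-password="85f5ed5c5b5ea2d336c2"
            status="requesting-pending-certificate"

 1     A  T name="tpl_1_CA" issuer=CN=ca common-name="ca" key-size=2048
            days-valid=365 trusted=yes
            key-usage=digital-signature,key-encipherment,data-encipherment,key-
          cert-sign,crl-sign,tls-server,tls-client
            serial-number="130D81F32DBD8BF2"
            fingerprint="fb7b92de75d5e8a90489b4bf9e9ed1808fdcba1e644152cc791f717cb6
            b283e2"
            invalid-before=apr/01/2016 15:25:14
            invalid-after=apr/01/2017 15:25:14
"""

# An entry starts with its index, optional single-letter flags, then name=.
_ENTRY_START = re.compile(r"^\s*\d+\s+(?:[A-Z]\s+)*name=")
# A property key is lowercase/hyphenated and followed by "="; the lookbehind
# keeps "CN=" inside issuer=CN=... from being taken as a key.
_KEY = re.compile(r"(?<![\w-])([a-z][\w-]*)=")


def _join_unquoted(raw):
    """Undo line wrapping of an unquoted value: pieces split after '-' or ','
    are glued back; other pieces (a date and its time) keep their space."""
    pieces = raw.split()
    out = pieces[0] if pieces else ""
    for piece in pieces[1:]:
        out += piece if out.endswith(("-", ",")) else " " + piece
    return out


def parse_entry(text):
    first = _KEY.search(text)
    header = text[: first.start()].split()
    entry = {"index": int(header[0]), "flags": set(header[1:])}
    pos = first.start()
    while True:
        m = _KEY.search(text, pos)
        if not m:
            break
        start = m.end()
        if start < len(text) and text[start] == '"':
            end = text.index('"', start + 1)
            # quoted values (fingerprints) wrap mid-string: drop the whitespace
            value = "".join(text[start + 1 : end].split())
            pos = end + 1
        else:
            nxt = _KEY.search(text, start)
            stop = nxt.start() if nxt else len(text)
            value = _join_unquoted(text[start:stop])
            pos = stop
        entry[m.group(1)] = value
    return entry


def parse_print_detail(output):
    blocks = []
    for line in output.splitlines():
        if _ENTRY_START.match(line):
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line)
    return [parse_entry("\n".join(b)) for b in blocks]


def pending_scep_clients(entries):
    return [e["name"] for e in entries if e.get("status") == "requesting-pending-certificate"]


def verify_ca_link(entries):
    """Map each requesting entry to the local authority (A flag) whose
    fingerprint equals its ca-fingerprint, or None when none is held."""
    by_fp = {e["fingerprint"]: e for e in entries if "fingerprint" in e}
    links = {}
    for e in entries:
        if "ca-fingerprint" in e:
            ca = by_fp.get(e["ca-fingerprint"])
            links[e["name"]] = ca["name"] if ca and "A" in ca["flags"] else None
    return links


def normalize_fingerprint(fp):
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(shown, expected):
    """Out-of-band fingerprint check, accepting colon or plain form; constant-time."""
    return hmac.compare_digest(normalize_fingerprint(shown), normalize_fingerprint(expected))
```

Run against the quoted output, verify_ca_link reports tpl_1 chained to tpl_1_CA because the ca-fingerprint on the request and the fingerprint of the fetched authority are the same 64 hex digits; a mismatch there, or a fingerprint that does not agree with the value obtained from the CA operator, is the signal to stop before granting anything.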

[admin@MikroTik] /certificate scep-server requests> print 
 # AUTHORITY       STATUS     COMMON-NAME                    CREATED             
 0 ca              pending    tst-client                     apr/01/2016 12:29:55

[admin@MikroTik] /certificate scep-server requests> grant 0        
[admin@MikroTik] /certificate scep-server requests> print 
 # AUTHORITY       STATUS     COMMON-NAME                    CREATED             
 0 ca              granted    tst-client                     apr/01/2016 12:29:55

After the status changes to "granted", the newly issued certificate appears on the server:

[admin@MikroTik] /certificate> print detail 

 1      I   name="issued_2" common-name="tst-client" key-size=2048 days-valid=1 
            trusted=no key-usage=digital-signature,key-encipherment,data-encipherment,
          key-cert-sign,crl-sign,tls-server,tls-client 
            ca=ca serial-number="66071C63F77EB672" 
            fingerprint="89b0000ab75375e887b80ca45e829dfb6e683f6429069242c83063798ad8698
            1" 
            invalid-before=apr/01/2016 15:31:58 invalid-after=apr/02/2016 15:31:58 

And a working certificate on the client:

[admin@MikroTik] /certificate> print 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, 
I - issued, R - revoked, E - expired, T - trusted 
 #          NAME     COM.. SUBJECT-ALT-NAME                                   FIN..
 0 K      T tpl_1    tst..                                                    a2c..
 1     A  T tpl_1_CA ca                                                       fb7..

FAQ

Router prints the error "CRL size exceeds free memory". What to do?
The free RAM required to load a CRL is 4MB + 10 * <CRL_size>. On low-budget boards with about 7MB of free RAM you will, in most cases, have to disable CRLs or get a router with more RAM.
Why can't I remove issued certificates?
If a certificate was issued by RouterOS it cannot be removed, for security reasons. Once a certificate is revoked it must stay in the list. Issued certificates are removed only when the issuing CA is removed.

