Generate certificates on RouterOS
RouterOS version 6 allows to create, store and manage certificates in certificate store. Following example demonstrates how to easily manage certificates in RouterOS:
Make certificate templates
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign add name=server-template common-name=server add name=client1-template common-name=client1 add name=client2-template common-name=client2
Sign certificates and add CRL url. We will use IP address of the server as CRL URL.
/certificate sign ca-template ca-crl-host=10.5.101.16 name=myCa sign server-template ca=myCa name=server sign client1-template ca=myCa name=client1 sign client2-template ca=myCa name=client2
If certificate does not have T flag then you need to set it as trusted before using it:
/certificate set myCa trusted=yes set server trusted=yes
Export client certificates with keys and CA certificate:
/certificate export-certificate myCa /certificate export-certificate client1 export-passphrase=xxxxxxxx /certificate export-certificate client2 export-passphrase=xxxxxxxx
Now these exported files can be imported on client machines.
If everything went well you should have something like this:
[admin@pe0] /certificate> print Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted # NAME COMMON-NAME FINGERPRINT 0 K L A T myCa myCa 7fa636e6576495fe78f1a4... 1 K I T server server cf0650a291bf4685f2fbd3... 2 K I client1 client1 26233de30e89b203b946ab... 3 K I client2 client2 cf172b62201befaf8d8966...
Generate certificates with OpenSSL
Following is a step-by-step guide to creating your own CA (Certificate Authority) with openssl on Linux.
- First step is to build the CA private key and CA certificate pair.
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
During the process you will have to fill few entries (Common Name (CN), Organization, State or province .. etc). Created CA certificate/key pair will be valid for 10 years (3650 days).
- Now create private-key/certificate pair for the server
openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
And again during the process you will have to fill some entries. When filling CN remember that it must not match on CA and server certificate otherwise later naming collision will occur.
- Client key/certificate pair creation steps are very similar to server. Remember to Specify unique CN.
openssl genrsa -des3 -out client.key 4096 openssl req -new -key client.key -out client.csr openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
To examine certificate run following command:
openssl x509 -noout -text -in server.crt -purpose
To import newly created certificates to your router, first you have to upload server.crt and server.key files to the router via FTP.
Now go to
/certificate submenu and run following commands:
[admin@test_host] /certificate> import file-name=server.crt passphrase: certificates-imported: 1 private-keys-imported: 0 files-imported: 1 decryption-failures: 0 keys-with-no-certificate: 0 [admin@test_host] /certificate> import file-name=server.key passphrase: certificates-imported: 0 private-keys-imported: 1 files-imported: 1 decryption-failures: 0 keys-with-no-certificate: 0
If everything is imported properly then certificate should show up with KT flag.