SSL Certificate setup

From MikroTik Wiki

To set up an SSL certificate, the following works:

Run

 /certificate create-certificate-request

and answer the questions. I suggest using something other than the default filenames so you know at a later date what system the certificate files are for.

e.g. instead of certificate-request.pem, I might use 2008usermanager-request.pem

After answering the questions, ftp into the router and get the files it has created.

You will need the request file it creates to order a certificate. There are many choices for SSL certificates, such as rapidssl, godaddy, register, opensrs, thawte, and others for varying amounts of money. This route means no certificate warnings in end user browsers.

You can also use openssl on a *nix computer to self-sign and create a private certificate. This will encrypt your traffic and work, but it causes a certificate warning, as there is no means of verifying the authenticity of the certificate. Instructions for doing this are easy to find on Google.

I had success with opensrs. You sign up for the certificate, copy and paste the contents of the request file, select other for webserver type, and submit this request through the vendor's website. Respond to their emails and you get a certificate. Paste the text of the certificate into a file.

I then created a file and pasted in the private key (FTP'd from the router), the certificate request (which can be FTP'd from the router or copied from the certificate application), and the newly received certificate. Save this file as 2008usermanager; this one file can then be uploaded to the MikroTik by FTP.

On the MikroTik, run:

 /certificate import file-name=2008usermanager

It will ask for a password, which you should enter if you used one when creating the certificate request. After a successful import, the certificate should show up under /certificate print with a name created by the MikroTik, such as cert1.

In /ip service you can now set www-ssl to use cert1 with this example command.

 /ip service set www-ssl certificate=cert1

Test the certificate by visiting the usermanager URL in your browser.
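
An added example (not from the original page): a shell check, run on the *nix computer before the upload, that confirms the private key, the request and the certificate all carry the same public key and only then writes the combined file. The file names, the `usermanager.example` name and the self-signed sample data are constructed, and the key is assumed to be unencrypted (openssl asks for the passphrase otherwise).

```sh
#!/bin/sh
# Added example. File names are hypothetical; make_sample produces constructed,
# self-signed test data standing in for the router's files and the CA's reply.

# Print the SHA-256 of the public key inside a key, request or certificate.
pubkey_hash() {  # $1 = key|req|x509, $2 = PEM file
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout) ;;
        req)  pub=$(openssl req  -in "$2" -noout -pubkey) ;;
        x509) pub=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Combine key + request + certificate into one file, but only when all three
# carry the same public key. Returns non-zero (and writes nothing) otherwise.
build_bundle() {  # $1 = key, $2 = request, $3 = certificate, $4 = output file
    k=$(pubkey_hash key  "$1") || return 1
    r=$(pubkey_hash req  "$2") || return 1
    c=$(pubkey_hash x509 "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ] || return 1
    (umask 077; cat "$1" "$2" "$3" > "$4")   # private key inside: owner-only
}

# Constructed sample: unencrypted RSA key, request, and a self-signed
# certificate made with openssl as the page mentions (browsers will warn).
make_sample() {  # $1 = directory, $2 = base name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=usermanager.example" \
        -keyout "$1/$2-key.pem" -out "$1/$2-request.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/$2-request.pem" -signkey "$1/$2-key.pem" \
        -days 30 -out "$1/$2-cert.pem" 2>/dev/null
}

# Run as: sh bundle.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_sample "$d" 2008usermanager &&
    build_bundle "$d/2008usermanager-key.pem" "$d/2008usermanager-request.pem" \
        "$d/2008usermanager-cert.pem" "$d/2008usermanager" &&
    echo "bundle written: $d/2008usermanager"
fi
```

The combined file contains the private key, so delete the local copies once the import on the router has succeeded.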