Certificate Management

Document revision 2.1 (09-Oct-2003)
This document applies to MikroTik RouterOS™ V2.7

Table of Contents

  • General Information
  • Certificates

    General Information

    Summary

    In MikroTik RouterOS, certificates are used by the SSL security protocol.

    Specifications

    Packages required: security
    License required: Any
    Submenu level: /certificate
    Hardware usage: high CPU usage

    Certificates

    Submenu level: /certificate

    Property Description

    name (name) - reference name

    subject (read-only: text) - subject of the certificate

    issuer (read-only: text) - issuer of the certificate

    serial-number (read-only: text) - serial number of the certificate

    invalid-before (read-only: date) - date the certificate is valid from

    invalid-after (read-only: date) - date the certificate is valid until

    ca (yes | no; default: yes) - whether the certificate is used for building or verifying certificate chains (as Certificate Authority)

    Command Description

    import - install new certificates

    Input parameters:

    Output parameters:

    reset-certificate-cache - delete all cached decrypted public keys and rebuild the certificate cache

    decrypt - decrypt and cache public keys

    Input parameters:

    Output parameters:

    Notes

    Server certificates may have the ca property set to no, but Certificate Authority certificates must have it set to yes.

    Certificates and encrypted private keys are imported from and exported to the router's FTP server. Public keys are not stored on the router in unencrypted form. Cached decrypted private keys are stored in encrypted form, using a key that is derived from the router ID. Passphrases are not stored on the router.

    A configuration backup does not include cached decrypted private keys. After restoring a backup, all certificates with private keys must be decrypted again using the decrypt command with the correct passphrase.
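    As an added check that is not part of the RouterOS manual: a script that parses the output of `/certificate print` (the flag letters and key=value fields shown in the Examples below) and lists entries whose private key is still encrypted (flag Q without K, the state every key is in after a backup restore until `decrypt` is run) as well as certificates outside their validity window. The sample listing is constructed from the page's `cert1` entry plus a hypothetical second entry `cert2`.

```python
import re
from datetime import datetime

# Constructed sample input: the `/certificate print` listing from the examples
# on this page, plus a second hypothetical entry whose key is already decrypted.
SAMPLE = """\
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
  0 QR name="cert1" subject=C=LV,ST=.,O=.,CN=cert.test.mt.lv
       issuer=C=LV,ST=.,O=.,CN=third serial-number="01"
       invalid-before=sep/17/2003 11:56:19 invalid-after=sep/16/2004 11:56:19
       ca=yes
  1 KR name="cert2" subject=C=LV,O=.,CN=hotspot.example.test
       issuer=C=LV,ST=.,O=.,CN=third serial-number="02"
       invalid-before=sep/17/2003 11:56:19 invalid-after=sep/16/2004 11:56:19
       ca=no
"""

KEYS = "name|subject|issuer|serial-number|invalid-before|invalid-after|ca"
RECORD = re.compile(r"^\s*(\d+)\s+([KQRD]*)\s+(?=name=)")   # "  0 QR name=..."
FIELD = re.compile(rf"({KEYS})=(.*?)(?=\s+(?:{KEYS})=|$)")   # value runs to next key
DATE_FMT = "%b/%d/%Y %H:%M:%S"                               # sep/17/2003 11:56:19

def parse_print(text):
    """Group numbered lines with their indented continuations, then split fields."""
    certs, current = [], None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            current = {"id": int(m.group(1)), "flags": set(m.group(2)), "body": line[m.end():]}
            certs.append(current)
        elif current is not None and line.startswith(" "):
            current["body"] += " " + line.strip()
    for c in certs:
        for key, value in FIELD.findall(c.pop("body")):
            c[key] = value.strip('"')
        for key in ("invalid-before", "invalid-after"):
            c[key] = datetime.strptime(c[key], DATE_FMT)
    return certs

def audit(certs, now):
    """Return (name, problem) pairs. `now` uses the same date format as the listing.
    Flag Q without K means the private key is still encrypted, which is the state
    every key is in after a configuration restore until `decrypt` is run again."""
    t = datetime.strptime(now, DATE_FMT)
    problems = []
    for c in certs:
        if "Q" in c["flags"] and "K" not in c["flags"]:
            problems.append((c["name"], "private key not decrypted; run decrypt"))
        if not c["invalid-before"] <= t <= c["invalid-after"]:
            problems.append((c["name"], "outside validity window"))
    return problems
```

Paste a real `print` listing into `SAMPLE` (or read it from a file) and call `audit(parse_print(listing), "<router date>")`; the RouterOS date format is the one the listing itself uses.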

    Examples

    To import a certificate and the respective private key already uploaded to the router:

    [admin@MikroTik] certificate> import
    passphrase: xxxx
           certificates-imported: 1
           private-keys-imported: 1
                  files-imported: 2
             decryption-failures: 0
        keys-with-no-certificate: 1
    [admin@MikroTik] certificate> print
    Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
      0 QR name="cert1" subject=C=LV,ST=.,O=.,CN=cert.test.mt.lv
           issuer=C=LV,ST=.,O=.,CN=third serial-number="01"
           invalid-before=sep/17/2003 11:56:19 invalid-after=sep/16/2004 11:56:19
           ca=yes
    
    [admin@MikroTik] certificate> decrypt
    passphrase: xxxx
        keys-decrypted: 1
    [admin@MikroTik] certificate> print
    Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
      0 KR name="cert1" subject=C=LV,ST=.,O=.,CN=cert.test.mt.lv
           issuer=C=LV,ST=.,O=.,CN=third serial-number="01"
           invalid-before=sep/17/2003 11:56:19 invalid-after=sep/16/2004 11:56:19
           ca=yes
    
    [admin@MikroTik] certificate>

    Now the certificate may be used by the HotSpot servlet:

    [admin@MikroTik] ip service> print
    Flags: X - disabled, I - invalid
      #   NAME                                 PORT  ADDRESS            CERTIFICATE
      0   telnet                               23    0.0.0.0/0
      1   ftp                                  21    0.0.0.0/0
      2   www                                  8081  0.0.0.0/0
      3   hotspot                              80    0.0.0.0/0
      4   ssh                                  22    0.0.0.0/0
      5   hotspot-ssl                          443   0.0.0.0/0          none
    
    [admin@MikroTik] ip service> set hotspot-ssl certificate=
    cert1  none
    [admin@MikroTik] ip service> set hotspot-ssl certificate=cert1
    [admin@MikroTik] ip service> print
    Flags: X - disabled, I - invalid
      #   NAME                                 PORT  ADDRESS            CERTIFICATE
      0   telnet                               23    0.0.0.0/0
      1   ftp                                  21    0.0.0.0/0
      2   www                                  8081  0.0.0.0/0
      3   hotspot                              80    0.0.0.0/0
      4   ssh                                  22    0.0.0.0/0
      5   hotspot-ssl                          443   0.0.0.0/0          cert1
    
    [admin@MikroTik] ip service>

    © Copyright 1999-2003, MikroTik