Certificates on MikroTik's RouterOS can be managed through the web interface (WebFig) or Winbox. Below are basic guidelines for configuring a CA (Certificate Authority) on the router to get you started.
Configure the CA
First, create the certificate that will act as the CA, then self-sign it:
System -> Certificates -> Add New
Name = myCA
Country = …
State = …
Organization = …
CN = mydomain.net
Key Usage = key cert. sign, crl sign (both are ticked by default; a certificate without them cannot sign other certificates or issue CRLs)
Days Valid = … (defaults to 365; a CA is usually given a longer lifetime, but every certificate it signed stops validating once the CA itself expires)
These values become the template for all other certificates signed by this CA. Use a real domain in the CN if this CA will issue certificates for services that devices reach by public domain name, e.g. portal.mydomain.net. If the certificates are *only* used for VPN authentication, the domain does not need to be real or registered, but it should be consistent across the certificates. Either way this is a private CA: clients will only trust what it signs after myCA's certificate (never its private key) has been imported into their trust store.
After saving, click the new certificate and click "Sign", leaving the CA field empty so that the certificate signs itself.
Create a Server Certificate
Add a "Server" certificate for services on the router (HTTPS, VPN termination). It is possible to use the CA certificate itself for this, but keep the CA's private key for signing only: a key that terminates connections is far more exposed than one that only signs, and a compromised service key costs you one certificate while a compromised CA key costs you every certificate it ever signed.
System -> Certificates -> Add New …
Name = router
CN = router.mydomain.net
Subject Alt. Name = DNS:router.mydomain.net (modern clients match the host name against the SAN rather than the CN)
Key Usage = digital signature, key encipherment, tls server (no key cert. sign or crl sign on a service certificate)
Now sign it with myCA:
System -> Certificates -> click on certificate -> Sign
Certificate = router
CA = myCA
The certificate is approved and signed immediately.
This certificate can now be used for services on the router.
Create Client Certificates
Create client certificates as required for VPNs, etc.:
System -> Certificates -> Add New
– use the same values as myCA, except CN: CN = client1.mydomain.net
– Key Usage = tls client only (a client certificate should not carry key cert. sign or crl sign)
Sign each certificate using myCA:
System -> Certificates -> click certificate -> Sign
Certificate = …
CA = myCA
(leave CA CRL Host blank unless the router will publish a CRL at an address the clients can reach)
System -> Certificates -> click certificate -> Export
Export the certificate in the required format (PEM or PKCS12). Supply an export passphrase when the client needs the private key: the key is then written encrypted under that passphrase, whereas without a passphrase only the certificate is exported and the key stays on the router. Export myCA itself without a passphrase, since clients only need its certificate, not its key.
The exported files appear under the Files menu for download. Delete them from Files as soon as they are downloaded; anything in router storage is readable by any user with file access.
After configuring and testing clients, also delete the client certificates (which include their private keys) under Certificates, so that they cannot be reused from a compromised router. Note that the router can only revoke a certificate that is still in its list, so if you intend to use CRLs or SCEP revocation, keep the client certificates and protect the router instead.
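The same procedure from the RouterOS terminal, as an added example that is not from the original page: the names myCA, router, client1 and mydomain.net follow the steps above, while the country/state/organization values, lifetimes, key size and the export passphrase are placeholders you should replace.

```routeros
# Added example, not from the original page. Placeholder values (XX, Somewhere,
# "My Org", lifetimes, key size, passphrase) are assumptions: replace them.

# 1. CA certificate. key-cert-sign and crl-sign are what allow it to sign
#    other certificates and issue CRLs; signing with no ca= makes it self-signed.
/certificate add name=myCA common-name=mydomain.net country=XX state=Somewhere \
    organization="My Org" key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
/certificate sign myCA

# 2. Server certificate for services on the router, signed by myCA. The SAN
#    carries the host name for clients that ignore the CN; key usage is
#    limited to what a TLS server needs (no key-cert-sign, no crl-sign).
/certificate add name=router common-name=router.mydomain.net country=XX \
    state=Somewhere organization="My Org" days-valid=730 \
    subject-alt-name=DNS:router.mydomain.net \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign router ca=myCA

# 3. Client certificate for a VPN user, limited to client authentication.
/certificate add name=client1 common-name=client1.mydomain.net country=XX \
    state=Somewhere organization="My Org" days-valid=365 key-usage=tls-client
/certificate sign client1 ca=myCA

# 4. Confirm the chain before handing anything out: issuer must show myCA,
#    and the K flag shows the private key is present on the router.
/certificate print detail where name=client1

# 5. Export. myCA without a passphrase: only the certificate is written and the
#    CA key never leaves the router. client1 as PKCS12 with a passphrase: the
#    key is included, encrypted, which is what a VPN client needs to import.
/certificate export-certificate myCA file-name=myCA
/certificate export-certificate client1 type=pkcs12 file-name=client1 \
    export-passphrase="replace-with-a-strong-passphrase"

# 6. After downloading the exported files, remove them from router storage
#    and drop the client's private key from the certificate list.
/file remove [find name~"^myCA"]
/file remove [find name~"^client1"]
/certificate remove client1
```

On a workstation, `openssl pkcs12 -in client1.p12 -clcerts -nokeys -out client1.crt` followed by `openssl verify -CAfile myCA.crt client1.crt` confirms the chain independently of the router before the file is handed to a user.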
SCEP Servers (optional)
Simple Certificate Enrollment Protocol (SCEP) can be used to automate certificate management to a degree: clients enrol, renew and fetch CRLs (Certificate Revocation Lists) from the CA router over HTTP.
System -> Certificates -> SCEP Servers -> Add New
CA Certificate = myCA
Path = /scep/myCA
System -> Certificates -> Add New -> … -> Sign via SCEP
Certificate = clientX
SCEP URL = http://192.168.1.1/scep/myCA
“Sign via SCEP”
System -> Certificates -> Requests -> click certificate -> “Grant”
(Granting appears to create two certificates on the client: one with the FQDN and another tied to the SCEP URL, used for renewals.)
*Note: SCEP runs over plain HTTP by design; the enrolment messages are themselves signed and encrypted, but the CA certificate the client fetches first is not authenticated, so compare its fingerprint (shown in the certificate details) with the one on the CA router before granting the request. The SCEP URL must also stay reachable at a fixed address, i.e. a static IP or a stable DNS name rather than a DHCP lease, because the clients contact the CA periodically for renewals and CRLs. If the URL becomes inaccessible the client logs messages like: "scep client failure: requesting-ca-capabilities-failed".
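The SCEP variant from the terminal, as an added example that is not part of the original page. It assumes the CA router is reachable at 192.168.1.1 (as in the text) and that the enrolling device is a second RouterOS box; the request-granting command is an assumption written from the WebFig "Requests" tab and its exact menu path may differ between RouterOS versions.

```routeros
# Added example, not from the original page. 192.168.1.1, clientX and the
# SCEP path follow the text above; the grant command is an assumption
# taken from the WebFig Requests tab.

# --- On the CA router: publish myCA over SCEP at http://<router>/scep/myCA.
#     myCA must carry crl-sign so it can also serve the CRL to SCEP clients.
/certificate scep-server add ca-cert=myCA path=/scep/myCA

# --- On the enrolling router: a template holding the subject and key usage,
#     then a SCEP request against the fixed address of the CA.
/certificate add name=clientX common-name=clientX.mydomain.net key-usage=tls-client
/certificate add-scep template=clientX scep-url=http://192.168.1.1/scep/myCA

# SCEP fetches the CA certificate over unauthenticated HTTP. Before trusting
# anything, compare its fingerprint with the one shown on the CA router:
#   CA router:        /certificate print detail where name=myCA
#   enrolling router: /certificate print detail where common-name=mydomain.net
# The two 'fingerprint' values must match exactly.

# --- Back on the CA router: approve the pending request (assumed CLI
#     equivalent of System -> Certificates -> Requests -> Grant).
/certificate scep-server requests print
/certificate scep-server requests grant 0

# Renewal problems (e.g. the CA address changed) show up in the enrolling
# router's log:
/log print where message~"scep client failure"
```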