Managing Certificates on Mikrotik Router with Winbox

Certificates on Mikrotik’s RouterOS can be managed through the web interface or the Winbox software. Below are basic guidelines for configuring a CA to get you started.

Configure the CA

First, create a certificate to be used for CA (Certificate Authority) signing, then self-sign it:

System -> Certificates -> Add New ->
 Name = myCA
 Country = …
 State = …
 Organization = …
 CN = mydomain.net

These values will be the template for all other certificates signed by this CA. Use a real domain in the CN if this CA will issue certificates for services that your devices reach via public domain names, e.g. portal.mydomain.net. If the certificates are *only* used for VPN authentication, the domain name does not need to be real or registered, but it should be consistent across all the certificates.

After saving, click the new certificate, and click “Sign”.

Create a Server Certificate

Add a “Server” certificate to be used for services on the router (optional; you can also use the CA certificate directly):

System -> Certificates -> Add New …

 Name = router
 CN = router.mydomain.net

Now sign it with myCA:
 System -> Certificates -> click on certificate -> Sign
 Certificate = router
 CA = myCA
-> Start

The certificate is approved and signed immediately.
This certificate can now be used for services on the router.

Client Certificates

Create client certificates as required for VPNs, etc.:

System -> Certificates -> Add New
– use the same values as myCA, except for the CN: CN = client1.mydomain.net

Sign each certificate using myCA:
 System -> Certificates -> click certificate -> Sign
 Certificate = …
 CA = myCA
 (leave CRL Host blank)

System -> Certificates -> click certificate -> Export
Export the certificate in the required format, with an optional passphrase that protects the exported private key (better security).

The exported certificates are available for download from the Files menu.
After configuring and testing the clients, delete the exported files under Files and the client certificates under Certificates, so they cannot be reused if the router is compromised.
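The same CA, server and client procedure as RouterOS terminal commands, added here as an example that is not part of the original guide. It assumes the /certificate menu parameter names of RouterOS v6/v7 (add, sign, export-certificate); the names, country/state/organisation values and the passphrase are placeholders to replace with your own.

```routeros
# --- CA: create the template, then self-sign it (no ca= argument) ---
/certificate add name=myCA common-name=mydomain.net country=XX state=State \
    organization=MyOrg key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign myCA

# --- Server certificate for services on the router, signed by myCA ---
/certificate add name=router common-name=router.mydomain.net country=XX state=State \
    organization=MyOrg key-usage=digital-signature,key-encipherment,tls-server days-valid=1095
/certificate sign router ca=myCA

# --- Client certificate (same values as myCA, only the CN differs) ---
/certificate add name=client1 common-name=client1.mydomain.net country=XX state=State \
    organization=MyOrg key-usage=digital-signature,key-encipherment,tls-client days-valid=365
/certificate sign client1 ca=myCA

# Export the client certificate plus passphrase-protected private key;
# the files appear under /file (Files menu) as client1.crt and client1.key.
/certificate export-certificate client1 export-passphrase="REPLACE-WITH-STRONG-PASSPHRASE"

# Check the result: the issuer of client1 should be myCA and the CA entry
# should carry the private-key (K) and trusted (T) flags.
/certificate print detail where name=client1

# After the client has been configured and tested, remove the material
# from the router so it cannot be reused if the router is compromised.
/file remove [find name~"client1"]
/certificate remove client1
```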

SCEP Servers (optional)

Simple Certificate Enrollment Protocol (SCEP) can be used to automate certificate management to a degree (renewals and CRLs – Certificate Revocation Lists).

System -> Certificates -> SCEP Servers -> Add New
 CA Certificate = myCA
 Path = /scep/myCA
 “OK”

System -> Certificates -> Add New -> … -> Sign via SCEP
 Certificate = clientX
 SCEP URL = http://192.168.1.1/scep/myCA
 “Sign via SCEP”

System -> Certificates -> Requests -> click certificate -> “Grant”
(this appears to create two certificates: one with the FQDN and another with the SCEP URL, used for renewals).

*Note: The SCEP URL must be reachable at a fixed address (i.e. not a DHCP-assigned one), because the SCEP clients will regularly contact the CA to verify and renew their certificates. If the URL becomes unreachable, the clients will log messages like: “scep client failure: requesting-ca-capabilities-failed”.