This consists of the root key (ca.key.pem) and root certificate (ca.cert.pem). This pair forms the identity of your CA. Typically, the root CA does not sign server or client certificates directly. The root CA is only ever used to create one or more intermediate CAs, which are trusted by the root CA to sign certificates on their behalf.
Generate certificates on RouterOS
RouterOS version 6 allows to create, store and manage certificates in certificate store. Following example demonstrates how to easily manage certificates in RouterOS:
Make certificate templates
Sign certificates and add CRL url.We will use IP address of the server as CRL URL.
Note: If signing certificates on mipbe cpu based devices(RB7xx,RB2011,RB9xx) then this process might take a while depending on key-size of specific certificate. With values 4k and higher it might take a substantial time to sign this specific certificate.
Generate Client Certificate From Private Key
If certificate does not have T flag then you need to set it as trusted before using it:
Export client certificates with keys and CA certificate:
Now these exported files can be imported on client machines.
If everything went well you should have something like this:
Note: Templates are automatically removed after signing certificate
Generate Client Certificate With Ca Keyboard
Generate certificates with OpenSSL
Following is a step-by-step guide to creating your own CA (Certificate Authority) with openssl on Linux.
Note: Starting from v5.15 RouterOS supports pkcs8 key format. If you are using older versions, to import keys in pkcs8 format run command:
openssl rsa -in myKey.key -text and write key output to new file. Upload new file to RouterOS and import
- First step is to build the CA private key and CA certificate pair.
During the process you will have to fill few entries (Common Name (CN), Organization, State or province .. etc).Created CA certificate/key pair will be valid for 10 years (3650 days).
Warning: If certificates are generated without key usage, you need to edit openssl.cnf file and specify what key usage to use, or create a new config file and use -config option while generating certificate.
- Now create private-key/certificate pair for the server
Warning: RSA Key length must be at least 472 bits if certificate is used by SSTP. Shorter keys are considered as security threats.
And again during the process you will have to fill some entries. When filling CN remember that it must not match on CA and server certificate otherwise later naming collision will occur.
Note: Common Name (CN) in server certificate should match the the IP address of your server otherwise you will get 'domain mismatch' message and for example Windows SSTP client will not be able to connect to the server. If clients are only Windows machines then CN can be a DNS name, too.
Note: If you are using 'My ID user FQDN' in IpSec config then 'subjectaltname' extension should be set on certificate, and must match the value set on remote peers 'My ID user FQDN'.
- Client key/certificate pair creation steps are very similar to server. Remember to Specify unique CN.
To examine certificate run following command:
To import newly created certificates to your router, first you have to upload server.crt and server.key files to the router via FTP.Now go to
/certificate submenu and run following commands:
If everything is imported properly then certificate should show up with KT flag.
Note: If you want to use server certificates for OVPN or SSTP and use client certificate verification, then CA certificate must be imported, too.
[Top Back to Content]