mikrotik help please

Am looking to set this up properly (add ike2 vpn server) since having some time on my hands and need to create some self signed certs.

I know how to do most of this cert stuff but when signing my created certificate authority cert the mikrotik wiki mentions specifying a ca-crl-host? It mentions using the IP address of the server, is that the same as my public IP address and what if this is dynamic, can I specify a DDNS url for this?

https://wiki.mikrotik.com/wiki/Manual:Create_Certificates


Does this also mean I have to have port 80 / IP Services 'www' enabled for the crl to be reachable?

Any help much appreciated...

Newer guide to setting up ike2 found on the web so thought I'd see if I could get it working in the hope we'd one day be working remotely again...

https://mum.mikrotik.com/presentations/MY19/presentation_7008_1560543676.pdf
 
HTTP is normally on port 80, HTTPS will be on Port 443 usually, so if you want to use HTTPS you’ll need to assign it to port 443 and leave the CA and CA Host empty if using the GUI.

Again, for the VPN, assign it to the port you’re using and leave CA and CA Host empty because it’s self-signed. It should work, assuming you used the Mikrotik tool to generate your self-signed certificate.
 
> HTTP is normally on port 80, HTTPS will be on Port 443 usually, so if you want to use HTTPS you’ll need to assign it to port 443 and leave the CA and CA Host empty if using the GUI.
>
> Again, for the VPN, assign it to the port you’re using and leave CA and CA Host empty because it’s self-signed. It should work, assuming you used the Mikrotik tool to generate your self-signed certificate.

Thanks, the https bit on port 443 is in regards to logging in to the router itself I believe, I can do that bit once I have the server cert created / signed by my CA, this can be selected in the IP > Services menu for the www-ssl service. However, it was the crl host part that has confused me. I guess if it's left blank you wouldn't have any certificate revocation abilities and would have to recreate a new self-signed CA and all new client certs again for those you wanted if you wanted to end issued cert(s) on the old CA?
 
I’m a bit confused. You are saying that you’re using self-signed certificates, and then you say you’re using a certificate authority. If you’re using a certificate authority then you enter the name of the CA in CA and the IP address or URL of the CA in the CA Host box. If you’ve self-signed, these are left blank. Does that make sense?
 
Yes, you can revoke the certificate, just go into the certificate tool and revoke it.
 
> I’m a bit confused. You are saying that you’re using self-signed certificates, and then you say you’re using a certificate authority. If you’re using a certificate authority then you enter the name of the CA in CA and the IP address or URL of the CA in the CA Host box. If you’ve self-signed, these are left blank. Does that make sense?

I was following the instructions in the Create Certificates wiki link above which starts by creating your own CA cert.
 
> Yes, you can revoke the certificate, just go into the certificate tool and revoke it.

But I don't think that will do anything if the crl isn't reachable and am guessing that requires a ca-crl-host to be specified. The thing is I don't know if this has to be an IP address or it can be an FQDN. If it relates to the public IP of the router does the router serve up the crl or does the location of the crl have to be on some web server somewhere?
 
The wiki is.... interesting. There is a term that is used frequently in regard to anything Mikrotik - Latvian Logic. I sometimes think that the wiki was written by someone who only had access to the script interface and never saw the GUI. And the scripting is always incredibly full and elaborate. This does make some sense, but it’s not always that helpful.
 
> But I don't think that will do anything if the crl isn't reachable and am guessing that requires a ca-crl-host to be specified. The thing is I don't know if this has to be an IP address or it can be an FQDN. If it relates to the public IP of the router does the router serve up the crl or does the location of the crl have to be on some web server somewhere?

I really think you’re over-complicating this. YOU are the only person who would trust your own certificate. No-one else in their right mind would accept your self-signed certificate. But it still works perfectly for your site-to-site VPN. You already know the CA host - it’s you. So when you revoke the certificate you already know the location of the CA host. Don’t over-complicate a self-signed certificate. The CA and CA host only matter if you actually have a CA to verify your certificate.
 
> I really think you’re over-complicating this. YOU are the only person who would trust your own certificate. No-one else in their right mind would accept your self-signed certificate. But it still works perfectly for your site-to-site VPN. You already know the CA host - it’s you. So when you revoke the certificate you already know the location of the CA host. Don’t over-complicate a self-signed certificate. The CA and CA host only matter if you actually have a CA to verify your certificate.

I would like to reply to this in a Latvian accent lol.

Are you saying I can create client certs without creating my own CA cert or just that I should not mention ca-crl-host when signing the ca-template?
 
When you create a certificate you either specify a certificate authority (in which case you need a certificate authority and you enter the IP address or URL of the certificate authority) or you don’t - and that’s a self-signed certificate in which case there is no certificate authority or certificate authority host. You can set yourself up as a CA, in which case you need a different type of certificate.
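An added example, not from this thread or from MikroTik's own documentation, showing the two paths the replies describe as RouterOS CLI commands: a plain self-signed certificate with no CA and no CRL host, and the wiki-style flow where the router is its own CA and ca-crl-host names where the router's www service publishes the CRL. All certificate names, common names and the DDNS hostname are placeholders; that ca-crl-host accepts a DNS name and that the CRL is served by the www service are assumptions to check against your RouterOS version.

```routeros
# Added example (not the thread's or MikroTik's code). Names and hostnames are placeholders.

# --- Path A: one self-signed certificate, no CA, CA and CA Host left empty ---
/certificate add name=selfsigned-template common-name=router.example.invalid \
    days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign selfsigned-template name=selfsigned
# Use it for the router's own HTTPS login; nothing else will trust it, which is fine here.
/ip service set www-ssl certificate=selfsigned disabled=no

# --- Path B: the router as its own CA, signing server and client certs (wiki flow) ---
# crl-sign in key-usage is what lets this CA publish revocations at all.
/certificate add name=ca-template common-name=MyHomeCA days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
# ca-crl-host is embedded in every issued cert as its CRL distribution point.
# A DDNS name is assumed here (placeholder) so a dynamic public IP does not matter;
# it only works if clients that check the CRL can reach the router's www service.
/certificate sign ca-template name=MyHomeCA ca-crl-host=router.example.ddns.invalid
# The CRL is assumed to be served over plain HTTP by the www service, so it must be
# enabled; limit it with address= to the networks your VPN clients connect from.
/ip service set www disabled=no port=80

# Server cert for the IKEv2 responder: the SAN must match the name clients connect to.
/certificate add name=server-template common-name=router.example.ddns.invalid \
    subject-alt-name=DNS:router.example.ddns.invalid days-valid=1095 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server-template ca=MyHomeCA name=ike2-server

# One cert per client so a single device can be revoked without touching the rest.
/certificate add name=client1-template common-name=client1 days-valid=365 \
    key-usage=tls-client
/certificate sign client1-template ca=MyHomeCA name=client1

# Hand the CA public cert and the client's cert+key to the client device.
/certificate export-certificate MyHomeCA
/certificate export-certificate client1 export-passphrase=ChangeMe-placeholder

# Later: revoke client1. The CA's CRL is updated and served at the ca-crl-host.
/certificate issued-revoke [find name=client1]
```

Revoking only helps peers that actually fetch the CRL; if the www service is unreachable from the client side, a revoked client cert is still accepted until it expires, which is the point the thread was circling.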
 