Trust your Enterprise Certificate Authority (PKI) with MikroTik RouterOS

Introduction

For anything serious regarding TLS, you will need valid certificates. My recommended way of achieving that is to have a PKI infrastructure set up (e.g. with Windows Server Certification Authority) and then trust the Root and Intermediate certificates on your MikroTik devices and on all your clients and servers. Obviously, if you have an Active Directory Domain, accomplishing that trust level is way easier than having to import the certificates to each and every client.

In this article we are going to assume that…

  • …you have a PKI infrastructure set up and ready to go
  • …you have your public key certificate files of your PKI servers handy (Base64 encoded), do not export the private keys!
  • …all your clients and servers are already trusting your PKI
  • …your CRL infrastructure is working, i.e. all clients and servers that access resources protected by our TLS certificates (including our MikroTik router) can reach the CRL
  • …you don’t need public or foreign clients to trust your certificate. This guide is for a scenario where you want trusted certificates for clients and servers which are members of a private network

At the end we will have achieved the following:

  • Our MikroTik router will be trusting our PKI
  • Our MikroTik router will be checking certificates against the CRL of our PKI
  • We will have created a TLS certificate for the web interface of our MikroTik router and have bound it to the www-ssl service

Importing our PKI certificates

Importing trusted Root certificates is rather easy: just upload the Base64-encoded .cer file which contains the public key of your root certificate authority to your router (e.g. using WinBox -> Files node) and import it with the following command:

/certificate import file-name=myRootCA.cer passphrase=""

If you have a two-tier PKI consisting of a root CA and an intermediate (issuing) CA, just copy the contents of both Base64-encoded files together into one file and upload and import it like above.

If everything went well, you’ll end up with something like this:

[Screenshot: Trusted certificate authorities (two-tier)]

Note that the “T” flag is present, which stands for “trusted”. Our MikroTik router now trusts all certificates which have been issued by this PKI.

Creating a new certificate for our MikroTik router

Usually, to create a new certificate for some device, we first need to create a certificate signing request (CSR), which will then be sent over to our PKI. The PKI signs the request and we import the signed request (i.e. the response) into our router.

With MikroTik routers we first need to create a so-called template, from which we will subsequently derive our CSR:

/certificate add common-name=mymikrotik.mydomain.lan country=LV locality=Riga organization=ACMELabs state=Riga subject-alt-name=DNS:mymikrotik.mydomain.lan name=www-ssl-Template key-size=2048

Note the subject-alt-name parameter. This is needed for current web browsers to not show any warnings or error messages when connecting to the service. If you need more subject alternative names, just comma-separate your entries (without any spaces).

Note that the chosen name must be DNS-resolvable and that it must be the actual name you are using when accessing your router using the web interface, otherwise your browser will keep throwing certificate warnings at you.

Let’s now create our CSR.

/certificate create-certificate-request template=www-ssl-Template key-passphrase=myRandomPassword

Choose something different instead of “myRandomPassword”. This is the password for the private key of your certificate. You want to keep it secret and secured.

Sign the certificate request using your PKI

Now you need to download the “certificate-request.pem” file, which your MikroTik router has just created, and sign it using your PKI. I will not be showing this here because covering every PKI solution would be out of scope for this post, and I’m just going to assume that you know how to operate your PKI if you have one.

Upload and import

Upload the signed certificate file to your MikroTik (let’s assume it is called certificate.cer) and import it using the following command:

/certificate import file-name=certificate.cer name=www-ssl-Server

Import the private key (which has been generated when we created our CSR) and use the same passphrase as before:

/certificate import file-name=certificate-request_key.pem passphrase=myRandomPassword
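Before importing, it pays to confirm on a workstation that the certificate the PKI returned still carries the subject alternative name from the CSR (some PKI templates silently drop or rewrite it) and that it belongs to the private key the router generated. The following shell script is an added example, not code from the original post; it assumes the file names used above (certificate-request.pem, certificate.cer, certificate-request_key.pem) and the passphrase from the create-certificate-request step:

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a signed certificate
# before importing it into the router.
set -eu

# san_names FILE
# Prints the subjectAltName entries, comma-separated without spaces (the same
# notation RouterOS expects for subject-alt-name). Works for a CSR
# (certificate-request.pem) as well as for a certificate (certificate.cer).
san_names() {
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then cmd=req; else cmd=x509; fi
    openssl "$cmd" -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr -d ' '
}

# key_matches_cert KEYFILE CERTFILE PASSPHRASE
# Succeeds if the (encrypted) private key exported by the router belongs to
# the certificate the PKI returned, i.e. both carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -passin "pass:$3" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Typical use (file names and passphrase are the ones assumed in the post):
#   san_names certificate-request.pem      # what we asked for
#   san_names certificate.cer              # what the PKI actually issued
#   key_matches_cert certificate-request_key.pem certificate.cer myRandomPassword
```

If the two san_names outputs differ, fix the PKI template or request a re-issue before importing; a certificate whose SAN does not match the name you browse to will keep producing warnings no matter how it is bound on the router.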

Configure www-ssl service

Now we need to configure the www-ssl service to use the new certificate and then enable it.

/ip service set www-ssl certificate=www-ssl-Server disabled=no

Also, don’t forget to restrict access to only specific source addresses (that applies to ALL services!):

/ip service set www-ssl address=1.2.3.0/24,2.3.4.0/24

Note that you can specify multiple IP addresses and ranges by separating them using commas, like in the example above.
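The introduction lists CRL checking as one of the goals, but the steps above do not switch it on, and nothing so far verifies the result on the router itself. The following RouterOS commands are an added example, not part of the original post; they assume a RouterOS version that provides /certificate settings with the crl-download and crl-use options, and the certificate name www-ssl-Server from above:

```routeros
# Added example (not from the original post): enable CRL checking, which the
# introduction lists as a goal, and verify the certificate and service state.
# Assumes the router can reach the CRL distribution point (see the intro).
/certificate settings set crl-download=yes crl-use=yes

# The CA entries should show the flags A (authority) and T (trusted); the
# server certificate should show K (private key present) and T.
/certificate print
/certificate print detail where name=www-ssl-Server

# Confirm the certificate binding and the source-address restriction.
/ip service print detail where name=www-ssl

# Optional: once www-ssl works, the plaintext www service is no longer needed.
/ip service set www disabled=yes
```

If the server certificate shows no K flag, the private key import failed (usually a wrong passphrase) and the www-ssl service will not serve it.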

Conclusion

We have now configured our MikroTik router to trust our Enterprise PKI and we have created a trusted TLS certificate for the www-ssl service of our router, so that a) you don’t get any more warnings when accessing the web interface and b) you notice immediately if there is any man-in-the-middle attack (aka SSL inspection) going on.

This procedure can be used to create certificates for any service with TLS support on the MikroTik router, like SSTP VPN server for example.
