Pki Card Print Cannot Read the Certificate From the Ic Card
We need certificates for specific VPN technologies, including Microsoft SSTP and OpenVPN tunnels. For small installations, we will use a self-signed CA infrastructure. Moreover, this process is the same regardless of how we obtain those certificates.
The procedure described here is the same for any version of MikroTik RouterOS, from 3.30 to 6.36.3. We can work from the command line or from the WinBox GUI.
(Update 06.04.2020.) If you need instructions for other platforms, you can check the following documents:
- Windows 7/Server 2008 R2
- Windows 8/Server 2012 R2 and later
What do we need?
Our list of ingredients is very short. We need:
- A CA root certificate
- A private (device) certificate
- A key for the private certificate
We will never use the private key of the root CA certificate. It is sensitive and we never share it. More importantly, if we are working with a third-party CA root certificate we will never have access to it.
We need to upload those files to the router; we can use the MikroTik WinBox built-in file transfer capability or an FTP session with the router.
Importing from the command line
If you prefer to work from the command line, or if you are working over a slow link, you can finish the whole job with a few commands. In this example I will import the root CA certificate from the command line.
The command for importing certificates is:
certificate import file-name=certname.crt
where certname.crt is the name of the certificate we need to import. In our case that name is ca.crt. Therefore, our command will be:
certificate import file-name=ca.crt
As we protected our CA certificate with a password (or, even better, a passphrase), we must provide the correct password to enable importing of the certificate. The rest of the process is automatic.
However, if something is wrong (the format of the file or the password), then the import of the certificate will fail. Therefore, read the response from the command carefully. You should see there that one certificate was imported.
When you want to check the already installed certificates, just type the following command:
certificate print
The router will print the list of all installed certificates. The output can be very confusing, as the columns are truncated at predefined widths.
Still, even such a poor view can be helpful when working with a small number of certificates.
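The command-line procedure above, as an added example that is not part of the original post: it imports all three files in the order the post requires (certificate before key) and then verifies the result instead of trusting a silent import. The file names ca.crt, server.crt and server.key, the passphrase value, and the use of the private-key property in a find filter are assumptions; adjust them to your router.

```routeros
# Added example (not from the original post). File names and passphrase are assumed.

# 1. Root CA certificate: the router only needs the public part, never the CA key.
/certificate import file-name=ca.crt passphrase=""

# 2. Device certificate first ...
/certificate import file-name=server.crt passphrase=""

# 3. ... then its private key. A wrong passphrase does not raise an error;
#    it simply leaves the certificate without the K flag.
/certificate import file-name=server.key passphrase="CHANGE-ME"

# 4. List what the router now holds. Imported items are named
#    <file name>_<ordinal>, e.g. server.crt_0, and entries that carry a
#    private key show K in the first column.
/certificate print

# 5. Scripted check: fail loudly if no entry named after server.crt has a
#    private key attached ("private-key" as a find property is an assumption;
#    confirm it on your RouterOS version).
:if ([:len [/certificate find where name~"^server.crt" and private-key=yes]] = 0) do={
    :error "server certificate imported without its private key: check the key passphrase"
} else={
    :put "server certificate and key imported OK"
}
```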
Importing from WinBox
We can use the WinBox tool when we want to work more comfortably. This way we will have more details in the view and we can use the graphical dialogs to perform the whole operation.
Although we use the certificate command directly from the root in the command line, in WinBox this command is placed inside the System menu.
We can see all the already installed certificates when we open the window for the Certificates service. In our example, we can see the root CA certificate which we have just imported.
As you can see, we can have more details on display and we can adjust the column widths. The name of the certificate is always a combination of the file name, an underscore sign and an ordinal number. That means that we can have more than one certificate with the same file name and MikroTik will generate different names for them.
Now we need to import the device certificate. In our example, this is server.crt. We will click on the button [ Import ] and a new dialog window will appear. We have a pull-down list with the names of all files found inside the router.
We will choose our device certificate. Remember that you need to import the certificate first, then the key.
Before we go any further, I have a trick question for you. What is wrong with this screenshot? I will provide the answer later.
We chose our certificate from the list. If the certificate has no password, you can just click on the [ Import ] button.
However, if there is a password and you did not provide it, there will be no error message. Therefore, you will see the result only in the basic dialog. If our new certificate appears there, then everything is fine.
You should see all parameters. The most important one is the Common Name. This name must be correct. We already discussed that in the section about server certificates inside this post.
To have the device handle SSL communications it must also have the private key for its certificate. Therefore, we need to import it. The procedure is the same as with the certificate file. We will choose the key file from the list, enter the password and click on the button [ Import ].
Oh, yes, the answer. I chose the wrong file in the first place. Instead of the key file (server.key) I chose the certificate request file (server.csr).
Again, if you did not provide the password or passphrase, the key will not import and there will not be an error message. You must check the list of the certificates again.
When the import of the private key is successful, you can see that the certificate will have the letter K in the first column. This letter is short for private Key and indicates that the import was successful.
We can check any certificate's details; just open it with a double click.
We can see all the details we provided during the creation procedure. Furthermore, we can assign a new name to it. As this name is a text field, we can type a meaningful name here.
Using this certificate
We have our certificate imported and ready to be used. As we mentioned at the beginning of this article, we can use this certificate with some VPN technologies. I will quickly demonstrate the association between the device certificate and the SSTP VPN server.
As you can see, we chose our server certificate from the drop-down list. After this step, we will import at least the root CA certificate on the SSTP client machine so that the SSTP VPN can be established between them.
For greater security, we can build a larger CA infrastructure that also includes client-side certificates. We can see on this screenshot that we can force verification of the client-side certificates.
Stay tuned.
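The association between the device certificate and the VPN servers, as an added example that is not part of the original post: the weak setting (server certificate only) is shown beside the hardened one that forces client-certificate verification, for both SSTP and the OpenVPN server the post mentions. The certificate name server.crt_0 follows the file-name_ordinal convention described above and is an assumption; read the real name from the certificate list first.

```routeros
# Added example (not from the original post). Certificate name is assumed.

# Weak setting: any client that trusts our CA can connect with a
# username/password only; the client's identity is not verified
# cryptographically.
/interface sstp-server server set enabled=yes certificate=server.crt_0 \
    verify-client-certificate=no

# Hardened setting: the client must present a certificate signed by the
# same CA (the "larger CA infrastructure"), so a leaked password alone
# is not enough to establish the tunnel.
/interface sstp-server server set enabled=yes certificate=server.crt_0 \
    verify-client-certificate=yes

# The same idea for OpenVPN, the other tunnel type the post covers.
/interface ovpn-server server set enabled=yes certificate=server.crt_0 \
    require-client-certificate=yes

# Confirm which certificate and verification mode each server actually uses.
/interface sstp-server server print
/interface ovpn-server server print
```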
Source: https://mivilisnet.wordpress.com/2016/09/15/how-to-import-certificates-into-mikrotik-routeros/