MikroTik – how to generate SSL certificate and enable HTTPS

Tuesday, August 11th, 2015

I am quite fascinated with what MikroTik has produced so far. So much functionality for a normal price, and no licensing extortion practices – once you buy the HW, upgrades come for free. There are license levels, but usually your hardware will run out of steam before you reach these limits (number of VPN tunnels, for example). The other thing that I value is stability. Since trying out MikroTik devices, I have not even bothered looking at other options for home use. (Do you remember the practice of choosing home routers/wifi hotspots by checking the DD-WRT website/database for whether a particular item can be flashed or not? :)

Since their primary management interface is called WinBox, and since I am a desktop Linux user, no dice here (well, I might be mistaken). So I mainly use the CLI and WebFig. But it turned out that creating and signing certificates in WebFig is totally unintuitive, so this is my braindump on how to do it in the CLI as fast as possible.

As it turns out, you need to create a CA certificate first. You could use this CA certificate directly as the HTTPS certificate, but Chrome will reject it with the error NET::ERR_CERT_INVALID and will not even offer you an option to continue to the “unsafe place”.
Therefore the CA must be used to sign a regular certificate, and that certificate is then used for the HTTPS communication. Let me show you how I do it in the following steps:

1. Create CA certificate first:

2. Sign the CA certificate:

3. Now create a regular certificate for HTTPS access:

4. Sign it with CA from steps 1&2:

OPTIONAL: Mark it as trusted (I did not need to do this, but the internets beg to differ :):

5. And finally, assign the new certificate to HTTPS service:
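As an added worked example (my own reconstruction of the procedure, not the commands from the original post), here is the whole sequence typed into the RouterOS CLI. The certificate names (my-ca-template, my-ca, https-template, https-cert), the common name router.example.lan, the key size and the validity periods are assumptions; adjust them to your router. The CA key is limited to key-cert-sign,crl-sign and the server certificate carries the key-usage=tls-server that Chrome insists on (see Credits), so each key does exactly one job. The subject-alt-name goes a bit beyond the post: Chrome has for years ignored the common name and matched only the SAN, so a certificate without it will still be refused by current browsers.

```routeros
# Step 1: CA template. Key usage restricted to signing certificates and CRLs.
# (names, key size and validity are assumptions, not values from the post)
/certificate add name=my-ca-template common-name="my-ca" key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign

# Step 2: self-sign the CA. The signed result is stored under the name given by name=.
/certificate sign my-ca-template name=my-ca

# Step 3: server certificate template for the web interface.
# key-usage=tls-server is the attribute Chrome requires; the SAN must match the
# hostname you type into the browser (router.example.lan is a placeholder).
/certificate add name=https-template common-name="router.example.lan" subject-alt-name=DNS:router.example.lan key-size=2048 days-valid=730 key-usage=digital-signature,key-encipherment,tls-server

# Step 4: sign it with the CA from steps 1 and 2.
/certificate sign https-template ca=my-ca name=https-cert

# OPTIONAL: mark it as trusted on the router itself.
/certificate set https-cert trusted=yes

# Step 5: bind the certificate to the HTTPS service and enable the service.
/ip service set www-ssl certificate=https-cert disabled=no

# Check: the server certificate should show flags K (private key present) and
# I (issued), with my-ca as issuer, before you point a browser at it.
/certificate print detail where name=https-cert

# Export only the CA certificate (no private key) so it can be imported into
# the browser's trust store; the file lands in /file as cert_export_my-ca.crt.
/certificate export-certificate my-ca
```

Two points worth keeping in mind: the exported CA file contains only the public certificate, so handing it to a browser does not expose the signing key, and importing that CA into the browser is what turns the remaining “untrusted issuer” warning into a clean padlock. Disabling the plain www service afterwards (/ip service disable www) is the natural follow-up once HTTPS works.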

And that is it.

The unfortunate thing is: once set up, you can log in, but the web interface STILL does not work in Chrome. I’ve noted a similar issue with HP switches, where Firefox just works too.

Credits:

Thanks go to Garðar Arnarsson for pointing out the missing “key-usage=tls-server” in step #3, which fixes the Chrome TLS issue. Thanks also for reaching out to me and pointing out that the Captcha was not working!