MikroTik – how to generate SSL certificate and enable HTTPS

August 11th, 2015 by bostjan

I am quite fascinated with what MikroTik has produced so far. So much functionality for a normal price, and no licensing extortion practices – once you buy the hardware, upgrades come for free. There are license levels, but usually your hardware will stumble before you reach those limits (number of VPN tunnels, for example). The other thing I value is stability. Since trying out MikroTik devices, I have not even bothered looking at other options for home use (do you remember the practice of choosing home routers/wifi hotspots by checking the DD-WRT website/database to see whether a particular model could be flashed or not? :)

Since their primary management interface is called WinBox, and since I am a desktop Linux user, no dice here (well, I might be mistaken). So I mainly use the CLI and WebFig. But it turned out that creating and signing certificates in WebFig is totally unintuitive, so this is my braindump on how to do it in the CLI as fast as possible.

As it turns out, you need to create a CA certificate first. You could use this CA certificate directly as the HTTPS certificate, but Chrome will reject it with the error NET::ERR_CERT_INVALID and will not even offer you the option to continue to the “unsafe place”.
Therefore the CA must be used to sign a regular certificate that is then used for HTTPS communication. Let me show you how I do it in the following steps:

1. Create the CA certificate first:

2. Sign the CA certificate:

3. Now create a regular certificate for HTTPS access:

4. Sign it with the CA from steps 1 & 2:

OPTIONAL: Mark it as trusted (I did not need to do this, but the internets beg to differ :):

5. And finally, assign the new certificate to the HTTPS service:

And that is it.
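The whole sequence above as one RouterOS CLI script, added here as an example rather than the post's own commands; it uses the certificate names that appear in the comments (my-rtr-ca, my-rtr), assumes RouterOS 6.x syntax (one commenter notes older versions differ), and the router address 192.168.88.1 and hostname router.lan are placeholders you must replace.

```routeros
# Added example, not the original post's commands. ASSUMED values:
# router address 192.168.88.1, hostname router.lan (replace with your own).

# 1. Create the CA key pair and certificate template. key-usage limits this
#    key to signing certificates and CRLs, so it can never act as a TLS server.
/certificate add name=my-rtr-ca common-name=my-rtr-ca key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign

# 2. Self-sign the CA (it has no issuer of its own). Give it a long lifetime:
#    every certificate it issues dies with it (see the comments below).
/certificate sign my-rtr-ca name=my-rtr-ca

# 3. Create the HTTPS server certificate. key-usage=tls-server is what fixes
#    the Chrome rejection (see the credits). subject-alt-name must match what
#    you type in the browser; modern browsers ignore common-name on its own.
/certificate add name=my-rtr common-name=router.lan key-size=2048 days-valid=730 key-usage=tls-server subject-alt-name=DNS:router.lan,IP:192.168.88.1

# 4. Sign it with the CA from steps 1 and 2.
/certificate sign my-rtr ca=my-rtr-ca name=my-rtr

# OPTIONAL: mark the server certificate as trusted on the router itself.
/certificate set my-rtr trusted=yes

# 5. Bind the signed certificate to the HTTPS service (by service name, as a
#    comment below notes) and make sure the service is enabled.
/ip service set www-ssl certificate=my-rtr disabled=no

# Check: the CA should list flags K (private key) and A (authority); the
# server certificate should list K and I (issued), not sit as a bare template.
/certificate print detail where name=my-rtr-ca
/certificate print detail where name=my-rtr

# Export the CA (public part) so it can be imported into the client's root
# store; the file appears under /file and can be fetched via FTP or WinBox.
/certificate export-certificate my-rtr-ca

# Once HTTPS is verified working, stop serving the management UI over plain HTTP.
/ip service disable www
```

Import only the exported CA certificate into the client trust store, never the server certificate; the CA's private key never leaves the router.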

The unfortunate thing is: once set up, you can log in, but the web interface STILL does not work in Chrome. I have seen a similar issue with HP switches, where Firefox just works too.

Credits:

Thanks go to Garðar Arnarsson for pointing out the missing “key-usage=tls-server” in step #3, which fixes the Chrome TLS issue. Thanks also for reaching out to me and pointing out that the Captcha was not working!


5 Responses to “MikroTik – how to generate SSL certificate and enable HTTPS”

  1. mtiker says:

    Hi,
    how do I force SSL usage for WebFig?

  2. bostjan says:

    I do not think you can ATM.

    Usually I just disable HTTP service once I can reach it via HTTPS and SSH.

    b.

    PS: I am by no means quotable on this one; the MikroTik forum would be the right place to ask about this and get a more definitive answer. Also, some forwarding magic could be done, where redirection is performed by an external server, but I do not think this is the solution you are looking for.

  3. Viktor says:

    Thanks! This helped me set up https webfig. A few additional notes.

    After you have created and signed the CA cert, export it and add it to your system's root store. Then it will work correctly in both IE on Windows and Chrome on Windows/Linux/OSX.

    Firefox has its own root store. So you will have to add it to that as well.

    To export the root ca certificate run: /certificate export-certificate my-rtr-ca
    Then you can download it from the router via ftp or winbox.

    You might want to set a bit longer expiration date on the ca cert since all certs generated by it will also expire when that one does.

  4. Gideon says:

    Thank you, helpful post.

    Readers need to be aware that these instructions work very well for recent versions of RouterOS, but the syntax differs on some old versions.

  5. mplx says:

    Thanks for your post.

    You can skip step 5 – instead of the number you can use the service name.

    /ip service set www-ssl certificate=my-rtr
