own CA certificates not importing in RouterOS 7
Hello, I have been still using RouterOS 6 on important routers. I am using my own root CA (imported on all computers and devices in organization) and some intermediary CAs without any issues in RouterOS 6. Now I tried to import my CA to RouterOS 7.8 (and some older RouterOS 7.7, 7.6, 7.5), but it is not importing - not saying anything, neither in log with debug enabled. Could somebody check, what's wrong? Here is one of my CAs in the attachment - this one is used just for my students.
You do not have the required permissions to view the files attached to this post.
CA certificates with critical nameConstraints not importing in RouterOS 7
Well, I have isolated the problem - RouterOS 7 is not accepting CA certificates with nameConstraints property, if this property is marked as critical.
See the attachments - critical file cannot be imported. Why? Is it a bug?
You can play with generation in a Linux machine:
See the attachments - critical file cannot be imported. Why? Is it a bug?
You can play with generation in a Linux machine:
Code: Select all
openssl req -newkey rsa:2048 -keyout CA.key -utf8 -subj "/CN=test CA" -out CA.csr
# set password
echo -e "subjectKeyIdentifier=hash\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign\nnameConstraints=critical,permitted;DNS:my.test" > CA.ext
openssl x509 -req -days 1461 -in CA.csr -extfile CA.ext -signkey CA.key -out CA.crt
# put password
rm CA.csr CA.extYou do not have the required permissions to view the files attached to this post.
Re: own CA certificates not importing in RouterOS 7
This bug is fixed now in RouterOS 7.11 (https://mikrotik.com/download/changelog ... 5f6795bbd4).
Re: own CA certificates not importing in RouterOS 7
Thanks man, you saved my day!
Regards, DNAT
Regards, DNAT
Who is online
Users browsing this forum: Ahrefs [Bot], Bing [Bot], GoogleOther [Bot] and 26 guests