Well, I have isolated the problem - RouterOS 7 is not accepting CA certificates with
nameConstraints property,
if this property is marked as critical.
See the attachments - critical file cannot be imported. Why? Is it a bug?
You can play with generation in a Linux machine:
openssl req -newkey rsa:2048 -keyout CA.key -utf8 -subj "/CN=test CA" -out CA.csr
# set password
echo -e "subjectKeyIdentifier=hash\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,digitalSignature,keyCertSign\nnameConstraints=critical,permitted;DNS:my.test" > CA.ext
openssl x509 -req -days 1461 -in CA.csr -extfile CA.ext -signkey CA.key -out CA.crt
# put password
rm CA.csr CA.ext
You do not have the required permissions to view the files attached to this post.