Hello,
starting with RouterOS 7.7 i am not able to import a certificate key. The certificate is created with EasyRSA that we use a long time ago. I can import the certicate successfuly but not the key. With ROS 7.6 it works without any problems.
I got no error, it does nothing.
There are changes to certificate import in the changelog. Could it be a bug? How can i find out, where the problem is?
Tell me if you need some more details.
Thans a lot!
Best regards
Frank
-
-
kalderista
just joined
- Posts: 1
- Joined:
Re: Certificate Key Import not possible on v7.7
Hi,
I have same issue too.
Regards
I have same issue too.
Regards
Re: Certificate Key Import not possible on v7.7
What kind of algorithms do you use? Starting from the RouterOS v7.7 some of the very old mechanisms as, for example, pkcs#7 encryption method "pbeWithSHA1And40BitRC2", are not supported, since nowadays they can not be considered as "secure".
Re: Certificate Key Import not possible on v7.7
Hi,
thanks for your reply. We are using "sha256RSA"
Best regards
Frank
thanks for your reply. We are using "sha256RSA"
Best regards
Frank
Re: Certificate Key Import not possible on v7.7
Works for me... So this is not a general problem with RouterOS 7.7. Can you give more detail on your certificate?
Re: Certificate Key Import not possible on v7.7
I can, but tell me what you need. If it's not clear, we have no issues with the certificate, only with the Key.Works for me... So this is not a general problem with RouterOS 7.7. Can you give more detail on your certificate?
Re: Certificate Key Import not possible on v7.7
We were seeing the same problems with certificates generated by EasyRSA. Up to v7.6 no issues, starting the v7.7 they refuse to import. The output is:
EasyRSA uses OpenSSL to generate the p12 files with the default PKCS#12 algorithms. This gives:
As stated above pbeWithSHA1And40BitRC2-CBC is no longer supported in v7.7. The solution is to change the ciphers in the OpenSSL pkcs12 export:
For EasyRSA you can set this in the appropriate line of the easyrsa script:
Code: Select all
> /certificate import file-name="test.p12" name="test" passphrase=1234
certificates-imported: 0
private-keys-imported: 0
files-imported: 0
decryption-failures: 1
keys-with-no-certificate: 0Code: Select all
# openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 56 48 D7 2B F7 AA D7 4A 4A DB 80 16 90 D1 38 F9 C7 5C A3 44
friendlyName: my test
subject=/CN=test
issuer=/CN=test CA
Code: Select all
$ openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES ....
$ openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 56 48 D7 2B F7 AA D7 4A 4A DB 80 16 90 D1 38 F9 C7 5C A3 44
friendlyName: my test
subject=/CN=test
issuer=/CN=test CA
Code: Select all
pkcs_opts="-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES"
Re: Certificate Key Import not possible on v7.7
We do not have PKCS12, we use x509 Certificate with RSA key.
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Re: Certificate Key Import not possible on v7.7
For me it's working again with routeros-7.8beta3.
Thanks!
Thanks!
Re: Certificate Key Import not possible on v7.7
That's good news. Looks like I found a case where it is failing for me as well... Any chance we will see this in something like version 7.7.2?
-
-
depth0cert
just joined
- Posts: 21
- Joined:
Re: Certificate Key Import not possible on v7.7
What kind of algorithms do you use? Starting from the RouterOS v7.7 some of the very old mechanisms as, for example, pkcs#7 encryption method "pbeWithSHA1And40BitRC2", are not supported, since nowadays they can not be considered as "secure".
SUP-106766 private-keys-imported: 0
NETINSTALLED 7.8beta3
Code: Select all
[admin@MikroTik] > /certificate add common-name=r1-ca days-valid=3652 key-size=prime256v1 key-usage=key-cert-sign,crl-sign name=r1-ca subject-alt-name=email:r1-ca
[admin@MikroTik] > :do {/certificate sign [find name=r1-ca] name=r1-ca} on-error={:delay 3}
progress: done
[admin@MikroTik] > /certificate export-certificate r1-ca file-name=r1-ca export-passphrase=passphrase type=pem
[admin@MikroTik] > /certificate remove r1-ca
[admin@MikroTik] > /certificate import file-name=r1-ca.crt name=r1-ca passphrase=passphrase
certificates-imported: 1
private-keys-imported: 0
files-imported: 0
decryption-failures: 0
keys-with-no-certificate: 0
Code: Select all
[admin@MikroTik] > /certificate import file-name=r1-ca.key name=r1-ca passphrase=passphrase
certificates-imported: 0
private-keys-imported: 0
files-imported: 0
decryption-failures: 0
keys-with-no-certificate: 0
Re: Certificate Key Import not possible on v7.7
I had an issue importing certificates, I checked my certificate and It had some blanck rows at the end. After deleting those rows I could import the certificate
Re: Certificate Key Import not possible on v7.7
This worked for me as well!I had an issue importing certificates, I checked my certificate and It had some blanck rows at the end. After deleting those rows I could import the certificate
Re: Certificate Key Import not possible on v7.7
I was also having problems importing certificates+key in PKCS#12 format, using a file generated by OpenSSL from PEM files with key and certificate (Lets Encrypt - using a script that is a few years old).
I can confirm that the by default OpenSSL will use pbeWithSHA1And40BitRC2 unless RC2 is disabled or -descert option is used. By using -descert the resulting PKCS#12 file uses pbeWithSHA1And3-KeyTripleDES that is (still) accepted by ROS 7.7.
Knowing that pbeWithSHA1And40BitRC2 is no longer accepted was key. A small fix in my script and voila!
I can confirm that the by default OpenSSL will use pbeWithSHA1And40BitRC2 unless RC2 is disabled or -descert option is used. By using -descert the resulting PKCS#12 file uses pbeWithSHA1And3-KeyTripleDES that is (still) accepted by ROS 7.7.
Knowing that pbeWithSHA1And40BitRC2 is no longer accepted was key. A small fix in my script and voila!
Re: Certificate Key Import not possible on v7.7
I'm having the same problem. just implemented two new Mikrotiks freshly done with netinstall to v7.8.
I'm using the Posh-ACME service (targeting ZeroSSL) to generate the certificates on another machine and those are being put onto the units to be imported. I have updated to the latest version and have added the "-UseModernPfxEncryption" to the certificate generation process, but I am still running into the issue.
When I import the certificate files (pfx full chain + key file) it gives me this output:
Where am I going wrong?
PS: key file imports, its the pfx that is now not importing (did on previous versions).
I'm using the Posh-ACME service (targeting ZeroSSL) to generate the certificates on another machine and those are being put onto the units to be imported. I have updated to the latest version and have added the "-UseModernPfxEncryption" to the certificate generation process, but I am still running into the issue.
When I import the certificate files (pfx full chain + key file) it gives me this output:
Code: Select all
certificates-imported: 0
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 1PS: key file imports, its the pfx that is now not importing (did on previous versions).
Re: Certificate Key Import not possible on v7.7
Lets Encrypt client 0.38 le64.exeI had an issue importing certificates, I checked my certificate and It had some blanck rows at the end. After deleting those rows I could import the certificate
The created crt does indeed have 2 blank lines at the very end
That was not a problem ever up to 6.48.7
Now upgraded to RB4011 which came with factory 7.8 and these 2 lines cause issue of not importing crt (but also not failing explicitly)
Once removed, the import works again. IMO that is a bug
sebus
Re: Certificate Key Import not possible on v7.7
I cloud not import the root ca cert of let's encrypt (ISRG Root X1). In my case I had to covert the file to unix line endings, the downloaded one had windows.
This can be done in any good editor, in my case vim
to save and quit in vim
Code: Select all
model: RB960PGS
revision: r2
firmware-type: qca9550L
factory-firmware: 6.44.6
current-firmware: 7.10.1
upgrade-firmware: 7.10.1
This can be done in any good editor, in my case vim
Code: Select all
:set fileformat=unixto save and quit in vim
Code: Select all
:xRe: Certificate Key Import not possible on v7.7
Same problem here. Will try to update to v7.11 where some certificate bugs are fixed (as mentioned in changelog).I had an issue importing certificates, I checked my certificate and It had some blanck rows at the end. After deleting those rows I could import the certificate
Re: Certificate Key Import not possible on v7.7
Error that RouterOS v. 7.13.1 does not import certificate with CRLF line endings (in editor visible as ^M$) seems to be persist. My *.pem file was downloaded with Firefox browser on linux system.
I've converted line endings with vim and all is ok.
I've converted line endings with vim and all is ok.
Re: Certificate Key Import not possible on v7.7
I switched to a full chain cer+key instead of my original full chain pfx+key, this solved my issues on all versions I have tried it on (old and new).PS: key file imports, its the pfx that is now not importing (did on previous versions).
I have not tested yet on v13.5 (or newer), but I'm confident my problem is no more.
Re: Certificate Key Import not possible on v7.7
On 7.14.3, I could not import a default openssl-generated RSA private key. I first had to import the certificate. My 2 cents.
Who is online
Users browsing this forum: No registered users and 39 guests