Community discussions

MikroTik App
  4. RouterOS
  5. General

Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Post Reply
 
ipavlik
just joined
Topic Author
Posts: 19
Joined: Thu Dec 22, 2016 3:47 pm

Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Thu Nov 14, 2024 2:19 pm

Hello,

I'm facing a problem with certificate signing on RouterOS 7.16.
I have CLIENT-tpl template certificate with defined days valid attribute (e.g. 365days)
I have valid CA certificate, not expired.

I created and signed certificate with commands:
Code: Select all
/certificate add name=vpnuser01 copy-from="CLIENT-tpl" common-name="vpnuser01"
/certificate sign vpnuser01 ca="CA" name="vpnuser01"
After signing process was done, certificate was expired with attribute values:
  • Invalid Before: Jan/01/1970 02:00:00
  • Invalid After: Jan/01/1970 02:00:00
My clock is synchronized with NTP server and time is correct.
Recently, I was generating my certificates exactly same way with no issues.
Am I facing a bug?

Thanks
Top
 
carrotik
just joined
Posts: 8
Joined: Mon Nov 11, 2024 12:12 am

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Sat Nov 16, 2024 3:15 pm

You should describe what you're trying to do. From what I understand, you're trying to sign a client certificate from the Routers CA.

From the little I played with the Mikrotik so far, this should be working fine.
I followed the docs:
https://help.mikrotik.com/docs/spaces/R ... rtificates
and more or less copy&pasted:
Code: Select all
/certificate
add name=CA-Template common-name=CAtemp key-usage=key-cert-sign,crl-sign
add name=Server common-name=server
add name=Client common-name=client
sign Server name=ServerCA (yes that makes no sense here in practice, testing :) )
sign Client ca=ServerCA name=testtest

print 
Flags: K - PRIVATE-KEY; A - AUTHORITY; T - TRUSTED
Columns: NAME, COMMON-NAME, SKID
#     NAME         COMMON-NAME  SKID                                    
0 KAT test         test         8edeb8371f2d99b45bc78499776159852bd1c81a
1 KA  test2        test2        23220e94100e7740f7f1283965030f58fa14be0b
2     CA-Template  CAtemp                                               
3 KAT ServerCA     server       66505d111a6b5e96bdf928ca3b52884b438812de
4 KA  testtest     client       ce977beb05b8b2782a970e1a8004462b68ee6bfa
my certificate came out to be

Code: Select all
 4 K  A    name="testtest" digest-algorithm=sha256 key-type=rsa common-name="client" key-size=2048 subject-alt-name="" days-valid=365 trusted=no key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca=ServerCA 

           serial-number="1A6A093FBDF8D2F9" fingerprint="d5c8cb725e03a281cef352f9a6c8275979b3f6a8463be2efc5079a24b494979e" akid=66505d111a6b5e96bdf928ca3b52884b438812de skid=ce977beb05b8b2782a970e1a8004462b68ee6bfa invalid-before=2024-11-16 14:04:49 

           invalid-after=2025-11-16 14:04:49 expires-after=52w23h53m29s
May help to run a
Code: Select all
certificate print detail
carrotik
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11227
Joined: Mon Dec 04, 2017 9:19 pm

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Sat Nov 16, 2024 3:39 pm

It indeed looks like a bug to me. I am also signing the client certificates using a CA on Mikrotik, but using the "correct" way where the private key is generated on the client itself along with a certificate signing request, the request alone is then transferred to the CA Mikrotik and signed there using certificate sign-certificate-request, and the signed certificate gets imported back on the client first and the locally generated key next, and I haven't experienced such a behaviour yesterday when signing a certificate request using 7.16.1. So if you can, try this way. If your client does not allow to generate certificate signing requests (many don't), you can still use certificate create-certificate-request on the CA Mikrotik itself instead. So the private key will be generated there, and much like when you directly sign the template, you'll be able to import the key and the signed certificate to the client (or maybe you'll have to import the key locally and then export certificate+key in pkcs12 format if that's the only format the client can import).

In any case, it would be nice if you could create a supout.rif file right after the certificate with wrong dates gets generated, and open a support ticket with Mikrotik. Without that, the bug can never be fixed.
Top
 
downlots
just joined
Posts: 24
Joined: Tue Mar 09, 2010 9:48 pm

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Thu Nov 21, 2024 9:38 am

I can also confirm this bug. I am using version 7.16.1, and I have this behavior.

The same procedure applies to another router that runs 7.15.3 and works properly, so the issue is imported in 7.16.1.

This is why I am not running the same version in all infrastructure! :?
Top
 
jakoobcz
just joined
Posts: 2
Joined: Sun Dec 01, 2024 8:54 pm

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Sun Dec 01, 2024 8:59 pm

Same story here, upgraded my Mikrotik to 7.16.2 and a freshly generated certificate is invalid.
/certificate print detail shows:
invalid-before=1970-01-01 02:00:00
invalid-after=1970-01-01 02:00:00

Currently, I can't create a VPN connection for our new colleague. I would appreciate any help or workaround. Thanks :)
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11227
Joined: Mon Dec 04, 2017 9:19 pm

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Sun Dec 01, 2024 10:12 pm

I would appreciate any help or workaround.
Have you tried the procedure I have suggested in my previous post?
Top
 
jakoobcz
just joined
Posts: 2
Joined: Sun Dec 01, 2024 8:54 pm

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Wed Dec 04, 2024 11:40 pm

Truth be told, I'm not skilled in certificates. I'm following a setup for an OpenVPN, which creates the certificate (key) directly on the Mikrotik. However, if this doesn't get fixed soon I might need to learn a new way (workaround).

EDIT: Reported using Mikrotik service desk (SUP-173239) with a link to this thread.
Top
 
matiss
MikroTik Support
MikroTik Support
Posts: 36
Joined: Fri Dec 30, 2016 10:13 am

Re: Certificate is expired after signing, "Invalid Before" and "Invalid After" attribute values are Jan, 1st 1970

Wed Dec 11, 2024 4:13 pm

Hello,

The issue is fixed in RouterOS 7.17rc versions
Top
Post Reply

Who is online

Users browsing this forum: CloudRouting, sindy and 77 guests
  4. RouterOS
  5. General