[SOLVED] Hotspot with SSL: Private Key and Certificate fail

mipland · Sun Nov 12, 2006 7:53 pm

After reading a LOT of topic, wiki and Google, I haven't found a suitable way to generate ssl keys for RouterOS (2.9.34). Better: I found the way, but RouterOS doesn't want it!
Winbox wouldn't to import my key/certificate. I try to follow the howto for certificate import, but no success...when I try to give a "decrypt" command, he ask me the passphrase, but no keys decrypted follows...I'm (quite) desperate!
This is what I do:
- generating the private key and certificate in this way:

SERVER=hotspot.mynetwork.net
PRIVATE_KEY=$SERVER.key
CERTIFICATE_FILE=$SERVER
VALID_DAYS=1095
openssl genrsa -des3 -out $PRIVATE_KEY 1024
openssl req -new -x509 -days $VALID_DAYS -key $PRIVATE_KEY -out $CERTIFICATE_FILE

- two file are generated: hotspot.mynetwork.net (certificate) and hotspot.mynetwork.net.key (private key)
- upload the two file via FTP to an RB153 with RouterOS 2.9.34
- login via telnet to the RB153:

[admin@IZ3HAD] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
[admin@IZ3HAD] certificate> import
passphrase: *********
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 1

[admin@IZ3HAD] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0    name="cert1" subject=C=IT,ST=xxxxxx,O=xxxxxx 
      issuer=C=IT,ST=xxxxxx,O=xxxxxx serial-number="xxxxxx" 
      invalid-before=nov/12/2006 17:32:27 invalid-after=nov/11/2009 17:32:27 ca=yes 
[admin@IZ3HAD] certificate> decrypt 
passphrase: *********
  keys-decrypted: 0

[admin@IZ3HAD] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0    name="cert1" subject=C=IT,ST=xxxxxx,O=xxxxxx 
      issuer=C=IT,ST=xxxxxx,O=xxxxxx serial-number="xxxxxx" 
      invalid-before=nov/12/2006 17:32:27 invalid-after=nov/11/2009 17:32:27 ca=yes

Someone has never set-up a hotspot with SSL autentication?
Thanks in advance

73 de IZ3HAD

mipland · Mon Nov 13, 2006 2:02 pm

No one?

Mon Nov 13, 2006 2:55 pm

try running the import command once more

mipland · Mon Nov 13, 2006 3:45 pm

Thanks Normis! I followed the official HowTo http://www.mikrotik.com/docs/ros/2.9/root/certificate, but it is incorrectly (in my opinion).

Edit:
follow my personal HowTo.

Mon Nov 13, 2006 4:37 pm

but did it work then? did you get your hotspot to run with SSL?

mipland · Mon Nov 13, 2006 6:24 pm

cmit · Mon Nov 13, 2006 6:32 pm

Could someone please correct the misleading thread topic?
We're talking about SSL (!) certificates here, not SSH...

Best regards,
Christian Meis

mipland · Mon Nov 13, 2006 6:34 pm

Excuse me for the mistakes...I've just changed the title of the topic.

mipland · Mon Nov 13, 2006 7:59 pm

RB 112-153 Secure Hotspot HowTo with HTTPS (optionally HTTPS + RADIUS)

This HowTo is intended for use on MikroTik RouterBoard 112/153, with RouterOS 2.9.34.

Open your winbox utility, and connect to the board through MDP (or do a "/system reset" on a board already in use):
Click on "New Terminal".

Now we are going to control our interfaces, and to enable/disable whoes of our interest (I have a RB 153):

[admin@MikroTik] > /interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
2 R ether3 ether 0 0 1500
3 R ether4 ether 0 0 1500
4 R ether5 ether 0 0 1500
5 X wlan1 wlan 0 0 1500
[admin@MikroTik] > interface
[admin@MikroTik] interface> set 1,2,3,4 disabled=yes
[admin@MikroTik] interface> set 5 disabled=no
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 X ether2 ether 0 0 1500
2 X ether3 ether 0 0 1500
3 X ether4 ether 0 0 1500
4 X ether5 ether 0 0 1500
5 wlan1 wlan 0 0 1500

Set a name for the Interfaces (without space on thw wireless interfaces, otherwise the hotspot setup will fail, I think that's a bug).

[admin@MikroTik] interface> set 0 name=internet
[admin@MikroTik] interface> set 5 name=hotspot
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R internet ether 0 0 1500
1 X ether2 ether 0 0 1500
2 X ether3 ether 0 0 1500
3 X ether4 ether 0 0 1500
4 X ether5 ether 0 0 1500
5 hotspot wlan 0 0 1500

Now, we are going to setting-up the wireless interface

[admin@MikroTik] interface> wireless set hotspot ssid=IZ3HAD band=5ghz frequency=5280 mode=ap-bridge periodic-calibration=enabled

Set an IP address for the "internet" interface, it's default gateway and it's dns. The option allow-remote-requests is to speed up the dns by caching the local request to the MikroTik box.

[admin@MikroTik] interface> /ip
[admin@MikroTik] ip> address add address=192.168.10.99/24 interface=internet
[admin@MikroTik] ip> route add gateway=192.168.10.1
[admin@MikroTik] ip> dns
[admin@MikroTik] ip dns> set primary-dns=192.168.10.1
[admin@MikroTik] ip dns> set allow-remote-requests=yes
[admin@MikroTik] ip dns> ..
[admin@MikroTik] ip> ..

Now, create a certificate on a Linux Machine. A script could be the follow:

#!/bin/sh
SERVER=hotspot.mynetwork.net
PRIVATE_KEY=$SERVER.key
CERTIFICATE_FILE=$SERVER
VALID_DAYS=1095

openssl genrsa -des3 -out $PRIVATE_KEY 1024

openssl req -new -x509 -days $VALID_DAYS -key $PRIVATE_KEY -out $CERTIFICATE_FILE # Autocertified

Then, give it the execution properties and execute it:

chmod +x myscript
./myscript

Give your password three times.
Give all the information required (CA, email, ecc.).

Two file are produced:
--- hotspot.mynetwork.net is the certificate
--- hotspot.mynetwork.net.key is the private key

Put this (via FTP) file on the root of MT Board.
Return to the MT Board CLI and give the following commands to import the certificate and the private keys:

[admin@MikroTik] > certificate
[admin@MikroTik] certificate> import
passphrase: ****************
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 1

[admin@MikroTik] certificate> import
passphrase: ****************
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
decryption-failures: 0
keys-with-no-certificate: 0

[admin@MikroTik] certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
0 KR name="cert1" subject=C=IT,ST=xxxx,L=xxxx,O=xxxx,OU=xxxx,CN=IZ3HAD,emailAddress=xxxx issuer=C=IT,ST=xxxx,L=xxxx,O=xxxx,OU=xxxx,CN=IZ3HAD,
emailAddress=xxxx
serial-number="xxxx" email=xxxx
invalid-before=nov/13/2006 13:13:27 invalid-after=nov/12/2009 13:13:27
ca=yes

It's time to set-up your hotspot.

[admin@MikroTik] certificate> /ip hotspot
[admin@MikroTik] ip hotspot> setup
hotspot interface: hotspot
local address of network: 192.168.100.1/24
masquerade network: yes
address pool of network: 192.168.100.100-192.168.100.254
select certificate: IZ3HAD
ip address of smtp server: 0.0.0.0
dns servers: 192.168.10.2
dns name: hotspot.mynetwork.net
name of local hotspot user: admin
password for the user: *******
[admin@MikroTik] ip hotspot>

To force the authentication mode to "only HTTPS", type this:

[admin@MikroTik] ip hotspot> profile
[admin@MikroTik] ip hotspot profile> set hsprof1 login-by=https

If you have a freeradius server, add in /etc/raddb/clients.conf a new entry like this:

client 192.168.10.99/24 {
       secret          = iz3had
       shortname       = hotspot
}

And, on the RB CLI:

[admin@MikroTik] > /radius
[admin@MikroTik] radius> add address 192.168.10.2 service=hotspot secret=iz3had authentication-port=1812 accounting-port=1813
[admin@MikroTik] radius> /ip hotspot profile
[admin@MikroTik] ip hotspot profile> set hsprof1 use-radius=yes

Now you have a secured hotspot! Connect your client to the MT, and type any address on Firefox: you will get a certification approval request, it's yours!
Hints
If you disable Connection Tracking, the HotSpot will not be able to redirect your connection.

P.S.
I found a perfectly working guide on a previous topic to made this config, but there was nothing on the SSL side, and no or erroneus info found for a "secure" hotspot authenticating on the rest of the forum, so I decided to made a new howto.
Thanks to Normis for it's hint.

73 de IZ3HAD

Mon Nov 13, 2006 8:17 pm

If you are example are 100% working, you can publish it in MikroTik wiki,
http://wiki.mikrotik.com

mipland · Mon Nov 13, 2006 8:27 pm

Sure, it's 100% working. I resetted my board and try to follow my howto as posted to made a hotspot. I powered on my laptop and it gives an IP from the hotspot DHCP's. Then, after started FFirefox, it request me to accept the certificate and show up the login page. The login, redirect, logout work perfectly.
I'm trying to register myself on wiki, but it appears to have some problem...I'll try later and I'll insert my howto.

73 de IZ3HAD

kvan64 · Sun Nov 04, 2007 12:37 am

Can you create an unsigned certificate using a Linux liveCD? if yes, which liveCD do you recommend. Ta

lagosta · Tue Aug 19, 2008 12:57 pm

I tried this tutorial and it works really good, thanks very much, everything is very well explained and you should definitely publish it in MikroTik wiki.

I don't know if the live cds are able to do this, if they have OpenSSl installed, i'm pretty sure it is possible.Then you just need an ftp client (I used Filezilla) and ssh or telnet to do the rest.
Try to do everything on linux, because if you import your self signed certificate to windows it is possible that the properties of the file change and the certificate wont work. But you can try

lagosta · Wed Aug 20, 2008 11:29 am

Well I think there is no use on having linux after all, all you need is a version of OpenSSl for windows, for example this one:
http://www.slproweb.com/download/Win32O ... 0_9_8g.exe

After install go to the /bin directory and run the executale file, you can then create your own certificate and private key with this two simple commands:

genrsa -des3 -out private.key 1024

req -new -x509 -days 365 -key private.key -out certificate.pem

Then follow the rest of the tutorial

tristan.bolton · Sat Feb 28, 2009 7:39 am

is there a way to have Secure Hotspot without it having to except the SSL certificate? Mine is signed by a CA and it says unknown Issuer?

Any Ideas??

mikrotikgrrl · Mon Apr 13, 2009 10:00 pm

Thank you for this straight forward tutorial! Worked like a charm

Darci

macns · Fri Sep 19, 2014 10:07 am

if you're having timeouts when trying to import a certificate on RouterOS v6.5 (could be other versions too)
try upgrading to the latest version

System / Packages / Check for updates

Installing an SSL certificate on your hotspot setup, will not get rid of the browser warnings on clients.
Latest versions of chrome AFAIK, display a large red lock with no other -- immediately visible -- options

Due to this I'm thinking of allowing all 443 traffic ..

This is a problem that seems un-solvable because of the way encrypted traffic works.

suggestions/thoughts anyone?

loveman · Sat May 30, 2020 1:44 pm

I dont have linux to doing the certificate, Can anyone advice me how to doing in windows?
Because i need to connection secure for my hotspot login webpage https certificate !!

Sob · Sat May 30, 2020 4:23 pm

You again?

You don't need Linux for this, only OpenSSL and it exists for Windows too (use your favourite search engine and you'll find it).

More importantly, it will NOT help you. It's self-signed certificate, nobody will trust it.

What in Issue when add the certificate for hotspot "https" wasn't clear last year?

[SOLVED] Hotspot with SSL: Private Key and Certificate fail

[SOLVED] Hotspot with SSL: Private Key and Certificate fail

Re: [SOLVED] Hotspot with SSL: Private Key and Certificate fail

Re: [SOLVED] Hotspot with SSL: Private Key and Certificate fail

Re: [SOLVED] Hotspot with SSL: Private Key and Certificate fail

Re: [SOLVED] Hotspot with SSL: Private Key and Certificate fail

Re: [SOLVED] Hotspot with SSL: Private Key and Certificate fail

Re: [SOLVED] Hotspot with SSL: Private Key and Certificate f

Re: [SOLVED] Hotspot with SSL: Private Key and Certificate fail

Re: [SOLVED] Hotspot with SSL: Private Key and Certificate fail

Who is online