anv
newbie
Topic Author
Posts: 31
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

[SOLVED] Can't import client private key for OVPN

Mon Jul 04, 2011 5:30 pm

I followed the instructions on http://wiki.mikrotik.com/wiki/OpenVPN#C ... h_Easy-RSA.

I created the CA and the certificates
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server myserver
./pkitool --pass client1
I uploaded the files to the router:
ca.crt
client1.crt
client1.key

I imported the CA cert:
[admin@MikroTik] /certificate> import file=ca.crt
passphrase: 
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
Then I import the user cert:
[admin@MikroTik] /certificate> import file=client1.crt
passphrase: *******
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
But when I try to import the user key, it does not work:
[admin@MikroTik] /certificate> import file=client2.key
passphrase: *******
     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0
I had RouterOS 4.x but I installed 5.5 in case it was a bug in the older version. I googled about this and only found some people having the same problem, but no solution.
Last edited by anv on Fri Jul 08, 2011 6:12 pm, edited 2 times in total.
 
bumsyy
just joined
Posts: 2
Joined: Thu Jul 07, 2011 9:51 pm

Re: Can't import client private key for OVPN

Thu Jul 07, 2011 9:52 pm

In the same boat. Unable to import any keys.
 
bumsyy
just joined
Posts: 2
Joined: Thu Jul 07, 2011 9:51 pm

Re: Can't import client private key for OVPN

Thu Jul 07, 2011 9:52 pm

Same Problem :(
driving me crazy
 
anv
newbie
Topic Author
Posts: 31
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

Re: Can't import client private key for OVPN [SOLVED]

Fri Jul 08, 2011 11:15 am

> Same Problem :(
> driving me crazy

> In the same boat. Unable to import any keys.

Just solved the problem: the documentation is wrong. You must not upload the private key in .key format, you must upload a .pem format.

Just do this:
openssl rsa -in client1.key -out client1.pem
and upload and import the .pem file.

I updated the wiki documentation.
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: [SOLVED] Can't import client private key for OVPN

Tue Aug 02, 2011 3:14 pm

Hi,

I have tried to import the certificates and the key file into MikroTik 5.0 and 5.5, and the key file was not imported (both methods: import client.crt, client.key, ca.crt or import client.crt, client.pem, ca.crt). I cannot get the OVPN client configuration settings to apply because it says certificate not found.

I am using an RB750 with MikroTik 5.0/5.5 as the OVPN client; the server is Linux.
The date and time are synced by NTP.

[admin@MikroTik] > /certificate

[admin@MikroTik] /certificate> import file= MexGrande.crt
passphrase: 
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[admin@MikroTik] /certificate> import file= MexGrande.pem
passphrase: 
     certificates-imported: 0
     private-keys-imported: 0
            files-imported: 0
       decryption-failures: 0
  keys-with-no-certificate: 0

[admin@MikroTik] /certificate> import file= ca.crt          
passphrase: 
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

[admin@MikroTik] /certificate> 
Update: I have figured out that the keys were generated in Ubuntu and worked; now the keys are generated in Fedora Core 15 and don't work in MikroTik, but on other Linux servers they are all OK.
Bug?!
Any help?

Thanks
 
anv
newbie
Topic Author
Posts: 31
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

Re: [SOLVED] Can't import client private key for OVPN

Wed Aug 03, 2011 12:56 am

> [admin@MikroTik] > /certificate
> [admin@MikroTik] /certificate> import file= MexGrande.pem
> passphrase: 
>      certificates-imported: 0
>      private-keys-imported: 0
>             files-imported: 0
>        decryption-failures: 0
>   keys-with-no-certificate: 0

0 keys imported... this means the file has no info about keys that can be imported from this file... How did you create the .pem file?

> Update: I have figured out that the keys were generated in Ubuntu and worked; now the keys are generated in Fedora Core 15 and don't work in MikroTik, but on other Linux servers they are all OK.
> Bug?!

How did you create the .pem file? I use Mandriva, which is Red Hat based like Fedora, and generated the keys with the easyrsa scripts. Then I converted the .key to .pem format with a command like this:
openssl rsa -in MexGrande.key -out MexGrande.pem
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: [SOLVED] Can't import client private key for OVPN

Wed Aug 03, 2011 4:13 pm

I will try to convert to .pem, but the certificates that are generated in Ubuntu/Debian do not need to be converted; I can import them from .crt and .key without any problem.


Thanks
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: [SOLVED] Can't import client private key for OVPN

Wed Aug 03, 2011 4:22 pm

> How did you create the .pem file? I use Mandriva, which is Red Hat based like Fedora, and generated the keys with the easyrsa scripts. Then I converted the .key to .pem format with a command like this:
> openssl rsa -in MexGrande.key -out MexGrande.pem

[admin@MikroTik] /certificate> import
passphrase: 
     certificates-imported: 2
     private-keys-imported: 0
            files-imported: 2
       decryption-failures: 0
  keys-with-no-certificate: 1

[admin@MikroTik] /certificate> 
Now I have converted the certificates from .key to .pem, but I get that message saying that the key has no certificate.
 
manchoz
just joined
Posts: 2
Joined: Wed Jan 13, 2010 12:26 pm

Re: [SOLVED] Can't import client private key for OVPN

Thu Aug 04, 2011 11:43 am

Hello,
we also had the same problem and, trying to tame it, we made some tests. We found that keys generated with openssl 1.0.0 do not get imported properly. Everything works if keys and certificates get generated with openssl 0.9.8.

AFAIK, something has been changed in the key file format between 0.9.8 and 1.0.0. OpenSSL 1.0.0 is becoming mainstream on every major distribution (even in Mac OS X with macports) so, soon, the importing issue will become a big problem: could you please check that the new format would also be imported?

Thanks in advance!

Giampaolo
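
An added example, not part of any post in this thread: a shell helper that reports which PEM container a key file uses and whether the key belongs to a given certificate, two things the import counters above do not tell you. It assumes RouterOS 5.x expects an unencrypted traditional `BEGIN RSA PRIVATE KEY` file, which the thread suggests but does not confirm; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Fact used: OpenSSL 1.0.0 made PKCS#8 ("BEGIN PRIVATE KEY") the default
# write format for private keys; "openssl req" in 0.9.8 wrote
# "BEGIN RSA PRIVATE KEY" for RSA keys.

# Print the private-key container of PEM file $1, judged by its header lines.
pem_key_format() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional keys flag passphrase encryption with a Proc-Type header.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo traditional-encrypted
        else
            echo traditional
        fi
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate-only
    else
        echo unknown
    fi
}

# Return 0 when key $1 and certificate $2 carry the same public key,
# 1 when they differ, 2 when openssl cannot read one of them.
# An encrypted key makes openssl prompt for its passphrase.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Constructed sample: the header shape OpenSSL 0.9.8 writes for a
# passphrase-protected RSA key; the body is not real key material.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$tmp"
    pem_key_format "$tmp"
    rm -f "$tmp"
}
```

With OpenSSL 3.x, `openssl rsa` writes PKCS#8 unless `-traditional` is given, so check the converted file's header before uploading it. The file written by `openssl rsa -in ... -out ...` is no longer passphrase-protected.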
 
anv
newbie
Topic Author
Posts: 31
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

Re: [SOLVED] Can't import client private key for OVPN

Thu Aug 04, 2011 12:30 pm

> Hello,
> we also had the same problem and, trying to tame it, we made some tests. We found that keys generated with openssl 1.0.0 do not get imported properly. Everything works if keys and certificates get generated with openssl 0.9.8.
>
> AFAIK, something has been changed in the key file format between 0.9.8 and 1.0.0. OpenSSL 1.0.0 is becoming mainstream on every major distribution (even in Mac OS X with macports) so, soon, the importing issue will become a big problem: could you please check that the new format would also be imported?
>
> Thanks in advance!
>
> Giampaolo

openssl-1.0.0-1.1-.sv2010.2 worked for me.
 
manchoz
just joined
Posts: 2
Joined: Wed Jan 13, 2010 12:26 pm

Re: [SOLVED] Can't import client private key for OVPN

Thu Aug 04, 2011 12:41 pm

Hello anv,
what is that version? I can't find it either among the official tarballs or among the snapshots. I guess that it is some CVS revision plus some special patch: where did you find it?

Thanks,
Giampaolo
 
anv
newbie
Topic Author
Posts: 31
Joined: Mon Jul 04, 2011 5:19 pm
Location: Spain

Re: [SOLVED] Can't import client private key for OVPN

Thu Aug 04, 2011 12:56 pm

> Hello anv,
> what is that version? I can't find it either among the official tarballs or among the snapshots. I guess that it is some CVS revision plus some special patch: where did you find it?
>
> Thanks,
> Giampaolo

This is the Mandriva package. You may download the source code if you want. Just google for it.
 
spacemind
Member Candidate
Posts: 111
Joined: Mon Jul 07, 2008 8:33 pm

Re: [SOLVED] Can't import client private key for OVPN

Tue Aug 09, 2011 2:51 pm

Hi Again,


I think there is a bug in MikroTik 5.x that does not work with the openssl-1.0.0d-fips 8 (Fedora 15) .key files and .crt files.

openssl-1.0.0d-fips 8 (Fedora 15)
