akill
just joined
Topic Author
Posts: 3
Joined: Sun Feb 01, 2015 2:17 pm

expired certificates

Mon Jan 08, 2018 8:12 pm

Hello everyone, I need your help.

I have a CCR in my CORE that receives all my VPN connections, site to site with other MikroTik routers.

I have set up three certificates in my CCR (CA, cert for the server and other certs for the clients). My CA has expired.

0 K L A ET myCa myCa ...
1 K A ET server server ...
2 K A T clien... clientOVPN1 ...
3 K A ET client1 client1

How can I renew my certificates?
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: expired certificates

Mon Jan 08, 2018 10:22 pm

Since the CA is also expired, restart from scratch, generating all certificates.
 
akill
just joined
Topic Author
Posts: 3
Joined: Sun Feb 01, 2015 2:17 pm

Re: expired certificates

Tue Jan 09, 2018 5:03 pm

thx :)

I have tried to renew my CA certificate.

Now I have another certificate (newCA1.crt) with the same public key as my original CA certificate.

When I import this new certificate into MikroTik, this new certificate has these flags (KT):

0 K L A ET myCa myCa ...
1 K A ET server server ...
2 K A T clientOVPN1 clientOVPN1 ...
3 K A ET client1 client1 ...
4 K T newCA1.c... newCA ...

What have I missed, because this new certificate is not a CA after being imported?!

When I generated a new certificate, the output was newCA1.crt (only certificate) and newCA1.pem (certificate and public key). I copied and imported these two files to MikroTik.
Last edited by akill on Wed Jan 10, 2018 1:52 am, edited 1 time in total.
 
16again
Frequent Visitor
Posts: 78
Joined: Fri Dec 29, 2017 12:23 pm

Re: expired certificates

Tue Jan 09, 2018 9:55 pm

Only the CA itself has a private key (K); you don't need this on endpoints.
The local certificate for the router itself is the only certificate that requires the private key to be included.