We have a CAPsMAN with 'auto'-generated CA and certificate, and lots of CAPs also with certificates requested from the CAPsMAN but without 'Lock To CAPsMAN'.

We need to replace the router running CAPsMAN with another larger model. How do we manage the certificates?
I'm sure it would work to log in to each CAP and remove the certificates and restart the CAP client to make them request a new certificate from the new CAPsMAN, but we would like to avoid that.

We also tried to export the CA client from the old CAPsMAN and import it into the new, but in the new CAPsMAN it only shows the 'T'-flag for trusted, and not 'KA'

Is it supposed to be possible, and what is then the correct procedure to replace the CAPsMAN?

Auto-generated CA certificate on CAPsMAN is quick and dirty way to get you up and running with certificates. It would be better to implement more advanced PKI for devices in your authority, e.g:
- generate root CA certificate, keep it somewhere safe, not on any CAPsMAN
- issue CA certificate signed by root for each CAPsMAN, install on each CAPsMAN along with trusted root CA
- have CAPs trust your root CA (*)

Now CAPsMAN can sign certificate requests from CAPs with its sub-CA. CAPs will connect to any CAPsMAN with certificate signed by root CA, and CAPsMAN will accept CAPs with certificates generated by any CAPsMAN, provided that CAP certificate chain ends with trusted root CA.

Unfortunately at the moment (*) from the above does not happen automatically - CAPsMAN sends only its own CA certificate to CAP when signing certificate request (CAP installs this CA certificate as trusted). Sending complete CA chain to CAP can be considered for implementation.

BUT

There is also quick and dirty way to do what you want - just export the certificate on your old CAPsMAN along with its private key. You do this by: /cert export-certificate 0 export-passphrase=12345678, it will generate 2 files - certificate and key. Then import it in new CAPsMAN. Beware - auto-generated certificates include device's MAC address in CommonName. Currently this is not being checked, but this can change.

Auto-generated CA certificate on CAPsMAN is quick and dirty way to get you up and running with certificates. It would be better to implement more advanced PKI for devices in your authority, e.g:
- generate root CA certificate, keep it somewhere safe, not on any CAPsMAN
- issue CA certificate signed by root for each CAPsMAN, install on each CAPsMAN along with trusted root CA
- have CAPs trust your root CA (*)

Now CAPsMAN can sign certificate requests from CAPs with its sub-CA. CAPs will connect to any CAPsMAN with certificate signed by root CA, and CAPsMAN will accept CAPs with certificates generated by any CAPsMAN, provided that CAP certificate chain ends with trusted root CA.

Unfortunately at the moment (*) from the above does not happen automatically - CAPsMAN sends only its own CA certificate to CAP when signing certificate request (CAP installs this CA certificate as trusted). Sending complete CA chain to CAP can be considered for implementation.

BUT

There is also quick and dirty way to do what you want - just export the certificate on your old CAPsMAN along with its private key. You do this by: /cert export-certificate 0 export-passphrase=12345678, it will generate 2 files - certificate and key. Then import it in new CAPsMAN. Beware - auto-generated certificates include device's MAC address in CommonName. Currently this is not being checked, but this can change.

Hello M,

Do you know any trick to import the trusted root CA in recent versions of ROS 6.28+?

I need to upgrade an RB2011 to RB3011 and the import of the trusted root CA goes successfully but it´s not recognized as an CA. It has only KT flags and misses the A flag. Inside CAPs manager when selecting the CA it does not appear.

I am in the same situation, we need a secondary capsmanager in case of failure, tried to import the autogenerated certificate to the secondary manager but only KT flags appear. Tried to create my CA manually following this steps:
http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates

At the primary router shows with KLAT flags, after "successful" export to the secondary only appear TL flags...

Could you explain further the steps we need to follow in order to have PKI infraestructure able to work with 2 Capsmanager,

Thank you very much

Unfortunately importing CA certificate with ability to sign certificates was not possible, like you explain. This was disabled deliberately so that user does not start signing certificates with CA on multiple devices that would produce conflicting sequence numbers. This has been relaxed so that you can import CA certificates generated by RouterOS. 6.34 has this feature.

Hi guys,
it is there some workaround to move capsman to another / more powerful / device ?
Let's say I have capsman on rb3011 and I wanna move this to some CCR hw...
How I can do this ?

up up

Export configuration and import it in the newer device?

ok but what about cerfs ?