paris9
newbie
Topic Author
Posts: 32
Joined: Mon Feb 03, 2014 9:31 am

https check-certificate howto with self-created ca/cert

Tue Mar 15, 2016 10:34 am

Hello,

Any help would be appreciated :D

I created my own CA and server certificate and installed them into apache2. Note that this is not a self-signed certificate, but a CA and server certificate signed by the CA. Firefox, Internet Explorer, and Chrome all recognize the server certificate and CA and everything works as expected. When I use openssl to connect and verify the certificate with the CA everything works fine as shown below. However, when I installed my CA into RouterOS to verify my server's certificate (which it signed) and attempted a fetch with check-certificate I get the errors.

What am I doing wrong, or is this a bug in RouterOS?

openssl s_client -connect 192.168.80.40:443 -showcerts -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=1 C = US, ST = California, L = San Jose, O = abc, OU = it, CN = MY CA (verify return:1)
depth=0 CN = 192.168.80.40, ST = California, C = US, O = abc, OU = it (verify return:1)
Verify return code: 0 (ok)

Debian Apache 2.4.10 says:
[Tue Mar 15 07:50:30.857437 2016] [ssl:info] [pid 2922] SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)

RouterOS 6.34.3 (stable) says:
failure: ssl connection error: handshake failed: unable to get certificate CRL (6)
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: https check-certificate howto with self-created ca/cert

Tue Mar 15, 2016 2:59 pm

It says that it can't get the CRL (revocation list). So from the look of it, without any testing, I'd say it's either:
a) you included a CRL URL in your certificate, it's not accessible and RouterOS is probably right to complain
b) there is no such thing in your certificate, RouterOS invented it out of nothing and it looks like a bug
 
paris9
newbie
Topic Author
Posts: 32
Joined: Mon Feb 03, 2014 9:31 am

Re: https check-certificate howto with self-created ca/cert

Tue Mar 15, 2016 7:18 pm

It says that it can't get the CRL (revocation list). So from the look of it, without any testing, I'd say it's either:
a) you included a CRL URL in your certificate, it's not accessible and RouterOS is probably right to complain
b) there is no such thing in your certificate, RouterOS invented it out of nothing and it looks like a bug
You are absolutely right! I completely forgot that I included certificate revocation when I created the certificate. I reproduced the issue with openssl, so I just need to get my server configured correctly with the crl.pem. Thank you :D

openssl s_client -connect 192.168.80.40:443 -showcerts -CApath /etc/ssl/certs -crl_check
Verify return code: 3 (unable to get certificate CRL)