Community discussions

MikroTik App
 
ilium007
Member Candidate
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Updating CA root certs regularly

Fri Nov 27, 2020 1:58 pm

What is the best way to update CA root certs? I am running the script below every 7 days but I wondered if there is a better way to work out if they actually *need* updating before downloading, deleting and replacing certs every week.

Also - can running this every week damage flash RAM (or whatever memory is inside it).
{
  :do {
      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes dst-path=cacert.pem;
      /certificate remove [find];
      /certificate import file-name=cacert.pem passphrase="";
      /file remove cacert.pem;
      :log info ("Updated certificate trust store");
  } on-error={
      :log error ("Failed to update certificate trust store");
  };
}
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Updating CA root certs regularly

Fri Nov 27, 2020 2:23 pm

Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year.
 
ilium007
Member Candidate
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Fri Nov 27, 2020 2:27 pm

Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year.
ok, thanks
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Updating CA root certs regularly

Fri Nov 27, 2020 7:10 pm

No need to remove all certificates... You could just remove the expired ones to clean up.
/certificate remove [ find where authority expired ];
 
ilium007
Member Candidate
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:31 pm

No need to remove all certificates... You could just remove the expired ones to clean up.
/certificate remove [ find where authority expired ];
Thanks - will the certificate import command then only import the new ones or will it write them all again?
/certificate import file-name=cacert.pem passphrase="";
 
ilium007
Member Candidate
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:32 pm

Completely unnecessary to update them that often! Once every 3 months should be more than enough, maybe even once per year.
So if I run 3 monthly and a cert expires the day after the last script run then potentially I wait 3 months for this remote site to update root certs so the dynamic DNS IP update script can run via https.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:47 pm

It would be very bad practice for a certificate issuer to update their root certs only the day before they expire!
Remember all certs issued to clients depend on the root cert to be valid at least as long as the issued certificate.
As these are valid often for a year, the new root cert should be issued at least a year before the old one expires.
And these are usually valid for 10 years or so.
 
ilium007
Member Candidate
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:49 pm

That makes perfect sense! Thanks.
 
ilium007
Member Candidate
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Updating CA root certs regularly

Sat Nov 28, 2020 3:52 pm

I will run this every 6months then. Is there any way to only import the certs that expired or will this import all and overwrite existing certs?
{
  :do {
      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes dst-path=cacert.pem;
      /certificate remove [ find where authority expired ];
      /certificate import file-name=cacert.pem passphrase="";
      /file remove cacert.pem;
      :log info ("Updated certificate trust store");
  } on-error={
      :log error ("Failed to update certificate trust store");
  };
}
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Updating CA root certs regularly  [SOLVED]

Sun Nov 29, 2020 1:10 am

Certificates that do not change are untouched. Have a look at the import output, it should give some numbers.
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Thu Jun 13, 2024 2:10 pm

I will run this every 6months then. Is there any way to only import the certs that expired or will this import all and overwrite existing certs?
{
  :do {
      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes dst-path=cacert.pem;
      /certificate remove [ find where authority expired ];
      /certificate import file-name=cacert.pem passphrase="";
      /file remove cacert.pem;
      :log info ("Updated certificate trust store");
  } on-error={
      :log error ("Failed to update certificate trust store");
  };
}
This is perfect, thank you for providing it.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Thu Jun 13, 2024 6:48 pm

The first time do not work with "check-certificate=yes" because the certificate is not already present.
Must be done first time manually without "check-certificate=yes"...


also this do not work:
/certificate remove [ find where authority expired ];
because no one certificate is "authority" (authority is just the machine itself that generate certificates)
so that line must be only
/certificate remove [find where name~"certs.pem*" expired=yes]


also this do not work on v6:
/tool fetch url=https://mkcert.org/generate/
because the filename is missing. (on v7.15.1 work)
and only /generated redirect to /generated/ and v6 do not support http redirect.
on v6 mus be:
/tool fetch url=https://mkcert.org/generate/[b]all/except/nothing[/b]

so, a correct script that work on both v6 and v7 is this:

EDIT: Removed, see post #16
viewtopic.php?p=1080456#p1080456
Last edited by rextended on Thu Jun 13, 2024 11:10 pm, edited 4 times in total.
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Thu Jun 13, 2024 9:29 pm

These were the changes which I did because I found it always failed on first run.
This is based off the original code posted by @ilium007, so I made the following changes to make it more reliable.
{
  :local retryCount 0;
  :local maxRetries 3;
  :local success false;

  :do {
    :while ($retryCount < $maxRetries && !$success) do={
      :do {
        /tool fetch url=https://mkcert.org/generate/ check-certificate=yes dst-path=cacert.pem;
        /certificate remove [ find where authority expired ];
        /certificate import file-name=cacert.pem passphrase="";
        /file remove cacert.pem;
        :log info ("Updated certificate trust store");
        :set $success true;
      } on-error={
        :set $retryCount ($retryCount + 1);
        :log error ("Failed to update certificate trust store. Attempt: $retryCount");
        :delay 5s;  # Delay before retrying
      };
    }
    :if (!$success) do={
      /tool e-mail send to="noc@example.io" subject="RouterOS Certificate Update Failed" body="Failed to update the certificate trust store after $maxRetries attempts.";
      :log error ("Failed to update certificate trust store after $maxRetries attempts");
    }
  } on-error={
    :log error ("Unexpected error in the update script");
  };
}
As mentioned, it will fail first time as @rextended noted because the certs gets deleted on first run, so theres a small loop which will try again until sucessful upto maxRetries count and if it still fails, it will send you a mail.

---
Update

Just made those changes you spotted, thanks, didnt notice tbh.
{
  :local retryCount 0;
  :local maxRetries 3;
  :local success false;

  :do {
    :while ($retryCount < $maxRetries && !$success) do={
      :do {
        /tool fetch url=https://mkcert.org/generate/all/except/nothing check-certificate=yes dst-path=cacert.pem;
        :delay 15s; # Wait 15 seconds for download
        /certificate remove [find where name~"cacert.pem*" expired=yes];
        /certificate import file-name=cacert.pem passphrase="";
        /file remove cacert.pem;
        :log info ("Updated certificate trust store");
        :set $success true;
      } on-error={
        :set $retryCount ($retryCount + 1);
        :log error ("Failed to update certificate trust store. Attempt: $retryCount");
        :delay 5s;  # Delay before retrying
      };
    }
    :if (!$success) do={
      /tool e-mail send to="noc@example.io" subject="RouterOS Certificate Update Failed" body="Failed to update the certificate trust store after $maxRetries attempts.";
      :log error ("Failed to update certificate trust store after $maxRetries attempts");
    }
  } on-error={
    :log error ("Unexpected error in the update script");
  };
}
Last edited by majestic on Thu Jun 13, 2024 11:35 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Thu Jun 13, 2024 10:37 pm

As mentioned, it will fail first time as @rextended noted because the certs gets deleted on first run, so theres a small loop which will try again until sucessful upto maxRetries count and if it still fails, it will send you a mail.
Still fail forever, until the check-certificate=yes is removed OR the first time the certs (or at least the cert for mkcert.org) are added manually...
Last edited by rextended on Thu Jun 13, 2024 10:58 pm, edited 3 times in total.
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Thu Jun 13, 2024 10:38 pm

This is expected, but I will see if I can add in some checking code to allow it to bypass the first time.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Thu Jun 13, 2024 10:58 pm

Do not worry, ie easy...

no manual install code

/file
print file=mkcert.txt
:delay 1s
set mkcert.txt content="-----BEGIN CERTIFICATE-----\r\
    \nMIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw\r\
    \nTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\r\
    \ncmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4\r\
    \nWhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu\r\
    \nZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY\r\
    \nMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc\r\
    \nh77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+\r\
    \n0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U\r\
    \nA5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW\r\
    \nT8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH\r\
    \nB5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC\r\
    \nB5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv\r\
    \nKBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn\r\
    \nOlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn\r\
    \njh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw\r\
    \nqHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI\r\
    \nrU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV\r\
    \nHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq\r\
    \nhkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL\r\
    \nubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ\r\
    \n3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK\r\
    \nNFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5\r\
    \nORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur\r\
    \nTkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC\r\
    \njNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc\r\
    \noyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq\r\
    \n4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA\r\
    \nmRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\r\
    \nemyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\r\
    \n-----END CERTIFICATE-----"
/certificate
import file-name=mkcert.txt passphrase="" name=imported-ca-cert_mkcert
/file remove [find where name=mkcerts.txt]
:do {
    /tool fetch url=https://mkcert.org/generate/all/except/nothing check-certificate=yes dst-path=mkcerts.pem
    remove [find where name~"imported-ca-cert*" expired=yes]
    import file-name=mkcerts.pem passphrase="" name=imported-ca-cert
    /file remove [find where name=mkcerts.pem]
    :log info "Trust Store: Certificates update from mkcert.org succeeded"
    /tool e-mail send to="correct@example.com" subject="$[/sys id get name] Trust Store script executed successfully" \
        body="Trust Store: Certificates update from mkcert.org succeeded"
} on-error={
    :log error "Trust Store: Unable to update certificates from mkcert.org"
    /tool e-mail send to="correct@example.com" subject="$[/sys id get name] Error on auto update Trust Store script" \
        body="For some reason the script failed to update certificates from mkcert.org"
}
This work until Mon, 04 Jun 2035 11:04:38 GMT,
after that date, the embedded cert (on a new machine) must be updated...

And is also possible save ":execute file=result.txt" and send the result.txt file on the email.

result.txt example on first run code

     certificates-imported: 147
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0
And is also possible, with scripting, report on log or on mail what and how many certificates deleted (if any), and what and how many certificate added (if any).


EDIT:
https://forum.mikrotik.com/viewtopic.php?p=1083839#p1083841
added backward compatibility for unexpected new behaviour
Last edited by rextended on Thu Jul 04, 2024 2:29 pm, edited 1 time in total.
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Thu Jun 13, 2024 11:34 pm

As mentioned, it will fail first time as @rextended noted because the certs gets deleted on first run, so theres a small loop which will try again until sucessful upto maxRetries count and if it still fails, it will send you a mail.
Still fail forever, until the check-certificate=yes is removed OR the first time the certs (or at least the cert for mkcert.org) are added manually...
Just use the initial run of `check-certificate=no` then after you have the certs, set back to `yes`

I have tried to add some logic in but due to the initial import always errors, it always breaks the script anyways. So its much easier to just do the initial with no and then change to yes afterwards, or just use no all the time (not advised).
 
User avatar
patrikg
Member
Member
Posts: 366
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:04 am

Speaking of the issue of certificates.
Mikrotik has not even done a renewal either on there demo routers.

https://demo.mt.lv/
Went out the door at 23 May 2024 07:41:48...

https://demo2.mt.lv/
Goes out the door at 18 June 2024 08:37:45...

Mailed Normis and nothing happend.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:09 am

My previous example is perfect for to not renounce to cert check, also the first time.

**************
reworked, see next posts...
**************
Last edited by rextended on Fri Jun 14, 2024 12:22 am, edited 1 time in total.
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:14 am

I believe Mikrotik should be including the rootCA's as part of their firmware packages like other distro/hardware manufacturers, as they are really part of the OS level and clients shouldnt have to result to installing them for basic functionaly. Installing you own CA's should only be for certain senarios where you role your own i.e your own pki.
Last edited by majestic on Fri Jun 14, 2024 12:14 am, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:14 am

Speaking of the issue of certificates.....
Since are completely useless becaues you can not do nothing, what matter?
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:17 am

My previous example is perfect for to not renounce to cert check, also the first time.

Still possible to first download only one certificate "https://mkcert.org/generate/ISRG%20Root%20X1"
check if certificate have the correct fingerprint 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
and then download all the others, without giving up any safety.
Yeah thats a good idea, until that one expires :)
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:18 am

I believe Mikrotik should be including the rootCA's as part of their firmware packages...
Since the CEO of MikroTik decided that 16M is more than enough, even in 2024,
putting 284KB more in the firmware is impossible, since often you either put the certificates, or you put the wireless drivers...

A word to the wise...
 
User avatar
patrikg
Member
Member
Posts: 366
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:19 am

Speaking of the issue of certificates.....
Since are completely useless becaues you can not do nothing, what matter?
Just want to be nice and let M know that their cert has expired nothing more :)
That is precisely why you should add a script that does it automatically.
Last edited by patrikg on Fri Jun 14, 2024 12:21 am, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:20 am

My previous example is perfect for to not renounce to cert check, also the first time.

Still possible to first download only one certificate "https://mkcert.org/generate/ISRG%20Root%20X1"
check if certificate have the correct fingerprint 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
and then download all the others, without giving up any safety.
Yeah thats a good idea, until that one expires :)
Already wroted:
This work until Mon, 04 Jun 2035 11:04:38 GMT
:lol:

On that date, with RouterOS 7.23.5 cert are embeded, Normis is the new CEO, and 16M flash still used...
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:22 am

I believe Mikrotik should be including the rootCA's as part of their firmware packages...
Since the CEO of MikroTik decided that 16M is more than enough, even in 2024,
putting 284KB more in the firmware is impossible, since often you either put the certificates, or you put the wireless drivers...

A word to the wise...
True, however, I cant see why they cant at the very least have an "optional" package which you could install for basic functionaly. Call it `ca-certificates` like every distro does and people just install that optional package, that way, those exta K, can still be saved for those who needs that. It would be a lot safer to have a package, then people having to hack up scripts and use workarounds. Just my two cents.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:24 am

reworked the logic:

Still possible to
first check if a certificate with fingerprint 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6 exist,
if not download only one certificate "https://mkcert.org/generate/ISRG%20Root%20X1" and check if the certificate have the correct fingerprint
if is ok, then download all the others, without giving up any safety.
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:25 am

Yeah, think your right, ile see if I can add the logic when I get a few mins. I believe this is prob our best option at least for now.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:27 am

If MikroTik doesn't know where to put all those surplus 16M memories, I would gladly suggest a place... :twisted:

You could put 2, and mount them so that one is the boot and one holds the rest of the configuration...
 
majestic
Member Candidate
Member Candidate
Posts: 109
Joined: Mon Dec 05, 2016 11:19 am

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:28 am

If MikroTik doesn't know where to put all those 16M memories, I would gladly suggest a place... :twisted:

You could put 2, and mount them so that one is the boot and one holds the rest of the configuration...
Let me see what I can knock up :) coz there must be away. Seeing if can do what you suggest, my ROS isnt that great but I get there ;)
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:31 am

Sorry, I didn't understand, maybe because of a language error I didn't explain myself:
I meant that if they bought so many 16M memories that they don't know where to put them ( :twisted: ) anymore,
they could put 2 in the routerboards, in one goes the operating system, and in the other the configuration, branding and user files...
 
User avatar
patrikg
Member
Member
Posts: 366
Joined: Thu Feb 07, 2013 6:38 pm
Location: Stockholm, Sweden

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:32 am

LANG=C date --date="@$(echo '2^31-1' | bc)"
Tue Jan 19 04:14:07 CET 2038
From 2K Y problems to the new dooms day for Linux :)

Dont get it, don't know why they don't goto 64bit
LANG=C date --date="@$(echo '2^55+31739239172709231' | bc)"
Wed Dec 31 23:59:59 CET 2147485547
Sorry to say, I think I am ded at year 2147485547 :)

My biggest epoch time supporting my computer now is
67768036191673199
Last edited by patrikg on Fri Jun 14, 2024 1:17 am, edited 8 times in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:33 am

Yeah, think your right, ile see if I can add the logic when I get a few mins. I believe this is prob our best option at least for now.
It would take me a moment to write the script, I'll leave the fun to you this time 8) :lol:
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Fri Jun 14, 2024 12:35 am

echo '2^31-1' | bc
2147483647
LANG=C date --date='@2147483647'
Tue Jan 19 04:14:07 CET 2038
I hope someone fix it before 2038 :lol:
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Updating CA root certs regularly

Wed Jun 19, 2024 9:34 am

also this do not work:
/certificate remove [ find where authority expired ];
because no one certificate is "authority" (authority is just the machine itself that generate certificates)
so that line must be only
/certificate remove [find where name~"certs.pem*" expired=yes]
Ah, right... But you can identify root certificates by empty akid. So this should work:
/certificate remove [ find where akid="" expired ];
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Updating CA root certs regularly

Wed Jun 19, 2024 9:35 am

echo '2^31-1' | bc
2147483647
LANG=C date --date='@2147483647'
Tue Jan 19 04:14:07 CET 2038
I hope someone fix it before 2038 :lol:
Fixed for 7.16, already available in 7.16beta1:
*) certificate - show validity beyond year 2038;
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12592
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Updating CA root certs regularly

Thu Jul 04, 2024 2:29 pm

Warning about future RouterOS versions:
viewtopic.php?p=1083839#p1083841

Who is online

Users browsing this forum: No registered users and 8 guests