Community discussions

MikroTik App
 
611
newbie
Topic Author
Posts: 47
Joined: Wed Oct 17, 2018 10:12 am

Backing up certificates

Thu Oct 06, 2022 6:27 pm

It happened that I had ran my CA for IPsec purposes on one of my MT routers (yes, I know), and as the device in question was due to be upgraded, I've decided to move the CA to a back-end device.

From my previous experience I knew that configuration backup/restore functions in ROS also backing up/restoring certificates. However it turned out that restoring a backup on another device actually doesn't restore private keys of the certificates - the certificates are getting restored OK, but they no longer have their private keys. (It may happen that the private keys are not actually backed up if you're selecting "do not encrypt backup" as I did, but as the recipient device is of another model the backup/restore approach was anyhow suboptimal.)

So I came up with a script that exports certificates along with their keys (each certificate is exported with its own passphrase) and creates a script to import them back, allowing easy migration to other device:
# Certificate export tool for ROS 7.x by 611

# Filter for cert names
:local certnamesearchstring "";

# Create script file for cert import
:local scriptname "cert-import-$certnamesearchstring.rsc";
:put "Exporting (non-expired, non-revoked) certificates with filter '$certnamesearchstring', writing import script to $scriptname:";
# There could be a lot of files, so /file print is suboptimal, we'll use /certificate instead with a filter, so that the output will be empty (except for header)
/certificate print file=$scriptname where !name;

# Export loop (with reqd variables)
:local certname; :local exportpass;
:local scriptbody ""; :local scriptpart 1;

# Certificate templates won't export and have no "invalid-after" date, excluding them 
# You may add extra conditions to filter the cert list here:
:foreach i in=[/certificate find invalid-after !expired !revoked name~($certnamesearchstring)] do={
  :set $certname [/certificate get $i name];
  :set $exportpass [:rndstr from="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" length=32]
  :put "* $certname";

  # Actual export, ignore errors
  :do { /certificate export-certificate $i file-name=$certname export-passphrase=$exportpass; } on-error={ :put "  ! Error"; }

  # Add import cert command to the script
  :set $scriptbody ($scriptbody . "/certificate import file-name=$certname.crt name=$certname passphrase=""""\r\n");
  
  # Add import key command to the script if there's a key
  :delay 2;
  :if ([/file find name="$certname.key"]) do={
    :put "  + key";
    :set $scriptbody ($scriptbody . "/certificate import file-name=$certname.key passphrase=$exportpass\r\n"); }

  # Check if the script is approaching 4k. write contents to the file and start a new one if so
  if ([:len $scriptbody] > 3840) do={
    # Delay could be required as file creation seems to be async to the script, and it should complete for write to succeed
    :delay 2;
    /file set $scriptname contents=$scriptbody;
    :set $scriptbody "";  :set $scriptpart ($scriptpart+1);
    :set $scriptname "cert-import-$certnamesearchstring-$scriptpart.rsc";
    ;put "Starting new import script $scriptname:";
    /certificate print file=$scriptname where !name; }
}

# Write script to the file
:delay 2;
/file set $scriptname contents=$scriptbody;
:put "OK";
:put "Remove '.txt' from script(s) extension, transfer script(s), .crt and .key files to the destination router, and use /import to run the script(s).";

# That's all, folks!

Peculiarities:
  • Certificates could be filtered by their names, the filter string is set in the beginning of the script;
  • Templates (certificates created, but not yet signed) obviously won't export as there are no public an private keys yet, so they are filtered out when exporting. It's possible to export them as plain configuration, but this is not implemented (I have a single template so it's not problem to do it manually);
  • Expired and revoked certificates are not exported as it looks unnecessary;
  • The script is slow as file operations require 2 second delay after creation of file before it could be found or written to. Ofc it's possible to export all the certs, then look for all the .key files, thus have a single 2 second delay instead of a delay for each certificate, but let's leave this implementation to ones who require better performance (I'm OK with the script running to 40 seconds or so on my device);
  • File read/write operations as implemented in ROS are limited to 4k file size, thus the script will write out an import script file and start the next one as the size will approach 4k;
  • The script will require modifications for ROS v6 and earlier (as :rndstr was introduced in v7).

Comments and suggestions are welcome.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Backing up certificates

Thu Oct 06, 2022 7:08 pm

I don't remember exact details, but last time I tried to transfer RouterOS CA like this, it had trouble keeping relation between CA and issued certificates. Meaning that they didn't show as issued by CA and couldn't be revoked. Does this work for you?
 
611
newbie
Topic Author
Posts: 47
Joined: Wed Oct 17, 2018 10:12 am

Re: Backing up certificates

Fri Oct 07, 2022 1:02 am

Same to me - looks like "issued" and "revoked" flags, along with CA attribute of the certificates are local - they are not exported and absent on imported ones.

Not a major problem for me as mu use case is simple: I'm pinning specific certificates for all connections I'm using and have never implemented CRL thus removing and revoking certificates are synonymous for me.

I've red an article stating there are more problems if CRL is implemented as there's no way to export neither existing CRL, and if the new device will not be able to download it from the old device, CRL won't work on the new device even for newly issued certificates.
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Backing up certificates

Fri Oct 07, 2022 1:59 am

If only MikroTik made readable export that exports everything (and can be imported elsewhere, obviously, both as whole and partially). No "hidden magic". It's not like it would be something weird, quite the opposite. Oh well, one can dream... :)

Who is online

Users browsing this forum: capy2008, dioeyandika, flintham12 and 88 guests