Certificate Key Import not possible on v7.7
Posted: Fri Jan 13, 2023 3:47 pm
by fwedvteam
Hello,
Starting with RouterOS 7.7 I am not able to import a certificate key. The certificate is created with EasyRSA, which we have been using for a long time. I can import the certificate successfully but not the key. With ROS 7.6 it works without any problems.
I get no error; it just does nothing.
There are changes to certificate import in the changelog. Could it be a bug? How can I find out where the problem is?
Tell me if you need some more details.
Thanks a lot!
Best regards
Frank
Re: Certificate Key Import not possible on v7.7
Posted: Mon Jan 16, 2023 2:00 pm
by kalderista
Hi,
I have the same issue too.
Regards
Re: Certificate Key Import not possible on v7.7
Posted: Mon Jan 16, 2023 6:44 pm
by strods
What kind of algorithms do you use? Starting from RouterOS v7.7 some of the very old mechanisms, such as the PKCS#7 encryption method "pbeWithSHA1And40BitRC2", are not supported, since nowadays they cannot be considered "secure".
Re: Certificate Key Import not possible on v7.7
Posted: Tue Jan 17, 2023 10:33 am
by fwedvteam
Hi,
thanks for your reply. We are using "sha256RSA"
Best regards
Frank
Re: Certificate Key Import not possible on v7.7
Posted: Tue Jan 17, 2023 12:17 pm
by eworm
Works for me... So this is not a general problem with RouterOS 7.7. Can you give more detail on your certificate?
Re: Certificate Key Import not possible on v7.7
Posted: Tue Jan 17, 2023 1:53 pm
by fwedvteam
Works for me... So this is not a general problem with RouterOS 7.7. Can you give more detail on your certificate?
I can, but tell me what you need. If it's not clear: we have no issues with the certificate, only with the key.
Re: Certificate Key Import not possible on v7.7
Posted: Wed Jan 18, 2023 7:31 pm
by RichieB
We were seeing the same problems with certificates generated by EasyRSA. Up to v7.6 no issues; starting with v7.7 they refuse to import. The output is:
> /certificate import file-name="test.p12" name="test" passphrase=1234
certificates-imported: 0
private-keys-imported: 0
files-imported: 0
decryption-failures: 1
keys-with-no-certificate: 0
EasyRSA uses OpenSSL to generate the p12 files with the default PKCS#12 algorithms. This gives:
# openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 56 48 D7 2B F7 AA D7 4A 4A DB 80 16 90 D1 38 F9 C7 5C A3 44
friendlyName: my test
subject=/CN=test
issuer=/CN=test CA
As stated above, pbeWithSHA1And40BitRC2-CBC is no longer supported in v7.7. The solution is to change the ciphers in the OpenSSL pkcs12 export:
$ openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES ....
$ openssl pkcs12 -in test.p12 -info
Enter Import Password:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: 56 48 D7 2B F7 AA D7 4A 4A DB 80 16 90 D1 38 F9 C7 5C A3 44
friendlyName: my test
subject=/CN=test
issuer=/CN=test CA
For EasyRSA you can set this in the appropriate line of the easyrsa script:
pkcs_opts="-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES"
Re: Certificate Key Import not possible on v7.7
Posted: Thu Jan 19, 2023 10:36 am
by fwedvteam
We do not use PKCS#12; we use an X.509 certificate with an RSA key.
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Re: Certificate Key Import not possible on v7.7
Posted: Fri Feb 03, 2023 4:02 pm
by fwedvteam
For me it's working again with routeros-7.8beta3.
Thanks!
Re: Certificate Key Import not possible on v7.7
Posted: Fri Feb 03, 2023 9:10 pm
by eworm
That's good news. Looks like I found a case where it is failing for me as well... Any chance we will see this in something like version 7.7.2?
Re: Certificate Key Import not possible on v7.7
Posted: Sat Feb 04, 2023 4:36 pm
by depth0cert
What kind of algorithms do you use? Starting from RouterOS v7.7 some of the very old mechanisms, such as the PKCS#7 encryption method "pbeWithSHA1And40BitRC2", are not supported, since nowadays they cannot be considered "secure".
SUP-106766 private-keys-imported: 0
NETINSTALLED 7.8beta3
[admin@MikroTik] > /certificate add common-name=r1-ca days-valid=3652 key-size=prime256v1 key-usage=key-cert-sign,crl-sign name=r1-ca subject-alt-name=email:r1-ca
[admin@MikroTik] > :do {/certificate sign [find name=r1-ca] name=r1-ca} on-error={:delay 3}
progress: done
[admin@MikroTik] > /certificate export-certificate r1-ca file-name=r1-ca export-passphrase=passphrase type=pem
[admin@MikroTik] > /certificate remove r1-ca
[admin@MikroTik] > /certificate import file-name=r1-ca.crt name=r1-ca passphrase=passphrase
certificates-imported: 1
private-keys-imported: 0
files-imported: 0
decryption-failures: 0
keys-with-no-certificate: 0
[admin@MikroTik] > /certificate import file-name=r1-ca.key name=r1-ca passphrase=passphrase
certificates-imported: 0
private-keys-imported: 0
files-imported: 0
decryption-failures: 0
keys-with-no-certificate: 0
Re: Certificate Key Import not possible on v7.7
Posted: Sat Feb 04, 2023 7:11 pm
by SergioGC
I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.
Re: Certificate Key Import not possible on v7.7
Posted: Sat Feb 18, 2023 2:25 am
by KeitaroBR
I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.
This worked for me as well!
Re: Certificate Key Import not possible on v7.7
Posted: Wed Feb 22, 2023 7:13 pm
by arnaldo
I was also having problems importing certificates+key in PKCS#12 format, using a file generated by OpenSSL from PEM files with key and certificate (Let's Encrypt, using a script that is a few years old).
I can confirm that by default OpenSSL will use pbeWithSHA1And40BitRC2 unless RC2 is disabled or the -descert option is used. By using -descert the resulting PKCS#12 file uses pbeWithSHA1And3-KeyTripleDES, which is (still) accepted by ROS 7.7.
Knowing that pbeWithSHA1And40BitRC2 is no longer accepted was key. A small fix in my script and voila!
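The algorithm check RichieB and arnaldo describe (pbeWithSHA1And40BitRC2-CBC versus pbeWithSHA1And3-KeyTripleDES-CBC), as an added Python example that is not from this thread, RouterOS or OpenSSL: it scans a .p12/.pfx for the PKCS#12 PBE OIDs and repeats the re-export flags from the posts above. The OID table is taken from RFC 7292 Appendix C and RFC 8018; SAMPLE_RC2 is a constructed AlgorithmIdentifier fragment, not a real file.

```python
import sys

# DER-encoded OBJECT IDENTIFIERs (tag 0x06, length byte, arcs) of the PKCS#12
# password-based encryption schemes from RFC 7292 Appendix C, plus PBES2
# (RFC 8018), which modern `openssl pkcs12 -export` uses for AES.
PBE_OIDS = {
    bytes.fromhex("060a2a864886f70d010c0101"): "pbeWithSHA1And128BitRC4",
    bytes.fromhex("060a2a864886f70d010c0102"): "pbeWithSHA1And40BitRC4",
    bytes.fromhex("060a2a864886f70d010c0103"): "pbeWithSHA1And3-KeyTripleDES-CBC",
    bytes.fromhex("060a2a864886f70d010c0104"): "pbeWithSHA1And2-KeyTripleDES-CBC",
    bytes.fromhex("060a2a864886f70d010c0105"): "pbeWithSHA1And128BitRC2-CBC",
    bytes.fromhex("060a2a864886f70d010c0106"): "pbeWithSHA1And40BitRC2-CBC",
    bytes.fromhex("06092a864886f70d01050d"): "PBES2",
}
# The scheme the thread reports RouterOS 7.7 stopped decrypting, and the
# re-export flags RichieB and arnaldo used to get a file it accepts.
REJECTED_BY_ROS_77 = {"pbeWithSHA1And40BitRC2-CBC"}
REEXPORT_HINT = "openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES ..."

def pbe_schemes(der):
    """Names of the PBE schemes whose OID occurs in the DER, in file order."""
    # Byte scan, not a full ASN.1 parse: tag + length + complete arc sequence
    # is distinctive enough to triage a .p12/.pfx before import.
    hits = []
    for oid, name in PBE_OIDS.items():
        pos = der.find(oid)
        while pos != -1:
            hits.append((pos, name))
            pos = der.find(oid, pos + 1)
    return [name for _, name in sorted(hits)]

def triage(der):
    """Return (import_should_work, advice) for a RouterOS 7.7+ import."""
    found = pbe_schemes(der)
    if not found:
        return False, "no PKCS#12 PBE OID found; is this really a DER .p12/.pfx?"
    bad = sorted(set(found) & REJECTED_BY_ROS_77)
    if bad:
        return False, "uses %s; re-export with: %s" % (", ".join(bad), REEXPORT_HINT)
    return True, "uses " + ", ".join(found)

# Constructed sample (not a real .p12): one AlgorithmIdentifier for
# pbeWithSHA1And40BitRC2-CBC with an 8-byte salt and 2048 iterations, the
# same "Iteration 2048" that `openssl pkcs12 -info` shows in the thread.
SAMPLE_RC2 = bytes.fromhex(
    "301c" "060a2a864886f70d010c0106" "300e" "04080011223344556677" "02020800")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RC2
    ok, advice = triage(data)
    print("OK" if ok else "PROBLEM", "-", advice)
```

Run it on the exported file (`python p12_triage.py test.p12`) before copying it to the router; an old OpenSSL default typically shows RC2-40 for the certificate bag and 3DES for the key bag, and any RC2-40 hit is enough to fail the 7.7 import.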
Re: Certificate Key Import not possible on v7.7
Posted: Mon Mar 06, 2023 2:20 pm
by MetUys
I'm having the same problem. Just implemented two new MikroTiks, freshly done with netinstall to v7.8.
I'm using the Posh-ACME service (targeting ZeroSSL) to generate the certificates on another machine and those are being put onto the units to be imported. I have updated to the latest version and have added the "-UseModernPfxEncryption" to the certificate generation process, but I am still running into the issue.
When I import the certificate files (pfx full chain + key file) it gives me this output:
certificates-imported: 0
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 1
Where am I going wrong?
PS: the key file imports; it's the pfx that is now not importing (it did on previous versions).
Re: Certificate Key Import not possible on v7.7
Posted: Sat Jun 17, 2023 5:37 pm
by sebus46
I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.
Lets Encrypt client 0.38 le64.exe
The created crt does indeed have 2 blank lines at the very end
That was not a problem ever up to 6.48.7
Now upgraded to an RB4011 which came with factory 7.8, and these 2 lines cause the crt not to import (but also without failing explicitly).
Once removed, the import works again. IMO that is a bug
sebus
Re: Certificate Key Import not possible on v7.7
Posted: Sun Jul 16, 2023 4:00 pm
by venc0r
I could not import the root CA cert of Let's Encrypt (ISRG Root X1). In my case I had to convert the file to Unix line endings; the downloaded one had Windows ones.
model: RB960PGS
revision: r2
firmware-type: qca9550L
factory-firmware: 6.44.6
current-firmware: 7.10.1
upgrade-firmware: 7.10.1
This can be done in any good editor, in my case vim.
Then save and quit in vim.
Re: Certificate Key Import not possible on v7.7
Posted: Thu Aug 24, 2023 11:32 am
by Milan
I had an issue importing certificates. I checked my certificate and it had some blank rows at the end. After deleting those rows I could import the certificate.
Same problem here. Will try to update to v7.11 where some certificate bugs are fixed (as mentioned in changelog).
Re: Certificate Key Import not possible on v7.7
Posted: Tue Jan 09, 2024 10:32 pm
by iotstool
The error that RouterOS v7.13.1 does not import a certificate with CRLF line endings (visible in an editor as ^M$) seems to persist. My *.pem file was downloaded with the Firefox browser on a Linux system.
I've converted line endings with vim and all is ok.
Re: Certificate Key Import not possible on v7.7
Posted: Fri Apr 05, 2024 1:56 am
by MetUys
PS: the key file imports; it's the pfx that is now not importing (it did on previous versions).
I switched to a full chain cer+key instead of my original full chain pfx+key, this solved my issues on all versions I have tried it on (old and new).
I have not tested yet on v13.5 (or newer), but I'm confident my problem is no more.
Re: Certificate Key Import not possible on v7.7
Posted: Sun May 05, 2024 4:01 pm
by spoken
On 7.14.3, I could not import a default openssl-generated RSA private key. I first had to import the certificate. My 2 cents.
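The CRLF and trailing-blank-line problems described by SergioGC, sebus46, venc0r and iotstool, together with spoken's certificate-before-key order, as an added Python pre-flight script that is not from this thread or from MikroTik: it normalises a PEM file the way the vim fix does and lists the blocks it contains in an import order. The function names and the SAMPLE PEM (placeholder base64 bodies) are constructed for this example.

```python
import re
import sys

# A PEM block header at the start of a line; works on LF or CRLF input.
_BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----", re.M)

def normalize_pem(data):
    """Return the file with LF endings, no trailing blank lines, one final newline."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return text.rstrip(b" \t\n") + b"\n"

def needs_fixing(data):
    """Reasons this file would trip the RouterOS 7.x importer (empty if none)."""
    reasons = []
    if b"\r" in data:
        reasons.append("CRLF line endings")
    tail = data[len(data.rstrip(b" \t\r\n")):]   # whatever follows the last END line
    if tail.count(b"\n") > 1 or tail.strip(b"\r\n"):
        reasons.append("trailing blank line(s) or whitespace")
    return reasons

def pem_block_types(data):
    """Labels of the PEM blocks in file order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1).decode() for m in _BEGIN_RE.finditer(data)]

def import_order(block_types):
    """Certificates first, keys last, so the key finds its certificate on import."""
    return sorted(block_types, key=lambda t: "KEY" in t)

# Constructed sample: CRLF endings and two blank lines after the last END line,
# the exact shape the posts above describe. The base64 bodies are placeholders.
SAMPLE = (b"-----BEGIN CERTIFICATE-----\r\nQ09OU1RSVUNURUQgQ0VSVCBCT0RZ\r\n"
          b"-----END CERTIFICATE-----\r\n"
          b"-----BEGIN PRIVATE KEY-----\r\nQ09OU1RSVUNURUQgS0VZIEJPRFk=\r\n"
          b"-----END PRIVATE KEY-----\r\n\r\n\r\n")

if __name__ == "__main__":
    # Usage: python pem_fix.py file.pem  (rewrites the file in place)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = SAMPLE
    for reason in needs_fixing(data):
        print("fixing:", reason)
    fixed = normalize_pem(data)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "wb") as f:
            f.write(fixed)
    print("blocks:", pem_block_types(fixed))
    print("import in this order:", import_order(pem_block_types(fixed)))
```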