dsobin
Member Candidate

multiple ssl certificate problem

Sat Jul 17, 2010 6:52 pm

I'm trying to install two ssl certificates on one router and I can't get it to work. Details follow below, after the description of what I'm trying to accomplish.

I have a hotspot running, using one ssl certificate, with no problem.
I purchased a second ssl certificate, with a different domain name, to support a second hotspot on the same router.

At first, I was going to use one certificate for both hotspots, but since each hotspot has its own subnet, and has to have its own domain name, I realized I needed another certificate.

I know that there are certificates that support multiple domain names, but I opted to buy a second certificate. Maybe that was a mistake.

I didn't know if ROS would be happy with two private keys, so both certificates use the same private key.

I ftp'd the private key and the two certificates to the router. From Winbox, I clicked import and provided the passphrase.

Only the first certificate gets the "KR" symbols in the first column. The second certificate shows blank in the first column.

If I ftp them in the opposite order, whichever shows up first in the file window will get the "KR" and the other shows blank.

I also tried importing them one at a time. Regardless of which I import first, only the first one "installs". The second one just sits there.

Some questions:

1) Is it essential to have a certificate for each hotspot?
I don't see how I can share one, since each hotspot has its own subnet and the "IP of DNS name" must be unique on each hotspot.

2) If I need separate certificates, can they share a single private key?

3) Is there some special sequence of import I need to follow to make this work? I've tried cert1-key-cert2, cert1-cert2-key. I still only get one certificate to install properly.

4) If I need separate keys for each certificate, is there some special import sequence I need to follow to get both certificates to work?

I've searched the forum and wiki, but I can't find anyone using multiple certificates.

Thanks as always for anyone who can help!
 
fewi
Forum Guru

Re: multiple ssl certificate problem

Sat Jul 17, 2010 8:28 pm

> 2) If I need separate certificates, can they share a single private key?

I don't know. They should have separate keys, though, so that only one must be revoked if control of a key is lost.

> 3) Is there some special sequence of import I need to follow to make this work? I've tried cert1-key-cert2, cert1-cert2-key. I still only get one certificate to install properly.

I always do chain file, cert file, key file. But that's for single certs.

> 4) If I need separate keys for each certificate, is there some special import sequence I need to follow to get both certificates to work?

chain, cert, key should work for multiple sequences.

> 1) Is it essential to have a certificate for each hotspot?
> I don't see how I can share one, since each hotspot has its own subnet and the "IP of DNS name" must be unique on each hotspot.

That is not quite true. I run a minimum of 2 Hotspots on all routers. One interface is set up for outside (WAN), one is set up for inside (LAN) with an IP address 10.0.0.1/24, then there are two VLAN interfaces (one per Hotspot) on the inside interface with the appropriate IP addressing. Both Hotspots use 10.0.0.1 and the same DNS name (hotspot.example.com) with the same certificate. I permit DNS (udp/53) in the walled garden and add the following NAT rule:
/ip firewall nat
add chain=pre-hotspot action=accept protocol=udp dst-port=53
to keep the Hotspot servlets from consuming DNS requests. Then outside DNS (or the DNS caching resolver on the router, if you use that for clients) must be set up to resolve hotspot.example.com to 10.0.0.1.

That setup works fine for me. We chose it because it makes deployment of additional Hotspots on the routers dead simple.
 
dsobin
Member Candidate

Re: multiple ssl certificate problem

Sun Jul 18, 2010 7:11 am

That's an interesting way of doing things. As I understand your configuration, clients on both hotspots will share a single address space and share a single DNS server on the other side of the hotspot. Is that right?

I'm not sure I understand how the VLANs are configured. You say that each hotspot gets a VLAN interface off of the LAN interface. Do they both have the same VLAN tag? Where does the "other" end of the VLANs terminate? Is there a bridge in this config somewhere?

I always assumed that the interface assigned as the hotspot interface must have the IP address of the DNS of the hotspot. From your configuration, I guess that's not the case. What IP addresses are you assigning to the VLANs that are the hotspot interface? Are you assigning 10.0.0.1 to BOTH hotspot interfaces?

I need two hotspots because I'm serving two user communities and I need different profiles for each. I always assumed I needed to give each a separate address space, but I guess it doesn't really matter if they both share 10.0.0.0/24.

If you could provide a little more detail to answer my questions above, maybe I can avoid using two certificates.

Also, thanks for the quick response!
 
fewi
Forum Guru

Re: multiple ssl certificate problem

Sun Jul 18, 2010 7:21 am

No, the IP addressing on the two Hotspots is different, and they are in fact prevented by additional firewall rules from talking to one another.

outside - 1.1.1.2/30
inside - 10.0.0.1/24
hotspot1 - 10.2.0.1/24 (vlan tied to 'inside' physical interface, vlan-id 2)
hotspot2 - 10.3.0.1/24 (vlan tied to 'inside' physical interface, vlan-id 3)

You can set up hotspots on the hotspot1 and hotspot2 interfaces and set the hotspot DNS name to hotspot.example.com (which resolves to 10.0.0.1) and set the IP address of the hotspot to 10.0.0.1. I use external DNS servers (we have high-performance, redundant DNS farms) and don't use the built-in resolver at all, and that is set to resolve that way.

The important piece is to bypass the Hotspot DNS NAT redirect using the rules I described. The Hotspot servlets will cause infinite redirects if you let them grab that traffic - but if you pass DNS right through, any IP address that belongs to the router will work OK. You might lose some functionality that way that I'm not aware of - I don't use all the features (universal NAT, advertising) - but, though untested, I would think they still work anyway.
 
dsobin
Member Candidate

Re: multiple ssl certificate problem

Sun Jul 18, 2010 7:00 pm

Well, after a good night's sleep, I figured out on my own that's what you meant. It seems too simple.

I'm going to give your configuration a try. I still can't get both SSL certs to install. No matter what I try, only the first one imported will be recognized. The second certificate cost only $13 at GoDaddy, so I'm not too worried if I can't use it.

If anyone reading this post has successfully and recently (ROS 4.10) installed two or more certificates, I'd still like to hear from you.
 
fewi
Forum Guru

Re: multiple ssl certificate problem

Sun Jul 18, 2010 8:00 pm

I just ran some quick tests with a private OpenSSL CA - I cannot get RouterOS to decrypt two certificates tied to the same private key. Two certificates with separate private keys work just fine.

So it appears that if you do need two certificates, you'll have to get your second one re-signed with a new private key. Pretty much any CA should be able to do that since it's the same procedure you'd go through if you lost control of a private key and needed to revoke and re-issue.
 
dsobin
Member Candidate

Re: multiple ssl certificate problem

Sun Jul 18, 2010 8:10 pm

Thanks for trying that out for me! I appreciate it!

I'll get the second cert re-keyed. If your suggested multi-hotspot configuration works out for me, I won't really need it, but I paid all of $13 for it and I should at least give it a try.

Where are you located? You seem to be online 24 hours/day!
 
fewi
Forum Guru

Re: multiple ssl certificate problem

Sun Jul 18, 2010 8:18 pm

No worries, I was curious, and it only took five minutes to test.

Las Vegas - we just seem to be checking the forum at the same time.
 
dsobin
Member Candidate

Re: multiple ssl certificate problem

Mon Aug 02, 2010 11:29 pm

After re-keying the second cert to a different key, I can now get both certs to decrypt. I'm using the sequence cert1-chain-key1, decrypt, cert2-chain-key2, decrypt.

However, I think I won't be needing the second certificate, since I'm now using your suggested configuration to have multiple hotspots share a single certificate.

Also, I found that it worked just fine without the extra nat entry for DNS and without putting DNS into the walled garden. The hotspot seems to pass DNS requests through without complaint.

I have the dhcp-server providing the IP address of the shared IP of the two hotspots as the DNS address. I'm using the internal resolver with "allow-remote-requests" checked. Perhaps if I was using an external resolver I'd need to allow port 53 as you described.

This is working perfectly with just one certificate. One oddity is that when I enable the second hotspot, it won't start up in https mode (i.e. I don't get the 'S' in column 1 of winbox). To get around this, I set the certificate to none in the server profile and click apply. Then set it back to cert1 and hit apply again. It then starts up in https mode. It doesn't matter which one I enable first. The first hotspot to be enabled comes right up. The second needs to have the 'trick' applied to get it to start. Once enabled, they both work fine.

This configuration was a great suggestion. I'm looking forward to using it in other locations.
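A RouterOS configuration that puts fewi's layout (two hotspot VLANs on the 'inside' interface, one hotspot address and DNS name, one certificate, the pre-hotspot DNS bypass) together with dsobin's resolver setup from the post above. This is an added example, not either poster's actual export; the DHCP servers and their pool ranges, the profile name, the login methods and the inter-hotspot drop rules are assumed.

```routeros
# Added example, not an export from the thread: two hotspots on VLANs off
# 'inside', sharing hotspot address 10.0.0.1, name hotspot.example.com and
# certificate "cert1". Pools, DHCP, profile name and drop rules are assumed.
/interface vlan
add name=hotspot1 interface=inside vlan-id=2
add name=hotspot2 interface=inside vlan-id=3
/ip address
add address=10.0.0.1/24 interface=inside
add address=10.2.0.1/24 interface=hotspot1
add address=10.3.0.1/24 interface=hotspot2
/ip pool
add name=hs1-pool ranges=10.2.0.10-10.2.0.254
add name=hs2-pool ranges=10.3.0.10-10.3.0.254
# One DHCP server per hotspot VLAN; clients get the shared address as resolver
/ip dhcp-server
add name=dhcp-hs1 interface=hotspot1 address-pool=hs1-pool disabled=no
add name=dhcp-hs2 interface=hotspot2 address-pool=hs2-pool disabled=no
/ip dhcp-server network
add address=10.2.0.0/24 gateway=10.2.0.1 dns-server=10.0.0.1
add address=10.3.0.0/24 gateway=10.3.0.1 dns-server=10.0.0.1
# The router's own resolver answers clients and maps the shared name to 10.0.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add name=hotspot.example.com address=10.0.0.1
# One profile, so both servers present the same name and the same certificate
/ip hotspot profile
add name=shared-hsprof hotspot-address=10.0.0.1 dns-name=hotspot.example.com login-by=http-chap,https ssl-certificate=cert1
/ip hotspot
add name=hotspot1 interface=hotspot1 address-pool=hs1-pool profile=shared-hsprof
add name=hotspot2 interface=hotspot2 address-pool=hs2-pool profile=shared-hsprof
# fewi's bypass: accept DNS before the hotspot's dynamic redirect rules see it
/ip hotspot walled-garden ip
add action=accept protocol=udp dst-port=53
/ip firewall nat
add chain=pre-hotspot action=accept protocol=udp dst-port=53 comment="bypass hotspot DNS redirect"
# Keep the two client populations from reaching each other
/ip firewall filter
add chain=forward in-interface=hotspot1 out-interface=hotspot2 action=drop
add chain=forward in-interface=hotspot2 out-interface=hotspot1 action=drop
```

dsobin reports the walled-garden and pre-hotspot DNS entries were not needed with the internal resolver; they are kept here because fewi's external-resolver setup relies on them.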
