How about some documentation?

Code: Select all

/certificate template> add
name: test
failure: At least one field specifying certificate name must be set!

Not a particularly helpful response.

I have problem to import certificate on 6.5 too.

and you get template wit common name lala

/certificate template add name=myTempl common-name=lala key-size=1024

and you get template with common name and key size...
and so on.

[admin@MikroTik] > /certificate template add name=myTempl common-name=lala key-size=1024
syntax error (line 1 column 51)
[admin@LinkSys] > 

and you get template wit common name lala

/certificate template add name=myTempl common-name=lala key-size=1024

and you get template with common name and key size...
and so on.

On 6.7 now and the template creation command no longer seems to work...

Very frustrating.

What's new in 6.7 (2013-Nov-29 13:37):
*) support Android usb tethering interface;
*) ipsec - added aes-gcm icv16 encryption mode;
*) wireless - improve rate selection for nstreme protocol
*) poe - new poe controller firmware for RB750UP and OmniTIK UPA;
*) ipsec - added aes-ctr encryption mode;
*) leds - inverted modem signal trigger, now it will trigger when the signal level rises above the treshold;
*) ipsec - added sha256 and sha512 support;
*) ipsec - proposal defaults changed to aes-128 and sha1 for both phase1 and phase2;
*) certificate - support ip, dns and email subject alternative names;
*) dhcpv4 server - added REMOTE_ID option variable for relayed packets;
*) ipsec - fix policy bypass on IPv6 gre, ipip, eoip tunnels when policy uses protocol filter;
*) userman - fix crash on tilera;
*) fixed hairpin nat on bridge with use-ip-firewall=yes;
*) fixed vlan on bridge after reboot having 00:00:00:00:00:00 mac address;
*) address-list - allow manually adding timeoutable entries;
*) address-list - show dynamic entry timeout;
*) fixed l2mtu changing on CCRs - could cause port flapping;
*) disabling/enabling ethernet ports did not work properly on CCRs - could cause port flapping;
*) fixed port flapping on CCR - could happen when having other than only-hardware-queue interface queue.
Note that having other interface queue than only-hardware-queue dramatically reduces performace, so should be avoided if possible;

What's new in 6.6 (2013-Nov-07 13:04):
*) winbox - fixed problem where all previous session opened windows were read only;
*) certificate - no more 'reset-certificate-cache' and 'decrypt' commands,
private keys can be decrypted only on 'import', use 'decrypt' before upgrade if needed;
*) fixed arp-reply only with more than one ip address on interface;
*) fixed RB400 not to reboot by watchdog during micro-sd format;
*) web proxy - fix SPDY server push handling;
*) certificate - merged '/certificate ca issued', '/certificate scep client' and
'/certificate templates' into '/certificate';
*) console - :foreach command can iterate over keys and values in an array,
by specifying two counter variables, e.g.:
:foreach k,v in=[/system clock get] do={:put "$k is $v"};
*) added support for new Intel 10Gb ethernet cards (82599);
*) certificates - fixed certificate import;
*) wireless - fixed crash when dfs was enabled on pre-n wireless cards;
*) fixed port flapping on CCR;

What's new in 6.5 (2013-Oct-16 15:32):
*) tftp - added data packet pipelining for read requests;
*) console - exported physical interface configuration uses 'default-name'
instead of item number to match relevant interface;
*) console - report all constituent errors for parameters with multiple
alternative value types;
*) certificates - merge '/certificate ca' into '/certificate', use set-ca-passphrase to maintain CA functionality;
*) lcd - backlight option is replaced with "/lcd backlight" command
*) dhcp server - added option to disable conflict-detection;
*) console - ':return' does not trigger 'on-error=' action of ':do' command;
*) route - fixed crash that could be triggered by change in nexthop
address resolution;
*) route - some imported VPNv4 routes were not using MPLS labels;
*) route - imported VPNv4 routes were not always updated or removed when
the original route changed;
*) winbox - fixed problem where all settings were read only on first open;
*) ovpn server - use only ciphers that are allowed not that client requested;
*) ssh client - fixed public key authentication;
*) ipsec - fix peer mathing with non byte aligned masks;
*) fix routerboot upgrading if RouterOS is partitioned;
*) add support for second serial port on CCR boards;
*) fix serial port baudrate selection on CCR boards;
*) ethernet interface stats that are behind switch chip
show real hw stats instead of just the traffic that goes through cpu;

This is how I solved this issue on RouterOS 6.9.

First, create a new certificate template (for the router with address host.foo.bar):

Code: Select all

/certificate add name=cert1 common-name=host.foo.bar key-size=2048 country=XX state=MyState locality=MyCity organization=foo.bar subject-alt-name=email:user@foo.bar

Create a certificate request based on the template:

Code: Select all

/certificate create-certificate-request
template: cert1
key-passphrase: ********

This creates certificate-request.pem file in the root directory, which you can submit to a CA.
Upload the *.cer file with the issued certificate to the root directory and run the following:

Code: Select all

/certificate import
passphrase: ********
     certificates-imported: 1
     private-keys-imported: 1
            files-imported: 2
       decryption-failures: 0
  keys-with-no-certificate: 0

Run the following command and note the name of the imported certificate (e.g. cert_5):

Code: Select all

/certificate print detail

Through web interface select the certificate:
IP → Services → www-ssl → Certificate: cert_5

-- rpr.