MikroTik

All - I've been reading threads and Wiki's for the past 2 days and just cannot find how to install a legitimate SSL certificate onto a RB750GL router. I believe it has to do with the creating/installation of the KEY file. I'm currently running v6.19 - it has been a stable load for me but I'm willing to upgrade if necessary. The network solution I'm deploying is using the RB750 as a Hotspot server for unauthorized wireless clients (on a specific VLAN) which are redirected to an external portal page for credentials and authentication. I have it working great for users with regular HTTP default browser page, but I want to enable HTTPS on the Hotspot service so that it will also accept and redirect clients that have HTTPS as a default browser homepage. I'm well aware of the issue of redirecting a user expecting a signed HTTPS certificate say from Google to a different, but fully verified Hotspot server (I expect the client to see the SSL Warning page - but they can then proceed to the different site which is the Mikrotik Hotspot page).

I ordered a certificate from Comodo, and when I couldn't get that to work correctly I ordered another certificate from RapidSSL, but got the same results. What I feel may be the problem is that after I do the CSR creation via > /certificate create-certificate-request template=MKtemplate key-passphrase=passphrase123 I created the MKtemplate with all the proper options populated including the common-name being set to a real subdomain name that my company owns. Now when I do this I get the CSR = certificate-request.pem it also creates a key file named certificate-request_key.pem

The Certificate Authorities do not request my key file. The CSR I created is validated by them and they issue me my real SSL certificates. I upload them to the RB750 and then IMPORT them via the /Certificates menu, but the actual SSL certificate (not intermediates) imports with the LT flag, but I believe it needs to be KLT - is this correct??? When I try to import the key file either as its original format as certificate-request_key.pem, it doesn't apply. If I change it to a new file as "SSLkey.key" file, that doesn't import either. Or am I wrong and I don't need to import the key file? I just have not been able to correctly key word the search engine to find the answer here on the forums....LOTS of if I create my own certificate via a Linux machine using openssl tools.......but I'm not creating my own - I'm trying to install a legit CA one.

If I try the Hotspot with these certificates from Comodo or RapidSSL, and enable HTTPS on the Hotspot server and enable www-ssl under /IP/Services, I get invalid SSL message from clients even on a HTTP homepage. Firefox browsers give me the SSLv3 vulnerability error message and I can't even continue further.

Need to fix this today. Sorry if the answer is right under my nose. Thanks for the guidance to fix this in advance!

David

Have you tried giving the CA just the "_key.pem" file instead of just the non "_key.pem" file? Does it error or what?

Also, doesn't the CA's site have their own form for making certificate requests that would then be signed? If they do, I'd suggest you use that, instead of creating your own CSR.

Or maybe make the CSR with OpenSSL instead... Basically, do those same procedures, minus the signing part, which you'd leave to the CA.

Thanks boen-robot for the inputs. All the CA providers I've been to require you to input the actual CSR of the server you need the certificate for - they do not have any tools to create a CSR for my device that I saw. I am pretty certain the _key.pem file if used as the CSR would fail (you can verify this on the sslchecker web tools).

I ordered a RapidSSL certificate for a Mikrotik today and here are the steps I took so hope this helps.

/certificate add name=ssl-template common-name=ssl.example.com key-size=2048 organization="Example" state=CA country=US

/certificate create-certificate-request template=ssl-template key-passphrase=password

- this created 2 files that are important
certificate-request_key.pem
certificate-request.pem

FTP the copy of certificate-request.pem to your local machine. Open and this is what you will provide RapidSSL. Once you complete the autorization steps and receive the certificate file, upload it to your router.

/certificate import file-name=nameOfCertificate.crt passphrase=password

now when I do certificate print I have the LT flags like you do, so I think this next step is the one you missed.

/certificate import file-name=certificate-request_key.pem

Now I have the KLT flags

I have the same problem,
I have purchased COMODO SSL, Installation has beet complete, Now I have KLT flag
but when user try to open any https://anyDomain.com through Hotspot, that face the red message...

Resurrecting this SSL certificate thread due to needing to renew my (real) SSL certificate for my Mikrotiks. It has been a year with success using a RapidSSL cert, but now have created a new one with 3-year duration and used a PositiveSSL from Comodo. This cert package includes four certificates: the main certificate, a Root cert and two Intermediate certs. You can essentially follow mfarris' steps below to install them, but with one modification/correction to get the primary certificate to be key verified (the "K" label will show on the initial "LT" status label): I had to also include my password when I imported my ...key.pem file:

/certificate import file-name=certificate-request_key.pem key-passphrase=password

Cheers,
David

I ordered a RapidSSL certificate for a Mikrotik today and here are the steps I took so hope this helps.

/certificate add name=ssl-template common-name=ssl.example.com key-size=2048 organization="Example" state=CA country=US

/certificate create-certificate-request template=ssl-template key-passphrase=password

- this created 2 files that are important
certificate-request_key.pem
certificate-request.pem

FTP the copy of certificate-request.pem to your local machine. Open and this is what you will provide RapidSSL. Once you complete the autorization steps and receive the certificate file, upload it to your router.

/certificate import file-name=nameOfCertificate.crt passphrase=password

now when I do certificate print I have the LT flags like you do, so I think this next step is the one you missed.

/certificate import file-name=certificate-request_key.pem

Now I have the KLT flags

Hi,
Did you manage to resolve this issue. I'm having the same issue at moment. TQ

I have the same problem,
I have purchased COMODO SSL, Installation has beet complete, Now I have KLT flag
but when user try to open any https://anyDomain.com through Hotspot, that face the red message...

I have the same problem whit comodo ssl

Hello,
for me the final solution with my comodo certificate was to add the address of the comodo certificate server in the wall garden:
allow *.comodoca.com
hope this will help
Best regards