Blog Archive

Last modified by Administrator on 04/21/2011

Blog posts for March 2017

Mikrotik expired certificate with OpenVPN

Did your OpenVPN / Mikrotik certificates (both CA and client certs) expire?  It turns out they were only good for one year!

The default duration for these VPN certificates, and Certificate Authority, is 365 days.  My OpenVPN VPN client quit working recently (it appears stuck in a loop retrying the connection and authentication process).  Oops.

The fix is to remove the old certificates, create new ones, and distribute new client certificates to the OpenVPN clients.  Before that, the Mikrotik VPN server and CA keys and certificates must themselves be removed and re-created.  If there is a simpler way, please shoot me a note.

First, log in to your router with ssh and remove the old client certificates, server certificate and the certificate authority entries:

/certificate
print
remove 2
remove 1
remove 0

Then, add back a new, 2-year duration Certificate Authority:

add name=CA2017 common-name=CA2017 key-usage=key-cert-sign,crl-sign days-valid=730
sign CA2017 ca-crl-host=192.168.1.1 name=CA2017

Next, finish up on the router by creating new 2-year certificates signed by the new CA.  The server certificate is shown; each client certificate (client1, client2, ...) is created the same way:

add name=server common-name=server days-valid=730
sign server ca=CA2017 name=server

The certificates must be exported from the router and downloaded to your PC or laptop for dissemination.  Export from the command line, then visit the admin website http://192.168.1.1/ or use sftp to retrieve the certificate files.  The export-passphrase encrypts the exported private keys; the exported files stay in the router's Files area until you delete them, so remove them once they have been downloaded.

export-certificate export-passphrase=mysecret CA2017
export-certificate export-passphrase=mysecret client1
export-certificate export-passphrase=mysecret client2
...

From the Files section of the Mikrotik Web GUI you should see:

cert_export_client1.crt
cert_export_client1.key
cert_export_client2.crt
cert_export_client2.key
cert_export_CA2017.crt

We can now move over to your client's .ovpn file and substitute the new CA and client keys and certificates.  For this procedure we refer you back to the OpenVPN Client Configuration section of last year's blog post.  The .crt files can be inserted/substituted in your per-client .ovpn file as-is.  The .key file is exported encrypted with your chosen export-passphrase and must be decrypted first; openssl prompts for the passphrase and writes the plain PEM key to the output file, which is what goes into the .ovpn file (keep that file's permissions tight, since the key is now unprotected):

openssl rsa -in cert_export_client1.key -out client1.key
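As an added check that is not part of the original post: the script below reads the <ca> and <cert> blocks of an .ovpn profile and reports each certificate's notAfter date and days remaining, so a one-year default like the one that caused the retry loop above gets noticed before the client stops connecting. It uses only the Python standard library (a minimal DER walk pulls the Validity field out of each X.509 certificate, so the cryptography package is not required). The sample profile, its certificates, the remote line and the dates are all constructed for this example; the certificates are unsigned stand-ins that only share the real DER layout.

```python
"""Report the validity window of certificates embedded in an OpenVPN profile."""
import base64
import datetime as dt
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = dt.timezone.utc
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # only used to build the sample


def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield the TLVs directly inside a constructed value (SEQUENCE etc.)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(data, pos)
        yield tag, vstart, vend
        pos = vend


def cert_validity(der):
    """Return (notBefore, notAfter) as UTC datetimes from a DER-encoded X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    _, vstart, vend = fields[3]                       # serial, signature, issuer, validity
    times = []
    for tag, ts, te in _children(der, vstart, vend):
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
        times.append(dt.datetime.strptime(der[ts:te].decode("ascii"), fmt).replace(tzinfo=UTC))
    return times[0], times[1]


def ovpn_cert_status(profile_text, checked_on=None):
    """For each <ca>/<cert> block return (label, notAfter 'YYYY-MM-DD', days_left).

    checked_on is a 'YYYY-MM-DD' string (defaults to now); negative days_left means expired."""
    now = (dt.datetime.strptime(checked_on, "%Y-%m-%d").replace(tzinfo=UTC)
           if checked_on else dt.datetime.now(UTC))
    results = []
    for label in ("ca", "cert"):
        block = re.search(rf"<{label}>(.*?)</{label}>", profile_text, re.S)
        for pem in PEM_RE.findall(block.group(1)) if block else []:
            _, not_after = cert_validity(base64.b64decode("".join(pem.split())))
            results.append((label, not_after.strftime("%Y-%m-%d"), (not_after - now).days))
    return results


# --- constructed sample data (hypothetical, for the demonstration only) ---
def _der(tag, body):
    """Encode a DER TLV with short or two-byte long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes(2, "big") if n > 0xFF else bytes([n])
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(not_before, not_after):
    """Unsigned stand-in certificate with a real-shaped tbsCertificate and the given validity."""
    def time(d):                            # DER: UTCTime before 2050, GeneralizedTime from 2050
        return (_der(0x18, d.strftime("%Y%m%d%H%M%SZ").encode()) if d.year >= 2050
                else _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode()))
    alg = _der(0x30, _der(0x06, SHA256_RSA_OID))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),    # [0] version v3
        _der(0x02, b"\x01"),                # serialNumber
        alg,                                # signature algorithm
        _der(0x30, b""),                    # issuer (empty Name)
        _der(0x30, time(not_before) + time(not_after)),   # validity
        _der(0x30, b""),                    # subject
        _der(0x30, b""),                    # subjectPublicKeyInfo placeholder
    ]))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))   # + signatureAlgorithm + empty BIT STRING


def pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----"


def make_profile(issued_on, days_valid):
    """Constructed .ovpn with CA and client certs issued on issued_on for days_valid days."""
    issued = dt.datetime.strptime(issued_on, "%Y-%m-%d").replace(tzinfo=UTC)
    cert = pem(build_sample_cert(issued, issued + dt.timedelta(days=days_valid)))
    return "client\ndev tun\nremote 192.168.1.1 1194\n<ca>\n%s\n</ca>\n<cert>\n%s\n</cert>\n" % (cert, cert)


SAMPLE_OVPN = make_profile("2016-03-01", 365)   # the 365-day default that caused the outage

if __name__ == "__main__":
    for label, not_after, days in ovpn_cert_status(SAMPLE_OVPN, "2017-03-15"):
        state = "EXPIRED" if days < 0 else ("expiring soon" if days < 30 else "ok")
        print(f"<{label}> notAfter={not_after} days_left={days} {state}")
```

Run it against a real profile with `ovpn_cert_status(open("client1.ovpn").read())`; scheduling that check with a 30-day warning is enough to turn a surprise retry loop into a planned renewal.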

Hope this cures your issue and my apologies for being short-sighted on my original post.  I'm up to RouterOS version 6.38.1 on this end for this solution / workaround.

Created by Administrator on 07/09/2013
