From version 4.1
edited by Quentin Conner
on 03/23/2017
To version 5.1
edited by Quentin Conner
on 03/28/2018
Change comment: There is no comment for this version

Summary

Details

Blog.BlogPostClass[0]
Content
... ... @@ -3,8 +3,9 @@
3 3  The default duration for these VPN certificates, and Certificate Authority, is 365 days. My OpenVPN VPN client quit working recently (it appears stuck in a loop retrying the connection and authentication process). Oops.
4 4  
5 5  
6 -The fix is to remove and re-create and distribute new Certificates for the OpenVPN Clients. We must first remove and re-create the Mikrotik VPN server and CA keys and certificates. If there is a simpler way, please shoot me a note.
6 +The fix is to remove and re-create, then distribute, new Certificates for the OpenVPN Clients. We must first remove keys and certificates for the Mikrotik CA, Server and Clients'. If there is a simpler way, please shoot me a note below in the comments.
7 7  
8 +
8 8  First, log in to your router with ssh and remove the old client certificates, server certificate and the certificate authority entries:
9 9  
10 10  {{code}}
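Review bot: The new sentence "We must first remove keys and certificates for the Mikrotik CA, Server and Clients'." carries a stray trailing apostrophe on "Clients'"; suggest "the Mikrotik CA, server and clients." Also, since the following step deletes all three entry types at once, it would help the reader to state here that the server and client certificates become invalid the moment the CA entry is removed, so the reissue steps below must be completed in one sitting before VPN access is restored.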
... ... @@ -16,6 +16,7 @@
16 16  
17 17  {{/code}}
18 18  
20 +
19 19  Then, add back a new, 2-year duration Certificate Authority:
20 20  
21 21  {{code}}
... ... @@ -23,13 +23,33 @@
23 23  sign CA2017 ca-crl-host=192.168.1.1 name=CA2017
24 24  {{/code}}
25 25  
26 -Next, finish up on the router by creating new 2-year client certificates:
27 27  
29 +Update your OpenVPN configuration to use the new CA:
30 +
28 28  {{code}}
32 +/interface ovpn-server server set certificate=CA2017
33 +{{/code}}
34 +
35 +
36 +Next, create a new 2-year server certificate:
37 +
38 +{{code}}
29 29  add name=server common-name=server days-valid=730
30 30  sign server ca=CA2017 name=server
31 31  {{/code}}
32 32  
43 +
44 +Finish up on the router by creating a new 2-year client certificate for each client:
45 +
46 +{{code}}
47 +add name=client1 common-name=server days-valid=730
48 +sign client1 ca=CA2017 name=client1
49 +
50 +add name=client2 common-name=server days-valid=730
51 +sign client2 ca=CA2017 name=client2
52 +{{/code}}
53 +
54 +
33 33  The certificates must be exported from the router and downloaded to your PC or laptop for dissemination. Export from the command line, then visit the admin website http:~/~/192.168.1.1/ or use sftp to retrieve the certificate files.
34 34  
35 35  {{code}}
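Review bot: The line `/interface ovpn-server server set certificate=CA2017` points the OpenVPN server at the CA certificate rather than at a server certificate, and it is placed before `add name=server ... days-valid=730` / `sign server ca=CA2017 name=server` even exist. The server should present the certificate signed by the CA, so suggest moving this step after the server certificate is signed and changing it to `set certificate=server`. In the same hunk, both client entries are created with `common-name=server` (`add name=client1 common-name=server days-valid=730` and likewise for client2), which looks like a copy-paste slip; each client should carry its own common name (`common-name=client1`, `common-name=client2`) so the two clients are distinguishable from each other and from the server in the VPN logs and in any CN-based checks. Finally, the note above this hunk says the CA is "2-year", but the `add` line for CA2017 is outside the visible context, so the 730-day value for the CA cannot be confirmed here.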
... ... @@ -55,4 +55,4 @@
55 55  (% style="font-size: 14px;" %){{code}}openssl rsa -in cert_export_client1.key -text{{/code}}
56 56  
57 57  
58 -Hope this cures your issue and my apologies for being short-sighted on my original post. I'm up to RouterOS version 6.38.1 on this end for this solution / workaround.
80 +Hope this cures your issue and my apologies for being short-sighted on my original post. I'm up to RouterOS version 6.41.3 on this end for this solution / workaround (updated 3/28/2018).