Mikrotik expired certificate with OpenVPN

Last modified by XWikiGuest on 12/28/2018

Mar 22 2017

Did your OpenVPN / Mikrotik certificates (both CA and client certs) expire?  It turns out they were only good for one year!

The default duration for these VPN certificates, and Certificate Authority, is 365 days.  My OpenVPN VPN client quit working recently (it appears stuck in a loop retrying the connection and authentication process).  Oops.

The fix is to remove and re-create, then distribute, new Certificates for the OpenVPN Clients.  We must first remove keys and certificates for the Mikrotik CA, Server and Clients'.  If there is a simpler way, please shoot me a note below in the comments.

First, log in to your router with ssh and remove the old client certificates, server certificate and the certificate authority entries:

remove 2
remove 1
remove 0

Then, add back a new, 2-year duration Certificate Authority:

add name=CA2017 common-name=CA2017 key-usage=key-cert-sign,crl-sign days-valid=730
sign CA2017 ca-crl-host= name=CA2017

Update your OpenVPN configuration to use the new CA:

/interface ovpn-server server set certificate=CA2017

Next, create a new 2-year server certificate:

add name=server common-name=server days-valid=730
sign server ca=CA2017 name=server

Finish up on the router by creating a new 2-year client certificate for each client:

add name=client1 common-name=server days-valid=730
sign client1 ca=CA2017 name=client1

add name=client2 common-name=server days-valid=730
sign client2 ca=CA2017 name=client2

The certificates must be exported from the router and downloaded to your PC or laptop for dissemination.  Export from the command line, then visit the admin website or use sftp to retrieve the certificate files.

export-certificate export-passphrase=mysecret CA2017
export-certificate export-passphrase=mysecret client1
export-certificate export-passphrase=mysecret client2

From the Files section of the Mikrotik Web GUI you should see:


We can now move over to your client's .ovpn file and substitute new CA and client keys and certificates.  For this procedure we refer you back to the OpenVPN Client Configuration section of last year's blog post.  The .crt files can be inserted/substituted in your per-client .ovpn file as-is.  The .key file must be decrypted with your chosen export-passphrase thusly:

openssl rsa -in cert_export_client1.key -text

Hope this cures your issue and my apologies for being short-sighted on my original post.  I'm up to RouterOS version 6.41.3 on this end for this solution / workaround (updated 3/28/2018).

Created by Quentin Conner on 03/22/2017
This website content is not licensed to you. All rights reserved.
XWiki Enterprise 9.11.1 - Documentation