Mar 22 2017

Did your OpenVPN / Mikrotik certificates (both CA and client certs) expire?  It turns out they were only good for one year!

The default duration for these VPN certificates, and Certificate Authority, is 365 days.  My OpenVPN VPN client quit working recently (it appears stuck in a loop retrying the connection and authentication process).  Oops.

The fix is to remove the expired certificates, re-create them, and distribute the new client certificates to the OpenVPN clients.  The Mikrotik VPN server and CA keys and certificates must be removed and re-created first, since the client certificates are signed by the CA.  If there is a simpler way, please shoot me a note.

First, log in to your router with ssh, enter the /certificate menu, and remove the old client certificates, server certificate and the certificate authority entries (the numbers are the entries' positions in the certificate list; check them with print before removing):

remove 2
remove 1
remove 0

Then, add back a new, 2-year duration Certificate Authority:

add name=CA2017 common-name=CA2017 key-usage=key-cert-sign,crl-sign days-valid=730
sign CA2017 ca-crl-host= name=CA2017

Next, finish up on the router by creating new 2-year server and client certificates signed by the new CA (the server certificate is shown; client1 and client2 are created and signed the same way):

add name=server common-name=server days-valid=730
sign server ca=CA2017 name=server

The certificates must be exported from the router and downloaded to your PC or laptop for dissemination.  Export from the command line, then visit the admin website or use sftp to retrieve the certificate files.

export-certificate export-passphrase=mysecret CA2017
export-certificate export-passphrase=mysecret client1
export-certificate export-passphrase=mysecret client2

From the Files section of the Mikrotik Web GUI you should see:


We can now move over to your client's .ovpn file and substitute the new CA and client keys and certificates.  For this procedure we refer you back to the OpenVPN Client Configuration section of last year's blog post.  The .crt files can be inserted/substituted in your per-client .ovpn file as-is.  The .key file must be decrypted with your chosen export-passphrase (openssl prompts for it and prints the unencrypted key, which is what goes into the .ovpn) thusly:

openssl rsa -in cert_export_client1.key -text
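Since the whole problem was a lifetime nobody was watching, here is an added example (not from the original post, and not a RouterOS feature) that checks the exported .crt files, and the copy pasted inline into a client .ovpn, against a 30-day renewal threshold. It assumes openssl is on the PATH; the threshold and the file names are assumptions, and the certificates it checks are throwaway self-signed ones it generates itself.

```shell
#!/bin/sh
# Added example, not from the original post: check how close the exported RouterOS
# certificates (and the copies pasted into a client .ovpn) are to expiry, so a
# 365- or 730-day lifetime is noticed before the VPN client starts looping.
# Assumes openssl on the PATH; the 30-day threshold and file names are assumptions.

WARN_DAYS=30

# Succeed (0) if the PEM certificate in $1 is still valid WARN_DAYS from now,
# fail (1) if it expires sooner or has already expired.  -checkend does the
# date arithmetic inside openssl, so this needs no GNU date.
cert_ok() {
    openssl x509 -in "$1" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1
}

# Copy the inline <ca>...</ca> or <cert>...</cert> block ($2 = ca or cert)
# from the .ovpn in $1 into $3, so it can be checked like an exported .crt.
extract_inline() {
    sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d' > "$3"
}

# One line per certificate; the return value is the number needing renewal.
report() {
    fails=0
    for f in "$@"; do
        if cert_ok "$f"; then
            printf '%-40s ok, valid for more than %d days\n' "$f" "$WARN_DAYS"
        else
            printf '%-40s RENEW, expires within %d days or already expired\n' "$f" "$WARN_DAYS"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# --- constructed sample input: throwaway self-signed certs, not the router's ---
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj /CN=CA2017 \
    -keyout "$work/ca.key" -out "$work/cert_export_CA2017.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 5 -subj /CN=client1 \
    -keyout "$work/c1.key" -out "$work/cert_export_client1.crt" 2>/dev/null
# Minimal client1.ovpn with the client certificate pasted inline, as the post describes.
{ echo client; echo '<cert>'; cat "$work/cert_export_client1.crt"; echo '</cert>'; } > "$work/client1.ovpn"
extract_inline "$work/client1.ovpn" cert "$work/client1_inline.crt"
if report "$work/cert_export_CA2017.crt" "$work/cert_export_client1.crt" "$work/client1_inline.crt"; then
    echo "all certificates are fine"
else
    echo "$? certificate(s) need to be re-issued on the router"
fi
```

Run it from a cron job against the real cert_export_*.crt files and the per-client .ovpn files, and the 2-year CA2017 lifetime will not sneak up on you the way the 1-year default did.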

Hope this cures your issue and my apologies for being short-sighted on my original post.  I'm up to RouterOS version 6.38.1 on this end for this solution / workaround.

Created by Quentin Conner on 03/22/2017