How to import certificates into Mikrotik RouterOS

We need certificates for specific VPN technologies, including Microsoft SSTP and OpenVPN tunnels. For small installations we will use our own private (self-signed) CA. The import procedure is the same regardless of how we obtained the certificates, from our own CA or from a third-party one.

The procedure described here is the same for any version of Mikrotik RouterOS from 3.30 to 6.36.3. We can work from the command line or from the WinBox GUI.


What do we need?

Our list of ingredients is very short. We need:

  • The CA root certificate (ca.crt in this example)
  • The device (server) certificate (server.crt)
  • The private key that belongs to the device certificate (server.key)


We never use the private key of the root CA here. It is the most sensitive file of the whole setup: whoever holds it can issue certificates that every client trusts, so it stays on the CA machine and is never copied to the router or shared with anyone. If we work with a third-party CA we never have access to it anyway.

We need to upload those files to the router. We can use the built-in file transfer of WinBox (drag the files into the Files window) or an FTP session with the router. Keep in mind that the key file is secret and plain FTP sends it in cleartext: on any network you do not fully trust, use SFTP or SCP over the router's SSH service, or the WinBox transfer in secure mode, and do not leave the key file in the router's storage once it has been imported.



Importing from the command line

If you prefer to work from the command line, or you are working over a slow link, you can finish the whole job with a few commands. In this example I will import the root CA certificate from the command line.

The command for importing certificates is:

certificate import file-name=certname.crt

where certname.crt is the name of the file we need to import. In our case that name is ca.crt, so our command is:

certificate import file-name=ca.crt

The router then asks for a passphrase. The passphrase is only needed for encrypted content, that is an encrypted private key (or a PKCS#12 bundle); a certificate by itself is public and is not encrypted, so for ca.crt we simply press Enter, or pass passphrase="" on the command line. The rest of the process is automatic.

03 - import ca cert from cmd line

However, if something is wrong (the format of the file or the passphrase), the import fails. Read the response carefully: it reports how many certificates and private keys were imported and how many decryption failures occurred. For ca.crt you should see one certificate imported and no decryption failures.

When you want to check the already installed certificates, type the following command:

certificate print

The router prints the list of all installed certificates. The output can be confusing because the columns are truncated to predefined widths.

04 - listing certificates

However, even such a poor view is enough when working with a small number of certificates.
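The whole command-line job in one place, as an added example that is not part of the original post. It assumes the three files were already uploaded to the root of the router's storage as ca.crt, server.crt and server.key, that only the key file is encrypted, a RouterOS 6.x command set, and that the generated certificate name follows the file-name, underscore, ordinal pattern (server.crt_0 is an assumed value; read it from the print output). The key passphrase is a placeholder.

```routeros
# Added example, not from the original post. Assumes ca.crt, server.crt and
# server.key are already in the router's root storage, only the key file is
# encrypted, and a RouterOS 6.x command set.

# 0. See what is on the router. Pick server.key, not server.csr: a signing
#    request is not a key and does nothing for the device certificate.
/file print

# 1. Root CA certificate: public data, nothing to decrypt, empty passphrase.
#    The reply should report one certificate imported and zero decryption failures.
/certificate import file-name=ca.crt passphrase=""

# 2. Device certificate first, then its key. The key attaches to the
#    certificate it belongs to, so the certificate must already exist.
/certificate import file-name=server.crt passphrase=""
/certificate import file-name=server.key passphrase="my-key-passphrase"
#    (placeholder passphrase; a wrong one is reported as a decryption failure,
#    not as an error, so read the counters)

# 3. Verify. The device certificate must now carry flag K (private key).
/certificate print
#    The detail view prints every field, including common-name, unwrapped.
/certificate print detail where name~"server"

# 4. Give the imported certificate a meaningful name. "server.crt_0" is the
#    generated name assumed here; use the one shown in step 3.
/certificate set [find name="server.crt_0"] name=sstp-server

# 5. If the key file is still listed in storage after the import, remove it.
/file remove [find name="server.key"]
```

Step 3 is the check that replaces reading the truncated table: a device certificate without the K flag, or an import reply with a non-zero decryption failure count, means the key was not imported and the passphrase (or the file) was wrong.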


Importing from the WinBox

We can use WinBox when we want to work more comfortably. It shows more details in the view and we can perform the whole operation through graphical dialogs.

Although on the command line we use the certificate command directly from the root menu, in WinBox it is found under the System menu.

05 - Sys certs

We see all the installed certificates when we open the Certificates window. In our example, we see the root CA certificate which we have just imported.

06 - WinBox Certificates

As you can see, more details are on display and we can adapt the column widths. The name of an imported certificate is always the file name, an underscore and an ordinal number. That means we can import more than one certificate from files with the same name and RouterOS will generate a different name for each of them.

Now we need to import the device certificate, server.crt in our example. Click the [ Import ] button and a new dialog window appears, with a drop-down list of all files found in the router's storage.

07 - Winbox certs select file 2 import

We choose our device certificate. Remember to import the certificate first and the key second: RouterOS attaches an imported key to the certificate it belongs to, so that certificate must already be there.

Before we go any further, I have a trick question for you. What is wrong with this screenshot? I will provide the answer later.

We chose our certificate from the list. If the file has no passphrase, just click the [ Import ] button.

08 - import server cert

However, if a passphrase is required and you did not provide it, there is no error message; the only result you see is the list in the main Certificates window. If our new certificate appears there, everything is fine; if it does not, repeat the import with the correct passphrase.

09 - WinBox certs imported certs

You should see all its parameters. The most important one is the Common Name, and it must be correct: SSTP clients compare the name they connect to against the certificate, so the Common Name must match the host name (or address) the clients will use. We already discussed that in the section about server certificates.

For the device to handle TLS it must also hold the private key that belongs to its certificate, so we need to import that as well. The procedure is the same as for the certificate file: choose the key file from the list, enter the passphrase and click the [ Import ] button.

10 - WinBox certs import key

Oh yes, the answer. I chose the wrong file in the first place. Instead of the key file (server.key) I chose the certificate signing request file (server.csr). A CSR is not a key, so importing it does nothing for the device certificate.

Again, if you did not provide the passphrase, the key will not be imported and there will be no error message. Check the list of certificates again.

11 - WinBox certs private cert decrypted

When the import of the private key succeeds, the certificate shows the letter K in the first column. The letter stands for private Key and indicates that the router now holds the key for this certificate.

We can check any certificate's details; just open it with a double click.

12 - WinBox certs cert details

We see all the details we provided during the creation process. Furthermore, we can assign a new name to it: the name is a free text field, so we can type something meaningful, for example the name of the service that will use the certificate, instead of the generated file name with an ordinal.


Using this certificate

We have our certificate imported and ready to be used. As mentioned at the beginning of this article, it serves several VPN technologies. I will quickly demonstrate how to associate the device certificate with the SSTP VPN server.

13 - Cert used with SSTP server

As you can see, we choose our server certificate from the drop-down list. After this step we import at least the root CA certificate into the trusted root store of the SSTP client machine, and then the SSTP VPN can be established between them.

For greater security we can build a larger CA infrastructure that also issues client-side certificates. The screenshot shows the option that forces verification of the client certificate, so that a client must present a certificate signed by our CA in addition to its username and password.
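The same association done from the command line, as an added example that is not part of the original post. It assumes the device certificate was imported and renamed to sstp-server (an assumed name; use whatever your certificate is called in certificate print), the RouterOS 6.x SSTP server menu, and that the root CA certificate which issued the client certificates is already imported on the router.

```routeros
# Added example, not from the original post. Assumes the device certificate is
# named sstp-server (assumed) and a RouterOS 6.x SSTP server.

# Bind the certificate and enable the server. force-aes and pfs restrict the
# TLS parameters the server accepts; mschap2 only keeps the weaker PAP/CHAP
# PPP authentication methods switched off.
/interface sstp-server server set enabled=yes certificate=sstp-server authentication=mschap2 force-aes=yes pfs=yes

# Stronger: every client must also present a certificate issued by the imported
# CA (the "Verify Client Certificate" checkbox in WinBox). A client that has only
# a username and password is refused.
/interface sstp-server server set verify-client-certificate=yes

# Confirm the running configuration
/interface sstp-server server print
```

Turn on verify-client-certificate only after every client has been issued a certificate from the same CA; otherwise the next connection attempt from an existing client fails at the TLS handshake, before any username is even sent.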

Stay tuned.
