# Certificates

RouterOS includes a built-in certificate manager under `/certificate` that handles the full PKI lifecycle: generating key pairs, self-signing or signing with a local CA, producing CSRs for external CAs, importing PEM and PKCS12 bundles, automatic renewal via ACME (Let’s Encrypt), and enterprise enrollment via SCEP. Certificates installed here are used by WebFig HTTPS, the REST API, SSTP VPN, Hotspot captive portal, WinBox TLS, DoH, and EAP-TLS wireless authentication.
## Certificate Store Overview

All certificates live under `/certificate`. Inspect what is installed with:

```routeros
/certificate print detail
```

### Certificate Flags

| Flag | Meaning |
|---|---|
| K | Has a local private key |
| A | Authority — a CA certificate |
| T | Trusted — included in the router’s trust store |
| L | Associated CRL entry present |
| I | Invalid (expired, revoked, or chain verification failed) |
| R | Revoked |
| E | Expired |
End-entity certificates used by TLS services must have the K flag (private key present). CA anchors used to validate peer certificates must have A and T flags set.
### Entry Types

| Type | Has Private Key (K) | Typical Use |
|---|---|---|
| End-entity certificate | Yes | TLS server identity (WebFig, SSTP, Hotspot) |
| CA / trust anchor | No | Validating peers (SSTP client, EAP, SCEP, DoH) |
## Creating a Local CA

Use a local CA when you control the client devices and can distribute the CA certificate into their trust stores — typical for internal infrastructure, VPNs, and lab environments.

### Create and Sign the Root CA

```routeros
/certificate
add name=local-ca common-name="Local CA" \
    key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
sign local-ca
set local-ca trusted=yes
```

`key-usage=key-cert-sign,crl-sign` marks this as a CA. Setting `trusted=yes` adds it to the router’s trust store so that services validating peer certificates against this CA accept what it has signed.
### Export the CA Certificate for Client Distribution

To install the CA into client trust stores, export it (without the private key):

```routeros
/certificate export-certificate local-ca
```

This creates `cert_export_local-ca.crt` in `/file`. Download it and install it in the trust store of every client that needs to trust certificates issued by this CA.

To export with the private key included (for backup or migration to another RouterOS device):

```routeros
/certificate export-certificate local-ca export-passphrase="strong-passphrase"
```

This creates two files in `/file`:

- `cert_export_local-ca.crt` — the certificate in PEM format
- `cert_export_local-ca.key` — the private key, PKCS#8 encrypted with the passphrase

RouterOS does not produce a PKCS12 (.p12) bundle. To create a .p12 for use with external tools, copy the exported .crt and .key files off the router and convert them with openssl:

```sh
openssl pkcs12 -export \
  -in cert_export_local-ca.crt \
  -inkey cert_export_local-ca.key \
  -passin pass:strong-passphrase \
  -out local-ca.p12 \
  -passout pass:strong-passphrase
```

## Generating and Signing Server Certificates
Section titled “Generating and Signing Server Certificates”Sign with the Local CA
Section titled “Sign with the Local CA”/certificateadd name=router-tls common-name=router.example.com \ subject-alt-name=DNS:router.example.com,IP:192.168.88.1 \ key-size=2048 days-valid=825 \ key-usage=digital-signature,key-encipherment,tls-serversign router-tls ca=local-caAlways include subject-alt-name with the hostname or IP used to connect. Modern browsers and TLS clients ignore the CN field and require a matching SAN entry.
### Using a Certificate from an External CA

RouterOS 7 does not generate CSR files natively. To use a certificate signed by a corporate or commercial CA, generate the private key and CSR on an external machine, have the CA sign it, then import both files into RouterOS.

Generate the key and CSR externally with OpenSSL:

```sh
openssl req -newkey rsa:2048 -nodes -keyout router.key \
  -out router.csr \
  -subj "/CN=router.example.com" \
  -addext "subjectAltName=DNS:router.example.com"
```

Submit `router.csr` to your CA. Once the CA returns the signed certificate (e.g. `router.crt`), upload both files to the router and import them:

```routeros
/certificate import file-name=router.crt
/certificate import file-name=router.key passphrase=""
```

Verify the K flag appears on the imported certificate (private key present), then bind it to services as shown in Binding Certificates to Services.
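Before uploading the returned certificate, the three things the router will check on import (key matches certificate, SAN present, not expired) can be confirmed offline with openssl. This is an added example, not RouterOS code or part of the original page; it assumes openssl 1.1.1 or newer on the workstation, and `demo-ca.*` is a constructed throwaway CA standing in for the external CA.

```shell
#!/bin/sh
# Added example (not RouterOS code): offline pre-upload checks for a key and
# CA-signed certificate. router.key/router.csr/router.crt follow the page;
# demo-ca.* stand in for the external CA and are constructed here.
set -eu
WORK=$(mktemp -d); cd "$WORK"
HOST=router.example.com

# Throwaway CA standing in for the corporate or commercial CA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout demo-ca.key \
  -out demo-ca.crt -days 3650 -subj "/CN=Demo CA" 2>/dev/null
# Key and CSR generated off-router, exactly as on the page.
openssl req -newkey rsa:2048 -nodes -keyout router.key -out router.csr \
  -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
# The CA returns router.crt; the SAN must be carried into the certificate.
printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
openssl x509 -req -in router.csr -CA demo-ca.crt -CAkey demo-ca.key \
  -CAcreateserial -days 825 -extfile san.ext -out router.crt 2>/dev/null

# 1. Key belongs to the certificate. RouterOS only attaches a key to a
#    certificate whose public key matches; otherwise "0 keys imported", no K.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}
# 2. SAN names the host clients will connect to (browsers ignore the CN).
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -q "DNS:$2"
}
# 3. Certificate is inside its validity period (would not get the E flag).
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

key_matches_cert router.crt router.key && echo "key/cert: match"
cert_has_san router.crt "$HOST"        && echo "SAN: DNS:$HOST present"
cert_not_expired router.crt            && echo "validity: ok"
```

Run the same three functions against the real `router.crt` and `router.key` before uploading; a key mismatch here is what later shows up as a missing K flag.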
### Key Parameters for /certificate add

| Parameter | Description |
|---|---|
| name | Internal reference name |
| common-name | CN field in the subject |
| subject-alt-name | SAN entries: DNS:host.example.com, IP:192.168.1.1 (comma-separated) |
| key-size | RSA key size in bits: 1024, 2048, 4096 — 2048 minimum recommended |
| days-valid | Validity period in days |
| key-usage | Comma-separated X.509 key usages (see table below) |
| country, state, locality, organization, unit | Optional subject DN fields |
### Common key-usage Values

| Value | Use |
|---|---|
key-cert-sign,crl-sign | CA certificate |
digital-signature,key-encipherment,tls-server | TLS server certificate |
digital-signature,key-encipherment,tls-client | TLS client certificate |
digital-signature | Code signing, general-purpose |
## Importing External Certificates

Use `/certificate import` to bring in certificates from external sources. The file must first be uploaded to the router via Drag & Drop in WinBox/WebFig, FTP, SCP, or `/tool fetch`.

### Import a CA Certificate (PEM)

```routeros
/certificate import file-name=my-ca.pem
```

Mark it as trusted so RouterOS validates peers against it:

```routeros
/certificate set my-ca trusted=yes
```

### Import a Certificate and Private Key (PKCS12)

```routeros
/certificate import file-name=router.p12 passphrase=secret
```

RouterOS imports the certificate and private key from the bundle. If the passphrase is wrong, the command succeeds but reports 0 keys imported — check the passphrase if the K flag does not appear after import.

### Import a PEM Certificate and Key as Separate Files

When the certificate and private key are in separate PEM files, import them individually — RouterOS automatically associates the key with the matching certificate:

```routeros
/certificate import file-name=router.crt
/certificate import file-name=router.key passphrase=""
```

### Verify the Import

```routeros
/certificate print detail where name=router-tls
```

Confirm:

- K flag is present on end-entity certificates (private key imported)
- A and T flags are present on CA anchors (trusted CA)
- No I or E flags (not invalid or expired)
## ACME / Let’s Encrypt

RouterOS 7 can obtain and automatically renew a certificate from Let’s Encrypt using the ACME HTTP-01 challenge, directly binding it to the www-ssl service.

### Requirements

- The router must have a public FQDN with DNS resolving to its WAN IP.
- Port 80 (HTTP) must be reachable from the internet — Let’s Encrypt sends the HTTP-01 challenge to `http://<dns-name>/.well-known/acme-challenge/`.
- The router must not be behind NAT without port 80 forwarded to it.
- The `www` service must be enabled: `/ip service enable www`.

### Issue the Certificate

```routeros
/certificate enable-ssl-certificate dns-name=router.example.com
```

RouterOS contacts the Let’s Encrypt ACME endpoint, completes the HTTP-01 challenge, downloads the signed certificate chain, and binds it to the www-ssl service automatically. The command takes up to 30 seconds.
### Test with the Staging Environment

Let’s Encrypt rate-limits production certificate issuance. Use the staging endpoint during setup and testing to avoid hitting limits:

```routeros
/certificate enable-ssl-certificate dns-name=router.example.com \
    directory-url=https://acme-staging-v02.api.letsencrypt.org/directory
```

Staging certificates are not browser-trusted, but they confirm the workflow is correct before switching to production.

### Verify

```routeros
/certificate print detail where name~"letsencrypt"
/ip service print where name=www-ssl
```

Renewal is automatic — RouterOS tracks the certificate expiry and renews it before it expires without manual intervention.

### Limitations

- Only the www-ssl service is updated automatically by this command. For other services (API, SSTP, Hotspot), manually bind the certificate after issuance.
- DNS-01 challenge is not supported. HTTP-01 requires port 80 to be publicly reachable.
- Air-gapped or NAT-only routers without inbound port 80 cannot use this method.
- Only one certificate per router via this command (single FQDN).
## Binding Certificates to Services

Once a certificate with a private key (K flag) is in the store, assign it to services.

### WebFig HTTPS and REST API

```routeros
/ip service set www-ssl certificate=router-tls disabled=no tls-version=only-1.2
/ip service set api-ssl certificate=router-tls disabled=no tls-version=only-1.2
```

Optionally disable plaintext access:

```routeros
/ip service disable www,api,telnet,ftp
```

### SSTP VPN Server

```routeros
/interface sstp-server server set certificate=router-tls enabled=yes
```

SSTP clients with `verify-server-certificate=yes` validate the full chain, so the signing CA must be in the client’s trust store.

### Hotspot Captive Portal

```routeros
/ip hotspot profile set default ssl-certificate=router-tls login-by=https,http-pap
```

### DNS over HTTPS (DoH)

DoH uses the router’s trust store to verify the upstream DoH server certificate. Import and trust the relevant CA, then enable verification:

```routeros
/certificate import file-name=doh-ca.pem
/certificate set doh-ca trusted=yes
/ip dns set use-doh-server="https://dns.example.com/dns-query" verify-doh-cert=yes
```

## SCEP Server — Automatic Certificate Enrollment for Network Devices
SCEP (Simple Certificate Enrollment Protocol) lets RouterOS act as a certificate enrollment server. Network devices (switches, APs, VPN clients) connect to the RouterOS SCEP endpoint, present a challenge, and receive a signed certificate from the local CA.

### Prerequisites

- A local CA certificate must exist (see Creating a Local CA).
- The `www` service must be enabled so SCEP clients can reach the HTTP endpoint:

```routeros
/ip service enable www
```

### Add a SCEP Server Entry

```routeros
/certificate scep-server
add ca-cert=local-ca path=/scep/
```

| Parameter | Description |
|---|---|
| ca-cert | The local CA certificate used to sign enrollment requests |
| path | URL path where the SCEP endpoint is exposed (e.g. /scep/) |
| days-valid | Validity period (in days) for certificates issued via this endpoint |
| request-lifetime | How long a pending enrollment request remains valid (default 1h) |
| next-ca-cert | Optional next CA certificate for CA rollover scenarios |

The entry is disabled by default. Enable it:

```routeros
/certificate scep-server enable 0
```

### SCEP Client Connection

SCEP clients enroll by connecting to:

```
http://<router-address><path>
```

For example, with `path=/scep/` and the router at 192.168.88.1:

```
http://192.168.88.1/scep/
```

Configure the SCEP URL in the client device’s certificate enrollment settings and point it at this address with the local CA’s fingerprint for validation.

### Monitor Enrollments

```routeros
/certificate scep-server print detail
/log print where message~"scep"
```

## Trust Store Management
RouterOS validates peer certificates (SSTP clients, EAP, DoH, fetch with TLS) against all certificates with `trusted=yes`. To add a CA:

```routeros
/certificate import file-name=corp-ca.pem
/certificate set corp-ca trusted=yes
```

To enable CRL checking so revoked certificates are rejected:

```routeros
/certificate settings set crl-use=yes
```

## Certificate Renewal
### ACME / Let’s Encrypt — Automatic

RouterOS renews Let’s Encrypt certificates automatically. No manual steps are required. Renewal begins before expiry; the 90-day validity means renewal runs roughly every 60 days. Monitor with:

```routeros
/certificate print detail where name~"letsencrypt"
/log print where message~"acme\|letsencrypt"
```

If automatic renewal fails, re-run the issuance command. Ensure port 80 is still reachable from the internet before doing so.

### SCEP — Client-Driven Renewal

Certificates issued via the SCEP server are renewed by the enrolling client device before expiry. The `days-valid` and `request-lifetime` settings on the SCEP server entry control issued certificate lifetime. Monitor the server side with:

```routeros
/certificate scep-server print detail
/log print where message~"scep"
```

### Self-Signed Certificates — Manual Rotation

Self-signed certificates do not renew automatically. Rotate them before they expire (E flag appears):
```routeros
# Find expiring certificates
/certificate print where expired
/certificate print detail where name=router-tls
```

To renew, create a new certificate signed by the same CA, bind it to services, then remove the old one:

```routeros
# Issue a new certificate
/certificate
add name=router-tls-new common-name=router.example.com \
    subject-alt-name=DNS:router.example.com,IP:192.168.88.1 \
    key-size=2048 days-valid=825 \
    key-usage=digital-signature,key-encipherment,tls-server
sign router-tls-new ca=local-ca

# Re-bind services to the new certificate
/ip service set www-ssl certificate=router-tls-new
/ip service set api-ssl certificate=router-tls-new
/interface sstp-server server set certificate=router-tls-new

# Remove the old certificate
/certificate remove router-tls
/certificate set router-tls-new name=router-tls
```

Renewing the CA itself requires replacing every certificate it signed — stagger CA expiry well beyond server certificate lifetimes (e.g. CA at 10 years, server certs at 825 days).
### Imported Certificates — Re-import

For certificates issued by an external or commercial CA, obtain the renewed certificate from the CA, upload it to the router, then re-import and re-bind:

```routeros
# Upload renewed cert via WinBox/Files or SCP, then:
/certificate import file-name=router-new.p12 passphrase=secret

# Confirm K flag present
/certificate print detail where name~"router-new"

# Re-bind services
/ip service set www-ssl certificate=router-new
/ip service set api-ssl certificate=router-new

# Remove old cert
/certificate remove router-old
```

## Troubleshooting
### Certificate Not Accepted by Browser

Browsers require a SAN entry matching the hostname. The CN field is ignored. Verify with:

```routeros
/certificate print detail where name=router-tls
```

If `subject-alt-name` is missing or wrong, regenerate the certificate with the correct SAN before re-assigning it to the service.

### Let’s Encrypt Challenge Fails

Verify port 80 is reachable from the internet and DNS resolves correctly:

```routeros
/tool fetch url="http://router.example.com/"
```

If a firewall rule blocks inbound HTTP on the WAN interface, add a temporary accept rule before running `enable-ssl-certificate`.

### Import Shows 0 Keys Imported

For PKCS12, the passphrase must match exactly — an empty passphrase requires `passphrase=""`. For separate PEM key files, the key must correspond to the previously imported certificate. Verify the file exists and is not zero bytes:

```routeros
/file print where name~"router"
```

### SCEP Enrollment Fails

```routeros
/log print where message~"scep"
/certificate scep-server print detail
```

Common causes: www service not enabled, SCEP server entry is disabled, `ca-cert` references a certificate without a private key, or the SCEP URL path does not match the configured path.

### Verify Certificate Chain

```routeros
/certificate print detail
```

Every certificate in the chain (end-entity → intermediate → root CA) must be present. The root CA must carry the T (trusted) flag. Missing intermediate CAs are the most common cause of SSTP and EAP-TLS handshake failures.
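The missing-intermediate failure above can be reproduced offline with openssl to see exactly what a peer's verifier reports. This is an added example, not RouterOS code or part of the original page; the root, intermediate and server certificates are all constructed here, and openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not RouterOS code): shows why a server certificate that
# verifies with its full chain fails when only the root CA is trusted.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'subjectAltName=DNS:router.example.com\nextendedKeyUsage=serverAuth\n' > srv.ext

# Root CA: the trust anchor that would carry the A and T flags on the router.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -days 3650 -subj "/CN=Demo Root" 2>/dev/null
# Intermediate CA, signed by the root (constructed).
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out inter.crt 2>/dev/null
# End-entity server certificate, signed by the intermediate (constructed).
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=router.example.com" 2>/dev/null
openssl x509 -req -in srv.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 825 -extfile srv.ext -out srv.crt 2>/dev/null

# A peer trusting only the root cannot build the chain without the intermediate.
verify_root_only() { openssl verify -CAfile root.crt srv.crt >/dev/null 2>&1; }
# With the intermediate supplied (as the store or the handshake would), it passes.
verify_with_inter() {
  openssl verify -CAfile root.crt -untrusted inter.crt srv.crt >/dev/null 2>&1
}

verify_root_only && echo "root only: ok" || echo "root only: FAILS (intermediate missing)"
verify_with_inter && echo "root + intermediate: ok"
```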
### Expired Certificate

```routeros
/certificate print where expired
```

Certificates with the E flag are past their validity period. Renew or replace them and re-bind to affected services.
## See Also

- User Management and Hardening — securing management access with certificates
- SSTP VPN — server and client certificate configuration
- Hotspot — HTTPS captive portal setup
- DNS — DNS over HTTPS configuration