Certificate Management in RouterOS: A Complete Guide

Certificate Management in RouterOS: A Complete Guide

RouterOS Version: 7.x+ Difficulty: Intermediate Estimated Time: 45 minutes

Overview

Certificates are the foundation of secure communication in modern networks. RouterOS provides comprehensive PKI (Public Key Infrastructure) capabilities for generating, signing, importing, and managing X.509 certificates. You’ll use certificates for:

• HTTPS Management - Secure web interface (www-ssl)
• VPN Authentication - IPsec IKEv2, OpenVPN, SSTP, WireGuard
• Wireless Security - EAP-TLS for 802.1X/Dot1X
• API Security - Encrypted API connections (api-ssl)
• Secure Fetching - HTTPS downloads with certificate verification

RouterOS v7 includes Let’s Encrypt integration for automated SSL certificate provisioning, plus built-in root CA trust anchors (v7.19+) so you can verify external certificates without manual imports.

Key limitation: Certificate operations require accurate system time. Always configure NTP before working with certificates.

Certificate Concepts

The PKI Triangle

┌─────────────────────────────────────────────────────────────┐
│                    Certificate Authority (CA)                │
│                  Issues and signs certificates               │
│                    (Self-signed root of trust)              │
└─────────────────────────────────────────────────────────────┘
                              │
                              │ Signs
                              ▼
┌───────────────────────┐           ┌───────────────────────┐
│   Server Certificate   │           │   Client Certificate   │
│  Proves server identity │           │  Proves client identity │
│  (www-ssl, VPN server) │           │  (VPN client, EAP-TLS) │
└───────────────────────┘           └───────────────────────┘

Trust chain: When a client connects to your server, it verifies:

1. Server certificate is signed by a trusted CA
2. Certificate hasn’t expired
3. Certificate matches the server’s hostname/IP

Certificate vs Template

In RouterOS, you first create a template (unsigned certificate request), then sign it to create a usable certificate:

Template (unsigned) ──sign──▶ Certificate (usable)

Templates are automatically deleted after signing. This is by design—you work with the signed certificate, not the template.

Menu Reference

Menu	Purpose
/certificate	Certificate management
/certificate/settings	CRL and trust settings
/certificate/scep-server	SCEP enrollment server

Certificate Properties

Template Properties (when creating)

Property	Type	Default	Description
name	string	-	Certificate name (required)
common-name	string	-	Certificate CN - typically hostname (required)
country	string	-	Country code (e.g., “US”)
state	string	-	State/Province
locality	string	-	City
organization	string	-	Organization name
unit	string	-	Organizational Unit
subject-alt-name	list	-	Alternative names (DNS:, IP:, email:)
key-size	integer/curve	2048	Key size or EC curve
key-usage	flags	see below	Certificate usage permissions
days-valid	integer	365	Validity period after signing
digest-algorithm	enum	sha256	Hash algorithm
trusted	yes/no	no	Trust for verification

Key Size Options

Type	Options
RSA	1024, 1536, 2048, 4096, 8192
EC	prime256v1, secp384r1, secp521r1

Recommendation: Use 2048-bit RSA or prime256v1 EC for balance of security and performance.

Key Usage Flags

Flag	Description	Typical Use
digital-signature	Sign data	All certificates
key-encipherment	Encrypt keys	TLS certificates
data-encipherment	Encrypt data	Less common
key-cert-sign	Sign other certificates	CA only
crl-sign	Sign CRLs	CA only
tls-server	TLS server authentication	Server certificates
tls-client	TLS client authentication	Client certificates

Certificate Flags (in print output)

Flag	Meaning
K	Has private key (required for servers)
A	Authority (CA certificate)
T	Trusted for verification
I	Issued by local CA
R	Revoked
E	Expired
L	Has CRL

Configuration Examples

Example 1: Create a Self-Signed CA

Create your own Certificate Authority to sign certificates:

# Step 1: Create CA template
/certificate add name=myCA common-name="My Organization CA" \
    key-usage=key-cert-sign,crl-sign days-valid=3650 key-size=2048

# Step 2: Sign to create self-signed CA
/certificate sign myCA

# Step 3: Verify CA was created
/certificate print where name=myCA

Expected output shows flags KAT (private Key, Authority, Trusted).

Example 2: Create Server Certificate for HTTPS

Create a certificate for the router’s web interface:

# Step 1: Create server template with SAN
/certificate add name=router-cert common-name=router.example.com \
    subject-alt-name=DNS:router.example.com,IP:192.168.1.1 \
    key-usage=digital-signature,key-encipherment,tls-server \
    days-valid=365

# Step 2: Sign with your CA
/certificate sign router-cert ca=myCA

# Step 3: Apply to www-ssl service
/ip service set www-ssl certificate=router-cert disabled=no

# Step 4: Verify
/ip service print where name=www-ssl

Now access router at https://192.168.1.1 (browser will warn about untrusted CA unless you import myCA).

Example 3: Let’s Encrypt Certificate (Automated)

Get a free, publicly-trusted SSL certificate:

Prerequisites:

• DNS name pointing to router’s public IP
• Port 80 accessible from internet
• www service can be temporarily enabled

# Option A: Using your own domain
/certificate enable-ssl-certificate dns-name=router.example.com

# Option B: Using IP Cloud (automatic DNS)
/ip cloud set ddns-enabled=yes
# Wait for DNS to propagate, then:
/certificate enable-ssl-certificate
# Uses <serial>.sn.mynetname.net automatically

Let’s Encrypt certificates:

• Valid for 90 days
• Auto-renew at 80% validity (72 days)
• Require port 80 accessible at renewal time

Example 4: Create Client Certificate for VPN

For certificate-based VPN authentication:

# Step 1: Create client template
/certificate add name=vpn-client1 common-name="VPN User 1" \
    key-usage=digital-signature,key-encipherment,tls-client \
    days-valid=365

# Step 2: Sign with CA
/certificate sign vpn-client1 ca=myCA

# Step 3: Export for distribution
/certificate export-certificate vpn-client1 export-passphrase=clientpass type=pkcs12

# Step 4: Export CA (for client trust)
/certificate export-certificate myCA file-name=ca-cert

# Step 5: Download from Files menu
/file print where name~"cert_export"

Give the client both files: the PKCS12 (contains cert + key) and the CA certificate (for trust).

Example 5: Import External Certificate

Import a certificate purchased from a commercial CA:

# Step 1: Upload files to router (via Winbox drag-drop, FTP, or SCP)

# Step 2: Import certificate
/certificate import file-name=server.crt

# Step 3: Import private key (if separate file)
/certificate import file-name=server.key

# Or import PKCS12 bundle (includes both)
/certificate import file-name=server.p12 passphrase=filepassword

# Step 4: Verify import (should show K flag)
/certificate print

Example 6: Enable Built-in Root CA Trust (v7.19+)

Allow RouterOS to verify external HTTPS certificates:

# Enable built-in trust anchors
/certificate settings set builtin-trust-anchors=trusted

# Now fetch with certificate verification works
/tool fetch url=https://example.com check-certificate=yes

This is required for:

• DNS over HTTPS (DoH)
• Secure HTTPS fetches
• Cloud service connections

Example 7: Certificate for OpenVPN Server

# Step 1: Create server certificate
/certificate add name=ovpn-server common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com,IP:203.0.113.1 \
    key-usage=digital-signature,key-encipherment,tls-server \
    days-valid=365

# Step 2: Sign with CA
/certificate sign ovpn-server ca=myCA

# Step 3: Apply to OpenVPN
/interface ovpn-server server set certificate=ovpn-server \
    require-client-certificate=yes

Example 8: Export and Backup Certificates

# Export CA certificate only (for distribution)
/certificate export-certificate myCA file-name=my-ca-public

# Export certificate with private key (for backup)
/certificate export-certificate router-cert export-passphrase=backuppass type=pkcs12

# List exported files
/file print where name~"cert"

Export types:

• pem - PEM format (default, certificate only)
• pkcs12 - PKCS#12 bundle (certificate + key, encrypted)

CRL (Certificate Revocation List)

Enable CRL checking to reject revoked certificates:

# Enable CRL checking
/certificate settings set crl-use=yes crl-download=yes

# Check current settings
/certificate settings print

Note: CRL checking requires:

• HTTP access to CRL distribution points
• Complete certificate chain imported

Subject Alternative Names (SAN)

Modern certificates should include SANs for all ways the server is accessed:

/certificate add name=multi-access common-name=router.example.com \
    subject-alt-name=DNS:router.example.com,DNS:router.lan,IP:192.168.1.1,IP:10.0.0.1

SAN formats:

• DNS:hostname.example.com
• IP:192.168.1.1
• email:[email protected]

Common Problems and Solutions

Problem 1: “Templates are not exportable!”

Cause: Attempting to export an unsigned template.

Solution: Sign the template first:

/certificate sign template-name
/certificate export-certificate template-name

Problem 2: Certificate Has No Private Key (Missing K Flag)

Cause: Key file not imported or key doesn’t match certificate.

Solution:

# Import key separately
/certificate import file-name=server.key

# Or use PKCS12 which bundles both
/certificate import file-name=server.p12 passphrase=password

Problem 3: Let’s Encrypt “HTTP Challenge Validation Failed”

Causes:

• Port 80 not accessible from internet
• DNS not pointing to router
• www service disabled

Solution:

# Ensure www is enabled
/ip service enable www

# Check firewall allows port 80
/ip firewall filter print where dst-port=80

# Verify DNS resolves correctly (from external)
# nslookup router.example.com should return your public IP

Problem 4: Can’t Sign - Imported CA Not Recognized

Cause: Imported CA lacks key-cert-sign permission.

Solution: Generate CA on RouterOS instead:

/certificate add name=newCA common-name="My CA" \
    key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign newCA

Problem 5: “Unable to Get Local Issuer Certificate” on Fetch

Cause: Root CA not trusted (v7.19+).

Solution:

/certificate settings set builtin-trust-anchors=trusted

Problem 6: Certificate Expired

Check expiration:

/certificate print detail where name=server-cert
# Look at "expires-after" field

For Let’s Encrypt: Renewal happens automatically at 80% validity if port 80 is accessible.

For self-signed: Create new certificate and re-apply to services.

Problem 7: CA Removal Deleted All Certificates

Cause: Removing a CA removes all certificates it issued.

Prevention: Export certificates before removing CA:

/certificate export-certificate child-cert type=pkcs12 export-passphrase=backup

Verification Commands

# List all certificates
/certificate print

# Show certificate details
/certificate print detail where name=router-cert

# Find certificates with private keys
/certificate print where private-key=yes

# Find CA certificates
/certificate print where ca=yes

# Find expired certificates
/certificate print where expired=yes

# Check certificate assignment to services
/ip service print where certificate!=""

# Verify settings
/certificate settings print

# Test HTTPS fetch (requires trusted roots)
/tool fetch url=https://example.com check-certificate=yes

Security Best Practices

1. Use appropriate key sizes: 2048-bit RSA minimum, 4096-bit for long-lived CAs
2. Set reasonable validity: 1-2 years for server certs, 5-10 years for CAs
3. Include SANs: Modern browsers require Subject Alternative Names
4. Protect private keys: Use strong export passphrases
5. Enable CRL checking: For environments requiring revocation
6. Keep system time accurate: Certificates depend on valid timestamps
7. Back up CA certificates: CA loss means all issued certs become unverifiable

Related Features

• IP Services (/ip service) - Apply certificates to www-ssl, api-ssl
• OpenVPN (/interface ovpn-server) - TLS-based VPN
• SSTP (/interface sstp-server) - SSL-based VPN
• IPsec (/ip ipsec) - Certificate-based IKEv2
• Dot1X (/interface dot1x) - EAP-TLS authentication
• Fetch (/tool fetch) - HTTPS with certificate verification
• DoH (/ip dns) - DNS over HTTPS

Version Notes

Version	Feature
v7.19+	Built-in root CA trust anchors
v7.7+	Certificate import format changes
v7.1+	Let’s Encrypt integration
v7.x	ACME support for alternative CAs

Summary

Certificate management in RouterOS follows a straightforward workflow:

1. Create template with properties (name, CN, key-usage, validity)
2. Sign to create usable certificate (self-signed or with CA)
3. Apply to services (www-ssl, VPN, etc.)
4. Export/Import for distribution or backup

For public-facing services, Let’s Encrypt provides free automated certificates. For internal services, create your own CA and distribute it to clients. Always verify certificates have the K flag (private key) before applying to services.

Related Topics

Prerequisites

• NTP Client - accurate time required for certificate validation

Services Using Certificates

• IP Services (SSH) - enable secure management access
• OpenVPN - TLS-based VPN
• IPsec IKEv2 - certificate-based VPN authentication
• SSTP VPN - SSL-based VPN
• Dot1X - EAP-TLS authentication

Related Security

• User Management - manage admin access
• Firewall Basics - protect management interfaces

Related Topics

• IP Cloud - DDNS for Let’s Encrypt certificates
• DNS Server - DNS resolution for ACME validation