Skip to content
MikroTik RouterOS Docs

Certificate Management in RouterOS: A Complete Guide

Certificate Management in RouterOS: A Complete Guide

Section titled “Certificate Management in RouterOS: A Complete Guide”

RouterOS Version: 7.x+ Difficulty: Intermediate Estimated Time: 45 minutes

Overview

Section titled “Overview”

Certificates are the foundation of secure communication in modern networks. RouterOS provides comprehensive PKI (Public Key Infrastructure) capabilities for generating, signing, importing, and managing X.509 certificates. You’ll use certificates for:

  • HTTPS Management - Secure web interface (www-ssl)
  • VPN Authentication - IPsec IKEv2, OpenVPN, SSTP, WireGuard
  • Wireless Security - EAP-TLS for 802.1X/Dot1X
  • API Security - Encrypted API connections (api-ssl)
  • Secure Fetching - HTTPS downloads with certificate verification

RouterOS v7 includes Let’s Encrypt integration for automated SSL certificate provisioning, plus built-in root CA trust anchors (v7.19+) so you can verify external certificates without manual imports.

Key limitation: Certificate operations require accurate system time. Always configure NTP before working with certificates.

Certificate concepts

Section titled “Certificate concepts”

The PKI triangle

Section titled “The PKI triangle”
PKI trust hierarchy showing Certificate Authority at top signing both Server and Client certificates

Trust chain: When a client connects to your server, it verifies:

  1. Server certificate is signed by a trusted CA
  2. Certificate hasn’t expired
  3. Certificate matches the server’s hostname/IP
Certificate concepts - The PKI triangle diagram

Certificate vs template

Section titled “Certificate vs template”

In RouterOS, you first create a template (unsigned certificate request), then sign it to create a usable certificate:

Certificate workflow showing unsigned template being signed to create usable certificate

Templates are automatically deleted after signing. This is by design—you work with the signed certificate, not the template.

Section titled “Menu reference”
MenuPurpose
/certificateCertificate management
/certificate/settingsCRL and trust settings
/certificate/scep-serverSCEP enrollment server

Certificate properties

Section titled “Certificate properties”

Template properties (when creating)

Section titled “Template properties (when creating)”
PropertyTypeDefaultDescription
namestring-Certificate name (required)
common-namestring-Certificate CN - typically hostname (required)
countrystring-Country code (e.g., “US”)
statestring-State/Province
localitystring-City
organizationstring-Organization name
unitstring-Organizational Unit
subject-alt-namelist-Alternative names (DNS:, IP:, email:)
key-sizeinteger/curve2048Key size or EC curve
key-usageflagssee belowCertificate usage permissions
days-validinteger365Validity period after signing
digest-algorithmenumsha256Hash algorithm
trustedyes/nonoTrust for verification

Key size options

Section titled “Key size options”
TypeOptions
RSA1024, 1536, 2048, 4096, 8192
ECprime256v1, secp384r1, secp521r1

Recommendation: Use 2048-bit RSA or prime256v1 EC for balance of security and performance.

Key usage flags

Section titled “Key usage flags”
FlagDescriptionTypical Use
digital-signatureSign dataAll certificates
key-enciphermentEncrypt keysTLS certificates
data-enciphermentEncrypt dataLess common
key-cert-signSign other certificatesCA only
crl-signSign CRLsCA only
tls-serverTLS server authenticationServer certificates
tls-clientTLS client authenticationClient certificates

Certificate flags (in print output)

Section titled “Certificate flags (in print output)”
FlagMeaning
KHas private key (required for servers)
AAuthority (CA certificate)
TTrusted for verification
IIssued by local CA
RRevoked
EExpired
LHas CRL

Configuration examples

Section titled “Configuration examples”

Example 1: Create a self-signed CA

Section titled “Example 1: Create a self-signed CA”

Create your own Certificate Authority to sign certificates:

# Step 1: Create CA template
/certificate add name=myCA common-name="My Organization CA" \
    key-usage=key-cert-sign,crl-sign days-valid=3650 key-size=2048


# Step 2: Sign to create self-signed CA
/certificate sign myCA


# Step 3: Verify CA was created
/certificate print where name=myCA

Expected output shows flags KAT (private Key, Authority, Trusted).

Example 2: Create server certificate for HTTPS

Section titled “Example 2: Create server certificate for HTTPS”

Create a certificate for the router’s web interface:

# Step 1: Create server template with SAN
/certificate add name=router-cert common-name=router.example.com \
    subject-alt-name=DNS:router.example.com,IP:192.168.1.1 \
    key-usage=digital-signature,key-encipherment,tls-server \
    days-valid=365


# Step 2: Sign with your CA
/certificate sign router-cert ca=myCA


# Step 3: Apply to www-ssl service
/ip service set www-ssl certificate=router-cert disabled=no


# Step 4: Verify
/ip service print where name=www-ssl

Now access router at https://192.168.1.1 (browser will warn about untrusted CA unless you import myCA).

Example 3: Let’s Encrypt certificate (automated)

Section titled “Example 3: Let’s Encrypt certificate (automated)”
Example 3: Let's Encrypt certificate (automated) diagram

Get a free, publicly-trusted SSL certificate:

Prerequisites:

  • DNS name pointing to router’s public IP
  • Port 80 accessible from internet
  • www service can be temporarily enabled
# Option A: Using your own domain
/certificate enable-ssl-certificate dns-name=router.example.com


# Option B: Using IP Cloud (automatic DNS)
/ip cloud set ddns-enabled=yes
# Wait for DNS to propagate, then:
/certificate enable-ssl-certificate
# Uses <serial>.sn.mynetname.net automatically

Let’s Encrypt certificates:

  • Valid for 90 days
  • Auto-renew at 80% validity (72 days)
  • Require port 80 accessible at renewal time

Example 4: Create client certificate for VPN

Section titled “Example 4: Create client certificate for VPN”

For certificate-based VPN authentication:

# Step 1: Create client template
/certificate add name=vpn-client1 common-name="VPN User 1" \
    key-usage=digital-signature,key-encipherment,tls-client \
    days-valid=365


# Step 2: Sign with CA
/certificate sign vpn-client1 ca=myCA


# Step 3: Export for distribution
/certificate export-certificate vpn-client1 export-passphrase=clientpass type=pkcs12


# Step 4: Export CA (for client trust)
/certificate export-certificate myCA file-name=ca-cert


# Step 5: Download from Files menu
/file print where name~"cert_export"

Give the client both files: the PKCS12 (contains cert + key) and the CA certificate (for trust).

Example 5: Import external certificate

Section titled “Example 5: Import external certificate”
Example 5: Import external certificate diagram

Import a certificate purchased from a commercial CA:

# Step 1: Upload files to router (via Winbox drag-drop, FTP, or SCP)


# Step 2: Import certificate
/certificate import file-name=server.crt


# Step 3: Import private key (if separate file)
/certificate import file-name=server.key


# Or import PKCS12 bundle (includes both)
/certificate import file-name=server.p12 passphrase=filepassword


# Step 4: Verify import (should show K flag)
/certificate print

Example 6: Enable built-in root CA trust (v7.19+)

Section titled “Example 6: Enable built-in root CA trust (v7.19+)”

Allow RouterOS to verify external HTTPS certificates:

# Enable built-in trust anchors
/certificate settings set builtin-trust-anchors=trusted


# Now fetch with certificate verification works
/tool fetch url=https://example.com check-certificate=yes

This is required for:

  • DNS over HTTPS (DoH)
  • Secure HTTPS fetches
  • Cloud service connections

Example 7: Certificate for OpenVPN server

Section titled “Example 7: Certificate for OpenVPN server”
# Step 1: Create server certificate
/certificate add name=ovpn-server common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com,IP:203.0.113.1 \
    key-usage=digital-signature,key-encipherment,tls-server \
    days-valid=365


# Step 2: Sign with CA
/certificate sign ovpn-server ca=myCA


# Step 3: Apply to OpenVPN
/interface ovpn-server server set certificate=ovpn-server \
    require-client-certificate=yes

Example 8: Export and backup certificates

Section titled “Example 8: Export and backup certificates”
# Export CA certificate only (for distribution)
/certificate export-certificate myCA file-name=my-ca-public


# Export certificate with private key (for backup)
/certificate export-certificate router-cert export-passphrase=backuppass type=pkcs12


# List exported files
/file print where name~"cert"

Export types:

  • pem - PEM format (default, certificate only)
  • pkcs12 - PKCS#12 bundle (certificate + key, encrypted)

CRL (certificate revocation list)

Section titled “CRL (certificate revocation list)”

Enable CRL checking to reject revoked certificates:

# Enable CRL checking
/certificate settings set crl-use=yes crl-download=yes


# Check current settings
/certificate settings print

Note: CRL checking requires:

  • HTTP access to CRL distribution points
  • Complete certificate chain imported

Subject alternative names (SAN)

Section titled “Subject alternative names (SAN)”

Modern certificates should include SANs for all ways the server is accessed:

/certificate add name=multi-access common-name=router.example.com \
    subject-alt-name=DNS:router.example.com,DNS:router.lan,IP:192.168.1.1,IP:10.0.0.1

SAN formats:

Common problems and solutions

Section titled “Common problems and solutions”

Problem 1: “Templates are not exportable!”

Section titled “Problem 1: “Templates are not exportable!””

Cause: Attempting to export an unsigned template.

Solution: Sign the template first:

/certificate sign template-name
/certificate export-certificate template-name

Problem 2: Certificate has no private key (missing K flag)

Section titled “Problem 2: Certificate has no private key (missing K flag)”

Cause: Key file not imported or key doesn’t match certificate.

Solution:

# Import key separately
/certificate import file-name=server.key


# Or use PKCS12 which bundles both
/certificate import file-name=server.p12 passphrase=password

Problem 3: Let’s Encrypt “HTTP challenge validation failed”

Section titled “Problem 3: Let’s Encrypt “HTTP challenge validation failed””

Causes:

  • Port 80 not accessible from internet
  • DNS not pointing to router
  • www service disabled

Solution:

# Ensure www is enabled
/ip service enable www


# Check firewall allows port 80
/ip firewall filter print where dst-port=80


# Verify DNS resolves correctly (from external)
# nslookup router.example.com should return your public IP

Problem 4: Can’t sign - imported CA not recognized

Section titled “Problem 4: Can’t sign - imported CA not recognized”

Cause: Imported CA lacks key-cert-sign permission.

Solution: Generate CA on RouterOS instead:

/certificate add name=newCA common-name="My CA" \
    key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign newCA

Problem 5: “Unable to get local issuer certificate” on fetch

Section titled “Problem 5: “Unable to get local issuer certificate” on fetch”

Cause: Root CA not trusted (v7.19+).

Solution:

/certificate settings set builtin-trust-anchors=trusted

Problem 6: Certificate expired

Section titled “Problem 6: Certificate expired”

Check expiration:

/certificate print detail where name=server-cert
# Look at "expires-after" field

For Let’s Encrypt: Renewal happens automatically at 80% validity if port 80 is accessible.

For self-signed: Create new certificate and re-apply to services.

Problem 7: CA removal deleted all certificates

Section titled “Problem 7: CA removal deleted all certificates”

Cause: Removing a CA removes all certificates it issued.

Prevention: Export certificates before removing CA:

/certificate export-certificate child-cert type=pkcs12 export-passphrase=backup

Verification commands

Section titled “Verification commands”
# List all certificates
/certificate print


# Show certificate details
/certificate print detail where name=router-cert


# Find certificates with private keys
/certificate print where private-key=yes


# Find CA certificates
/certificate print where ca=yes


# Find expired certificates
/certificate print where expired=yes


# Check certificate assignment to services
/ip service print where certificate!=""


# Verify settings
/certificate settings print


# Test HTTPS fetch (requires trusted roots)
/tool fetch url=https://example.com check-certificate=yes

Security best practices

Section titled “Security best practices”
  1. Use appropriate key sizes: 2048-bit RSA minimum, 4096-bit for long-lived CAs
  2. Set reasonable validity: 1-2 years for server certs, 5-10 years for CAs
  3. Include SANs: Modern browsers require Subject Alternative Names
  4. Protect private keys: Use strong export passphrases
  5. Enable CRL checking: For environments requiring revocation
  6. Keep system time accurate: Certificates depend on valid timestamps
  7. Back up CA certificates: CA loss means all issued certs become unverifiable
Section titled “Related features”
  • IP Services (/ip service) - Apply certificates to www-ssl, api-ssl
  • OpenVPN (/interface ovpn-server) - TLS-based VPN
  • SSTP (/interface sstp-server) - SSL-based VPN
  • IPsec (/ip ipsec) - Certificate-based IKEv2
  • Dot1X (/interface dot1x) - EAP-TLS authentication
  • Fetch (/tool fetch) - HTTPS with certificate verification
  • DoH (/ip dns) - DNS over HTTPS

Version notes

Section titled “Version notes”
VersionFeature
v7.19+Built-in root CA trust anchors
v7.7+Certificate import format changes
v7.1+Let’s Encrypt integration
v7.xACME support for alternative CAs

Summary

Section titled “Summary”

Certificate management in RouterOS follows a straightforward workflow:

  1. Create template with properties (name, CN, key-usage, validity)
  2. Sign to create usable certificate (self-signed or with CA)
  3. Apply to services (www-ssl, VPN, etc.)
  4. Export/Import for distribution or backup

For public-facing services, Let’s Encrypt provides free automated certificates. For internal services, create your own CA and distribute it to clients. Always verify certificates have the K flag (private key) before applying to services.

Section titled “Related topics”

Prerequisites

Section titled “Prerequisites”
  • NTP Client - accurate time required for certificate validation

Services using certificates

Section titled “Services using certificates”
Section titled “Related security”
Section titled “Related topics”
  • IP Cloud - DDNS for Let’s Encrypt certificates
  • DNS Server - DNS resolution for ACME validation