… or how to enable www-ssl on MikroTik?
By default on MikroTik devices only HTTP (tcp/80) is enabled. Traffic over this protocol is not encrypted, so it shouldn't be used where authentication happens. RouterOS also offers an HTTPS (tcp/443) service; to enable it you need a certificate and key.
Here is (as far as I know) the easiest way to generate a self-signed certificate and assign it to your MikroTik's www-ssl service. This was tested on Unix (Linux, FreeBSD, macOS), but if you install openssl on Windows that should work too. It was tested on RouterOS 6.46.5.
Log on to your device with ssh (telnet should be disabled by now) or use Terminal from Winbox.
/certificate add name=mikrotik_ssl common-name=mikrotik_SSL key-size=2048
/certificate create-certificate-request template=mikrotik_ssl key-passphrase=XXX
key-passphrase is recommended but not mandatory
Copy the following files to your BSD/Linux/macOS computer; they are under Files on your router:
certificate-request.pem
certificate-request_key.pem
Execute the following commands on your Unix computer. If you used key-passphrase above you'll have to enter that passphrase at step 1.
-days 1460: this is how many days your certificate is going to be valid; after that you'll have to redo it.
1. openssl rsa -in certificate-request_key.pem -text > mikrotik_ssl_certificate.pem
2. openssl x509 -req -days 1460 -in certificate-request.pem -signkey mikrotik_ssl_certificate.pem -out mikrotik_ssl_certificate.crt
Upload mikrotik_ssl_certificate.pem and mikrotik_ssl_certificate.crt to the router and import them:
/certificate import file-name=mikrotik_ssl_certificate.crt
/certificate import file-name=mikrotik_ssl_certificate.pem
Check if the certificate is valid:
/certificate print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME
0 mikrotik_ssl mikrotik_ssl
1 K T mikrotik_ssl_certificate.crt_0 mikrotik_ssl
Enable www-ssl:
/ip service set www-ssl address=192.168.88.0/24 certificate=mikrotik_ssl_certificate.crt_0 disabled=no
Visit https://192.168.88.1, or whatever your router's host is. Your browser is going to complain that "Your connection is not private" (NET::ERR_CERT_INVALID); that is expected since this is a self-signed certificate.
Now you can disable http 80/tcp (/ip service disable www), or just stop using it.
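The host-side part of the procedure (steps 1 and 2 above) as an added shell example, not from the original post: it wraps the two openssl commands in a function, writes the decrypted key with -out instead of the post's -text redirect, and adds the checks a practitioner would want before uploading the files back to the router, namely that the certificate's public key matches the private key and that the certificate is currently valid. It assumes openssl is on PATH; make_sample_csr is a constructed stand-in for the two files downloaded from the router.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH.
set -eu

# sign_router_csr CSR KEY OUT_PREFIX [DAYS]
# CSR and KEY are certificate-request.pem / certificate-request_key.pem as
# downloaded from the router's Files list. Produces OUT_PREFIX.pem (key) and
# OUT_PREFIX.crt (self-signed certificate), then verifies them.
sign_router_csr() {
    csr=$1; key=$2; out=$3; days=${4:-1460}

    # Step 1 from the post: write the key without its passphrase
    # (openssl prompts for it if the router's key was encrypted).
    openssl rsa -in "$key" -out "$out.pem" 2>/dev/null

    # Step 2 from the post: self-sign the router's CSR with that key.
    openssl x509 -req -days "$days" -in "$csr" -signkey "$out.pem" \
        -out "$out.crt" 2>/dev/null

    # Check: the certificate's public key must match the private key,
    # otherwise RouterOS imports the certificate without the K (private-key)
    # flag and it cannot be assigned to www-ssl.
    cert_pub=$(openssl x509 -in "$out.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$out.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "public key in $out.crt does not match $out.pem" >&2
        return 1
    fi

    # Check: the certificate is valid right now (not yet expired).
    openssl x509 -in "$out.crt" -noout -checkend 0 >/dev/null || return 1

    # Print the subject so the CN can be eyeballed against the router's
    # common-name before uploading.
    openssl x509 -in "$out.crt" -noout -subject
}

# Constructed stand-in for the two files the router exports, so the script
# runs offline: a fresh 2048-bit RSA key and a CSR with the post's CN.
make_sample_csr() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/certificate-request_key.pem" \
        -out "$dir/certificate-request.pem" \
        -subj "/CN=mikrotik_SSL" 2>/dev/null
}
```

Run it as `sign_router_csr certificate-request.pem certificate-request_key.pem mikrotik_ssl_certificate 1460` in the directory holding the downloaded files; the resulting .pem and .crt are the two files the post uploads and imports.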
I think the first openssl cmd should read:
1. openssl rsa -in certificate-request_key.pem -text > mikrotik_ssl_certificate.pem
instead of
1. openssl rsa -in certificate-request_key.pem -text > mikrotik-certificate-request.pem
But anyway, thank you very much, that was very helpful!
Cheers
Kai
Thank you Kai! I fixed that on the post.
Another good way to deal with self-signed certificates is ssl-admin. Dan has a good post about that here: https://dan.langille.org/2013/01/03/ssl-admin/