… or how to enable www-ssl on MikroTik?
By default on MikroTik devices only HTTP tcp/80 is enabled. The traffic going through this protocol is not encrypted and shouldn’t be used where authentication happens. RouterOS offers HTTPS tcp/443 service as well, to enable it you need a certificate and key.
Here is the (as far as I know) easiest way to generate a self-signed certificate and assign it to your MikroTik’s www-ssl service. This was tested on Unix (Linux, FreeBSD, macOS) but if you install openssl on Windows, that should also work. This was tested on RouterOS 6.46.5
Log on to your device with ssh (telnet should be disable by now) or use Terminal from Winbox.
/certificate add name=mikrotik_ssl common-name=mikrotik_SSL key-size=2048
/certificate create-certificate-request template=mikrotik_ssl key-passphrase=XXX
key-passphrase is recommended but not mandatory
Copy the following files to your BSD/Linux/macOS computer, they are under Files on your router:
Execute the following commands on your Unix computer. If you used key-passphrase above you’ll have to enter your password at step 1
-days 1460: this is how many days your certificate is going to be valid, after this you’ll have to redo it
1. openssl rsa -in certificate-request_key.pem -text > mikrotik_ssl_certificate.pem
2. openssl x509 -req -days 1460 -in certificate-request.pem -signkey mikrotik_ssl_certificate.pem -out mikrotik_ssl_certificate.crt
Upload mikrotik_ssl_certificate.pem and mikrotik_ssl_certificate.crt to the router and import it:
/certificate import file-name=mikrotik_ssl_certificate.crt/certificate import file-name=mikrotik_ssl_certificate.pem
Check if the certificate is valid:
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME
0 mikrotik_ssl mikrotik_ssl
1 K T mikrotik_ssl_certificate.crt_0 mikrotik_ssl
/ip service set www-ssl address=192.168.88.0/24 certificate=mikrotik_ssl_certificate.crt_0 disabled=no
Visit https://192.168.88.1, or whatever your router’s host is. Your browser is going to complain that Your connection is not private and NET::ERR_CERT_INVALID, that is expected since this is a self-signed certificate.
Now you can disable http 80/tcp
ip service disable www, or just stop using it.