https://mikrotik…

… or how to enable www-ssl on MikroTik?

By default on MikroTik devices only HTTP tcp/80 is enabled. The traffic going through this protocol is not encrypted and shouldn’t be used where authentication happens. RouterOS offers HTTPS tcp/443 service as well, to enable it you need a certificate and key.

Here is the (as far as I know) easiest way to generate a self-signed certificate and assign it to your MikroTik’s www-ssl service. This was tested on Unix (Linux, FreeBSD, macOS) but if you install openssl on Windows, that should also work. This was tested on RouterOS 6.46.5

Log on to your device with ssh (telnet should be disable by now) or use Terminal from Winbox.

/certificate add name=mikrotik_ssl common-name=mikrotik_SSL key-size=2048
/certificate create-certificate-request template=mikrotik_ssl key-passphrase=XXX

key-passphrase is recommended but not mandatory

Copy the following files to your BSD/Linux/macOS computer, they are under Files on your router:

certificate-request.pem
certificate-request_key.pem

Execute the following commands on your Unix computer. If you used key-passphrase above you’ll have to enter your password at step 1

-days 1460: this is how many days your certificate is going to be valid, after this you’ll have to redo it

1. openssl rsa -in certificate-request_key.pem -text > mikrotik_ssl_certificate.pem
2. openssl x509 -req -days 1460 -in certificate-request.pem -signkey mikrotik_ssl_certificate.pem -out mikrotik_ssl_certificate.crt

Upload mikrotik_ssl_certificate.pem and mikrotik_ssl_certificate.crt to the router and import it:

/certificate import file-name=mikrotik_ssl_certificate.crt/certificate import file-name=mikrotik_ssl_certificate.pem

Check if the certificate is valid:

/certificate print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #         NAME                           COMMON-NAME                                                                           
 0         mikrotik_ssl                   mikrotik_ssl
 1 K     T mikrotik_ssl_certificate.crt_0 mikrotik_ssl  

Enable www-ssl: /ip service set www-ssl address=192.168.88.0/24 certificate=mikrotik_ssl_certificate.crt_0 disabled=no

Visit https://192.168.88.1, or whatever your router’s host is. Your browser is going to complain that Your connection is not private and NET::ERR_CERT_INVALID, that is expected since this is a self-signed certificate.
Now you can disable http 80/tcp ip service disable www, or just stop using it.

2 thoughts on “https://mikrotik…”

  1. I think the first openssl cmd should read:
    1. openssl rsa -in certificate-request_key.pem -text > mikrotik_ssl_certificate.pem
    instead of
    1. openssl rsa -in certificate-request_key.pem -text > mikrotik-certificate-request.pem

    But anyway, thank you very much, that was very helpful!

    Cheers
    Kai

Leave a Reply

Your email address will not be published. Required fields are marked *