Certificate Related Things

Some stuff related to certificates

Creating a root CA

• Create root key openssl genrsa -out rootCA.key 4096
• Create and self sign the root certificate: openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt

Securing a server with AltName extension

• Generate a key: openssl genrsa -des3 -out fehervari-router.key 4096
• Generate a CSR: openssl req -new -key fehervari-router.key -out fehervari-router.csr -addext "subjectAltName = IP:192.168.88.1"
• Sign the cert: openssl x509 -req -days 3650 -in fehervari-router.csr -CA rootCA.crt -CAkey rootCA.key -set_serial 01 -out fehervari-router.crt -extensions v3_ca -extfile <(echo "[v3_ca]"; echo "extendedKeyUsage=serverAuth"; echo "subjectAltName=IP:192.168.88.1")
• If you want to sign for a domain name, you still need to use that extension:

SYSNAME=xxx
DOMAIN=yyy
openssl x509 \
  -req \
  -days 3650 \
  -in "${SYSNAME}.csr" \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -set_serial 01 \
  -out "${SYSNAME}.crt" \
  -extensions v3_ca \
  -extfile <(echo "[v3_ca]"; echo "extendedKeyUsage=serverAuth"; echo "subjectAltName=DNS:${DOMAIN}")

Securing Miktotik Router

• Upload the files first (crt and key)
• Then activate the crt, www-ssl service and deactivate http service

/certificate import file-name=fehervari-router.crt
/certificate import file-name=fehervari-router.key
/ip service set www-ssl certificate=fehervari-router.crt_0
/ip service enable www-ssl
/ip service disable www