Difference between revisions of "Mikrotik: Certificate Generate"

From OnnoWiki
Jump to navigation Jump to search
Line 34: Line 34:
 
  # /certificate export-certificate client1 export-passphrase=xxxxxxxx
 
  # /certificate export-certificate client1 export-passphrase=xxxxxxxx
 
  # /certificate export-certificate client2 export-passphrase=xxxxxxxx
 
  # /certificate export-certificate client2 export-passphrase=xxxxxxxx
  /certificate export-certificate client1 export-passphrase=123456
+
  /certificate export-certificate client1 export-passphrase=123456789
  /certificate export-certificate client2 export-passphrase=123456
+
  /certificate export-certificate client2 export-passphrase=123456789
  
 
FTP untuk download file crt & key. Dari Linux Client
 
FTP untuk download file crt & key. Dari Linux Client

Revision as of 14:39, 19 February 2022

Make certificate templates

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2


Sign certificates and add CRL url

Kita menggunakan IP public Mikrotik sebagai CRL URL. Proses ini butuh waktu, harus dilakukan satu per satu; jangan sekaligus.

/certificate 
# sign ca-template ca-crl-host=192.168.88.198 name=myCa
sign ca-template ca-crl-host=192.168.0.150 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

Trust Certificate

/certificate
set myCa trusted=yes
set server trusted=yes

Export Certificate

Export client certificates with keys and CA certificate:

/certificate export-certificate myCa
# /certificate export-certificate client1 export-passphrase=xxxxxxxx
# /certificate export-certificate client2 export-passphrase=xxxxxxxx
/certificate export-certificate client1 export-passphrase=123456789
/certificate export-certificate client2 export-passphrase=123456789

FTP untuk download file crt & key. Dari Linux Client

ftp ip-mikrotik
username admin
mget *
quit

Print

[admin@pe0] /certificate> print 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, 
A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #         NAME               COMMON-NAME               FINGERPRINT              
 0 K L A T myCa               myCa                      7fa636e6576495fe78f1a4...
 1 K   I T server             server                    cf0650a291bf4685f2fbd3...
 2 K   I   client1            client1                   26233de30e89b203b946ab...
 3 K   I   client2            client2                   cf172b62201befaf8d8966...