Overview:
ISPs and companies using OVPN and SSTP generally require a certificate for these protocols, to secure the tunnel.
In the 5.x versions you had to generate the certificates yourself with OpenSSL and import them. From 6.x onwards the RouterOS components have gradually improved, and the router can now issue self-signed certificates itself.
This chapter describes specifically how to generate the certificates.
1. After upgrading RouterOS to version 6.4XX, certificate generation and the certificate enrollment process are fully graphical and streamlined. So be sure to upgrade your router systems, for better security support and a better experience.
2. RouterOS supports SCEP, the Simple Certificate Enrollment Protocol. This article, however, uses the traditional way of signing certificates manually.
There are two ways to generate certificates:
Standard: a hierarchical structure, similar to root certificate + intermediate certificate + client certificate. A client certificate can be revoked on its own.
Shortcut: only a single certificate is generated for the encryption; revoking it revokes everything at once.
This tutorial uses the standard method.
Generate a certificate:
Open Winbox, open the HQ router's management interface,
and click System > Certificates.
1. Generate the root certificate
Click the + sign to create a new certificate request, fill in the information shown, and click OK when finished.
Switch to the Key Usage tab and leave only the following two checked:
2. Generate the intermediate certificate
Add a new certificate named Server (this is the certificate the connecting side authenticates against).
In Key Usage, check these two:
3. Generate the client certificate
Add a certificate named Client.
In Key Usage, check this one:
Finally we have the following three certificates:
Sign the certificates:
1. Sign the root certificate; this router is the CRL host server.
Select the CA certificate, right-click it, and choose Sign to sign the certificate.
Enter the CRL address, then click Start to begin generating the certificate.
The time required varies with the key size; when it completes it looks like the following.
Upon completion four more options appear.
2. Sign the intermediate certificate with the root CA certificate
Right-click the Server certificate, select Sign, configure it as shown below, and then click Start.
Double-click the Server certificate and mark it as trusted (Trusted).
The certificate is then displayed with the flags KIT (private key, issued, trusted).
3. Sign the Client certificate
This certificate is relatively simple: right-click, Sign, and nothing else needs to be set.
After completion the three certificates look as follows:
Export the certificates
Exporting the certificates lets other clients (e.g. a router, computer or mobile device) use them to encrypt data.
Exporting a certificate from RouterOS is now very simple.
We need to export two files: one for the CA and one for the Client.
The CA does not require a password; the Client needs a password set.
1. Export the CA
Right-click the CA certificate to be exported and select Export.
Click Export to export it directly.
2. Export the Client (a password must be set)
Right-click it in the same way to export, enter a password, and then export.
Note: there are two certificate formats, PEM and PKCS12.
PEM is used when a router connects; PKCS12 is for Windows and Apple devices.
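The same procedure as RouterOS terminal commands (an added example, not part of the original tutorial). The certificate names follow the tutorial; the CRL host address 192.0.2.1 and the export passphrase are placeholders, and the key-usage values are the usual ones for this CA/server/client chain and are assumed to match the screenshots referred to above.

```routeros
# Added example: the Winbox steps above as RouterOS 6.x terminal commands.
# Names follow the tutorial (CA, Server, Client); 192.0.2.1 is a placeholder
# for the CRL host (the HQ router's own address), the passphrase is a placeholder.

# 1. Root certificate: only the two CA-related key usages are kept
/certificate add name=CA common-name=CA key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign

# 2. Intermediate/server certificate: the usages a TLS server needs
/certificate add name=Server common-name=Server key-size=2048 days-valid=3650 \
    key-usage=digital-signature,key-encipherment,tls-server

# 3. Client certificate: a single usage
/certificate add name=Client common-name=Client key-size=2048 days-valid=3650 \
    key-usage=tls-client

# Sign the root certificate; this router becomes the CRL host
/certificate sign CA ca-crl-host=192.0.2.1 name=CA

# Sign the server certificate with the CA and mark it trusted (flags become KIT)
/certificate sign Server ca=CA name=Server
/certificate set Server trusted=yes

# Sign the client certificate with the CA; nothing else to set
/certificate sign Client ca=CA name=Client

# Check: all three should show K (private key) and I (issued); Server also T
/certificate print

# Export: the CA without a passphrase, the Client with one (PEM by default,
# which is what a router client imports)
/certificate export-certificate CA
/certificate export-certificate Client export-passphrase=CHANGE-ME-PLACEHOLDER
# For Windows/Apple devices export a PKCS12 bundle instead (assumed parameter):
# /certificate export-certificate Client type=pkcs12 export-passphrase=CHANGE-ME-PLACEHOLDER

# The exported files appear under Files as cert_export_*.crt / .key
/file print where name~"cert_export"
```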
Download certificate
Exported certificates are generally stored in the router's own storage.
Click Files and you can see the certificates.
There are three files: the CA certificate, the Client certificate and the Client key.
We need to drag these three files onto the desktop, or right-click them and select Download.
The final result of the download:
In the next section we import the certificates into the branch office's ROS router and use them to dial up the OVPN connection.