Difference between revisions of "Mikrotik: Certificate Generate"

Make certificate templates

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2

Sign certificates and add CRL url

Kita menggunakan IP public Mikrotik sebagai CRL URL. Proses ini butuh waktu, harus dilakukan satu per satu; jangan sekaligus.

/certificate 
# sign ca-template ca-crl-host=192.168.88.198 name=myCa
sign ca-template ca-crl-host=192.168.0.219 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

Trust Certificate

/certificate
set myCa trusted=yes
set server trusted=yes

Export Certificate

Export client certificates with keys and CA certificate:

/certificate export-certificate myCa
# /certificate export-certificate client1 export-passphrase=xxxxxxxx
# /certificate export-certificate client2 export-passphrase=xxxxxxxx
/certificate export-certificate client1 export-passphrase=123456789
/certificate export-certificate client2 export-passphrase=123456789

Client Linux - Downloat crt & key

FTP untuk download file crt & key. Dari Linux Client

ftp ip-mikrotik
username admin

mget *
quit

Print

[admin@pe0] /certificate> print 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, 
A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #         NAME               COMMON-NAME               FINGERPRINT              
 0 K L A T myCa               myCa                      7fa636e6576495fe78f1a4...
 1 K   I T server             server                    cf0650a291bf4685f2fbd3...
 2 K   I   client1            client1                   26233de30e89b203b946ab...
 3 K   I   client2            client2                   cf172b62201befaf8d8966...

Client Kali Linux

cd /etc/openvpn/client/

ftp (IP Mikrotik OpenVPN - 192.168.0.219)
username admin
password
mget *
quit

Edit auth.conf

vi /etc/openvpn/client/auth.conf

line 1 username
line 2 password
client1
123456789

Edit client1.ovpn

client
ca cert_export_myCa.crt
cert cert_export_client1.crt
key cert_export_client1.key
auth-user-pass auth.conf
dev tun1
proto tcp-client
tls-client
# remote (IP Public OpenVPN Mikrotik) 1194
remote 192.168.0.219 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC        # Blowfish (default)
auth SHA1
verb 4
keepalive 10 15

Client UBUNTU

Referensi:

• https://labkom.co.id/mikrotik/membuat-openvpn-di-mikrotik-dengan-client-windows
• https://gryzli.info/2014/10/05/mikrotik-configuring-openvpn-server-linux-client/

vi auth.conf

vi client1.ovpn

dev tun
proto tcp-client
remote (IP Public OpenVPN Mikrotik) 1194
ca cert_export_myCa.crt
cert cert_export_client1.crt
key cert_export_client1.key
tls-client
port 1194
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher AES-256-CBC
auth SHA1
pull
# auth-user-pass 123456789
# route 172.17.0.1 255.255.255.0 172.31.31.1

Contoh lain,

client
ca cert_export_myCa.crt
cert cert_export_client1.crt
key cert_export_client1.key
auth-user-pass 123456789
dev tun1
proto tcp-client
tls-client
remote (IP Public OpenVPN Mikrotik) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC        # Blowfish (default)
auth SHA1
verb 4
keepalive 10 15