aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGravatar Christian Hesse <mail@eworm.de>2019-04-30 15:11:54 +0200
committerGravatar Christian Hesse <mail@eworm.de>2021-05-18 16:32:26 +0200
commitf2433b8091a7966db6cf2a8bc6890e576b592d13 (patch)
tree598d53959aae746daf122bdc8e056eb9474026c4
parent862417b8d32f6eef1c05ba9137fe2a7f14436987 (diff)
drop certificate DST Root CA X3
Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root X1") on July 8, 2019, but postponed several times. Finally they found another solution: A certificate 'ISRG Root X1', but cross-signed with 'DST Root CA X3' and with a livetime that exceeds that of the root CA. This is said to work for most operating system where root certificate authorities are just 'trust anchors'. I doubt this is true for RouterOS, where certificates are just imported into the certificate store. So let's migrate to 'ISRG Root X1' now.
-rw-r--r--INITIAL-COMMANDS.md3
-rw-r--r--README.md16
-rw-r--r--certs/R3.pem77
3 files changed, 5 insertions, 91 deletions
diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md
index fa32654..9df69fa 100644
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@@ -10,7 +10,7 @@ procedure please follow [the long way in detail](README.md#the-long-way-in-detai
/ tool fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/R3.pem" dst-path="letsencrypt-R3.pem";
:delay 1s;
/ certificate import file-name=letsencrypt-R3.pem passphrase="";
- :if ([ :len [ / certificate find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ] ] != 3) do={
+ :if ([ :len [ / certificate find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ] ] != 2) do={
:error "Something is wrong with your certificates!";
}
/ file remove "letsencrypt-R3.pem";
@@ -22,7 +22,6 @@ procedure please follow [the long way in detail](README.md#the-long-way-in-detai
:global CertificateNameByCN;
$CertificateNameByCN "R3";
$CertificateNameByCN "ISRG Root X1";
- $CertificateNameByCN "DST Root CA X3";
}
Optional to update the scripts automatically:
diff --git a/README.md b/README.md
index e102202..c5c0ba5 100644
--- a/README.md
+++ b/README.md
@@ -66,30 +66,22 @@ files to your MikroTik device.
Then we import the certificates.
[admin@MikroTik] > / certificate import file-name=letsencrypt-R3.pem passphrase=""
- certificates-imported: 3
+ certificates-imported: 2
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
For basic verification we rename the certificates and print their count. Make
-sure the certificate count is **three**.
+sure the certificate count is **two**.
[admin@MikroTik] > / certificate set name="R3" [ find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" ]
[admin@MikroTik] > / certificate set name="ISRG-Root-X1" [ find where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ]
- [admin@MikroTik] > / certificate set name="DST-Root-CA-X3" [ find where fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ]
- [admin@MikroTik] > / certificate print count-only where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
- 3
+ [admin@MikroTik] > / certificate print count-only where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6"
+ 2
Always make sure there are no certificates installed you do not know or want!
-Actually we do not require the certificate named `DST Root CA X3`, but as it
-is used by `Let's Encrypt` to cross-sign we install it anyway - this makes
-sure things do not go wrong if the intermediate certificate is replaced.
-The IdenTrust certificate *should* be available from their
-[download page](https://www.identrust.com/support/downloads). The site is
-crap and a good example how to *not* do it.
-
Now let's download the main scripts and add them in configuration on the fly.
[admin@MikroTik] > :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script) output=user as-value]->"data"); }
diff --git a/certs/R3.pem b/certs/R3.pem
index ac322ec..837b709 100644
--- a/certs/R3.pem
+++ b/certs/R3.pem
@@ -235,80 +235,3 @@ oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number:
- 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
- Validity
- Not Before: Sep 30 21:12:19 2000 GMT
- Not After : Sep 30 14:01:15 2021 GMT
- Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90:
- 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40:
- c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93:
- ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2:
- 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89:
- a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14:
- 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80:
- 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec:
- 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09:
- 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd:
- 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6:
- 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c:
- 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72:
- d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97:
- eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15:
- 02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83:
- 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0:
- 02:5d
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Key Usage: critical
- Certificate Sign, CRL Sign
- X509v3 Subject Key Identifier:
- C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
- Signature Algorithm: sha1WithRSAEncryption
- a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f:
- 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b:
- a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3:
- 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd:
- b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94:
- 3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9:
- dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce:
- e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf:
- 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52:
- 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31:
- 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64:
- 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65:
- b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77:
- 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d:
- 82:35:35:10
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----