From 3c0852d6b829d8babc3a57002991e35f7bd31d0a Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 30 Oct 2024 17:46:03 +0100 Subject: introduce CERTIFICATES, guide to find root certificate --- CERTIFICATES.d/01-dialog-A.avif | Bin 0 -> 29972 bytes CERTIFICATES.d/02-dialog-B.avif | Bin 0 -> 28821 bytes CERTIFICATES.d/03-window.avif | Bin 0 -> 48111 bytes CERTIFICATES.d/04-certificate.avif | Bin 0 -> 22386 bytes CERTIFICATES.md | 74 +++++++++++++++++++++++++++++++++++++ 5 files changed, 74 insertions(+) create mode 100644 CERTIFICATES.d/01-dialog-A.avif create mode 100644 CERTIFICATES.d/02-dialog-B.avif create mode 100644 CERTIFICATES.d/03-window.avif create mode 100644 CERTIFICATES.d/04-certificate.avif create mode 100644 CERTIFICATES.md diff --git a/CERTIFICATES.d/01-dialog-A.avif b/CERTIFICATES.d/01-dialog-A.avif new file mode 100644 index 0000000..2fc3c9b Binary files /dev/null and b/CERTIFICATES.d/01-dialog-A.avif differ diff --git a/CERTIFICATES.d/02-dialog-B.avif b/CERTIFICATES.d/02-dialog-B.avif new file mode 100644 index 0000000..5e408ab Binary files /dev/null and b/CERTIFICATES.d/02-dialog-B.avif differ diff --git a/CERTIFICATES.d/03-window.avif b/CERTIFICATES.d/03-window.avif new file mode 100644 index 0000000..96039a3 Binary files /dev/null and b/CERTIFICATES.d/03-window.avif differ diff --git a/CERTIFICATES.d/04-certificate.avif b/CERTIFICATES.d/04-certificate.avif new file mode 100644 index 0000000..e666314 Binary files /dev/null and b/CERTIFICATES.d/04-certificate.avif differ diff --git a/CERTIFICATES.md b/CERTIFICATES.md new file mode 100644 index 0000000..dfd8639 --- /dev/null +++ b/CERTIFICATES.md @@ -0,0 +1,74 @@ +Certificate name from browser +============================= + +[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers) +[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network) +[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers) +[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.14-yellow?style=flat)](https://mikrotik.com/download/changelogs/) +[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts) +[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J) + +[⬅️ Go back to main README](README.md) + +All well known desktop, mobile and server operating systems come with a +certificate store that is populated with a set of well known and trusted +certificates, acting as *trust anchors*. + +However RouterOS does not, still sometimes a specific certificate is +required to properly verify a chain of trust. One example is downloading +the scripts from this repository with `fetch` command, thus the very +first step of [installation](README.md#the-long-way-in-detail) is importing +the certificate. + +The scripts can install additional certificates when required. This happens +from this repository if available, or from [mkcert.org](https://mkcert.org) +as a fallback. + +Get the certificate's CommonName +-------------------------------- + +But how to determine what certificate may be required? Often easiest way +is to use a desktop browser to get that information. This demonstration uses +[Mozilla Firefox](https://www.mozilla.org/firefox/). + +Let's assume we want to make sure the certificate for +[git.eworm.de](https://git.eworm.de/) is available. Open that page in the +browser, then click the *lock* icon in addressbar, followed by "*Connection +secure*". + +![screenshot: dialog A](CERTIFICATES.d/01-dialog-A.avif) + +The dialog will change, click "*More information*". + +![screenshot: dialog B](CERTIFICATES.d/02-dialog-B.avif) + +A new window opens, click the button "*View Certificate*". (That window +can be closed now.) + +![screenshot: window](CERTIFICATES.d/03-window.avif) + +A new tab opens, showing information on the server certificate and its +chain of trust. The leftmost certificate is what we are interested in. + +![screenshot: certificate](CERTIFICATES.d/04-certificate.avif) + +Now we know that "`ISRG Root X2`" is required, some scripts need just +that information. + +Import a certificate by CommonName +---------------------------------- + +Running the function `$CertificateAvailable` with that name as parameter +makes sure the certificate is available in the device's store: + + $CertificateAvailable "ISRG Root X2"; + +If the certificate is actually available already nothing happens, and there +is no output. Otherwise the certificate is downloaded and imported. + +If importing a certificate with that exact name fails a warning is given +and nothing is actually imported. + +--- +[⬅️ Go back to main README](README.md) +[⬆️ Go back to top](#top) -- cgit v1.2.3-70-g09d2