decrypt - decrypt and cache public keys
• passphrase - passphrase for the found encrypted private key
• keys-decrypted - how many keys were successfully decrypted and cached
create-certificate-request - creates an RSA certificate request to be signed by a Certificate
Authority. After this, download both private key and certificate request files from the router. When
you receive your signed certificate from the CA, upload it and the private key (that is made by this
command) to a router and use /certificate import command to install it
• certificate request file name - name for the certificate request file (if it already exists, it will be
overwritten). This is the original certificate that will be signed by the Certificate Authority
• file name - name of private key file. If such file does not exist, it will be created during the next
step. Private key is used to encrypt the certificate
• passphrase - the passphrase that will be used to encrypt generated private key file. You must
enter it twice to be sure you have not made any typing errors
• rsa key bits - number of bits for RSA (encryption) key. Longer keys take more time to
generate. 4096 bit key takes about 30 seconds on Celeron 800 system to generate
• country name - (C) ISO two-character country code (e.g., LV for Latvia)
• state or province name - (ST) full name of state or province
• locality name - (L) locality (e.g. city) name
• organization name - (O) name of the organization or company
• organization unit name - (OU) organization unit name
• common name - (CN) the server's common name. For SSL web servers this must be the fully
qualified domain name (FQDN) of the server that will use this certificate (like
www.example.com). This is checked by web browsers
• email address - (Email) e-mail address of the person responsible for the certificate
• challenge password - the challenge password. It's use depends on your CA. It may be used to
revoke this certificate
• unstructured address - unstructured address (like street address). Enter only if your CA
accepts or requires it
Notes
Server certificates may have ca property set to no, but Certificate Authority certificates must have it
set to yes
Certificates and encrypted private keys are imported from and exported to the router's FTP server.
Public keys are not stored on a router in unencrypted form. Cached decrypted private keys are
stored in encrypted form, using key that is derived from the router ID. Passphrases are not stored on
router.
Configuration backup does not include cached decrypted private keys. After restoring backup all
certificates with private keys must be decrypted again, using decrypt command with the correct
passphrase.
No other certificate operations are possible while generating a key.
When making a certificate request, you may leave some of the fields empty. CA may reject your
certificate request if some of these values are incorrect or missing, so please check what are the
Page 564 of 695
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registred trademarks mentioned herein are properties of their respective owners.