bekax5
Member Candidate
Topic Author
Posts: 110
Joined: Thu Apr 30, 2015 11:27 pm

Ovpn - verify server certificate issue

Sun Jun 06, 2021 7:01 pm

Hello everyone,

I configured an OpenVPN server and client between two Mikrotik devices.

I generated CA, server1 and client1 certificates.
Require Client Certificate works as intended (connection established && connected), however "Verify Server Certificate" doesn't (TLS failed).
Client has CA certificate imported with LAT flags, and client1 certificate with KT.
Server has the CA certificate it created with KLAT and server1 with KIT.

Does anyone know what "Verify Server Certificate" tries to check?
I'm surely missing some item in the checklist of this verification..
 
tdw
Forum Guru
Posts: 1856
Joined: Sat May 05, 2018 11:55 am

Re: Ovpn - verify server certificate issue

Sun Jun 06, 2021 7:38 pm

Can the client Mikrotik check the CRL as you have L flags on the certificates?

With certificates and keys generated using OpenSSL with no CRL, then importing CA certificate to server & client Mikrotiks (has T flag) and importing server certificate to server Mikrotik (has KT flags) works, not using client certificates in this case. The client Mikrotik checks the CA for the certificate the server has presented is in its local certificate store.
 
bekax5

Re: Ovpn - verify server certificate issue

Sun Jun 06, 2021 11:45 pm

Can the client Mikrotik check the CRL as you have L flags on the certificates?

With certificates and keys generated using OpenSSL with no CRL, then importing CA certificate to server & client Mikrotiks (has T flag) and importing server certificate to server Mikrotik (has KT flags) works, not using client certificates in this case. The client Mikrotik checks the CA for the certificate the server has presented is in its local certificate store.
I believe it does.. Any tip on how to check that?
I think I just exported CA without any passphrase, and then imported it in the client, where it got LAT. Should it be different?

I might have made a mistake in some step.. I guess the safe method is to try to generate new certs all over again.
By the way, all the certs were generated in Mikrotik RB3011 running v6.44rc4 and imported to the hEXS v6.44.6 client.
 
tdw

Re: Ovpn - verify server certificate issue

Mon Jun 07, 2021 6:07 pm

AFAIK Mikrotik handles the A flag somewhat differently - it only appears on CAs generated on a Mikrotik, not on those generated elsewhere and imported. If you generate a CA certificate on one Mikrotik, export it without the key, then import it onto another Mikrotik, the flags are AT (without a CRL) or LAT (with a CRL).

I've skipped CRLs for small setups with self-signed certificates so I'm not sure how to check the CRL status or make the Mikrotik not check it.

Another thing to check is that the VPN client and server Mikrotiks have the correct time so they consider the certificates to be usable (must be within 'invalid before' and 'invalid after')
 
bekax5

Re: Ovpn - verify server certificate issue

Tue Jun 08, 2021 8:59 pm

I am still unable...
Client is still not able to "verify server certificate" and fails with TLS Failed.

In server:
1. I generate CA request with "key cert sign" and "crl sign" (KLAT).
2. Sign the certificate with public domain name in CA CRL Host.
3. Create server certificate.
4. Sign the server certificate with CA (tried both with and without CA CRL Host).
5. Make server certificate trusted (KIT).
6. Apply server certificate at OVPN Server.
7. Export CA certificate without passphrase to PEM.

In Client:
1. Import CA certificate (LAT)
2. Try to connect to server and get TLS Failed
(Disable "Verify Server Certificate" and client connects successfully.)

Am I doing something wrong ?
 
tdw

Re: Ovpn - verify server certificate issue

Tue Jun 08, 2021 11:02 pm

3. Create server certificate.
with which key usage flags?

In Client:
1. Import CA certificate (LAT)
When importing the CA created without a CRL host I would expect the flags to be AT
 
bekax5

Re: Ovpn - verify server certificate issue

Wed Jun 09, 2021 1:41 am

3. Create server certificate.
with which key usage flags?

In Client:
1. Import CA certificate (LAT)
When importing the CA created without a CRL host I would expect the flags to be AT
server certificate with: "digital signature", "key encipherment" and "tls server".

CA was signed with CA CRL Host (my public domain name).
And then imported in the ovpn client.
 
bekax5

Re: Ovpn - verify server certificate issue  [SOLVED]

Wed Jun 09, 2021 8:08 am

Ended up changing CA CRL Host from public domain name to local IP and it started working.

I thought this had to be public but seems I was wrong.

I'm pretty new to certs, but does any client or server use common-name or subject alt name for anything? Or is this just a random string?
I mean, if I use domain names for common-name or subject alt. name, won't they be used during auth to guarantee it's the correct server being connected to, for example?
 
nichky
Forum Guru
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: Ovpn - verify server certificate issue

Wed Jun 09, 2021 9:05 am

use this

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2

/certificate
sign ca-template ca-crl-host=1.2.3.4 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

Gateway IP of the Router: ca-crl-host=1.2.3.4

/certificate
set myCa trusted=yes
set server trusted=yes

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

between MikroTik works well, but in windows it's so disturbing, setting up OpenVPN on windows takes a looooot of time.

ipsec.ike2 is the proper choice for me Simple OpenVPN Server on Mikrotik
 
bekax5

Re: Ovpn - verify server certificate issue

Wed Jun 09, 2021 9:28 am

I got it working, thanks!

It was a misconfiguration of CA CRL Host.
I was using the public domain instead of the gateway IP as you suggested.

I'm also trying to understand if CN and SAN are used for anything?
Or are they simply random strings that could be ignored...
 
tdw

Re: Ovpn - verify server certificate issue

Wed Jun 09, 2021 1:20 pm

If you provide a CRL host it should actually serve a CRL, otherwise there is no point specifying it. Also, from a number of forum posts a number of people have found that using the 'server' Mikrotik address or loopback IP for a CRL is fine until you replace that Mikrotik, when despite importing backup copies of certificates and keys they no longer work.

The Common Name (CN) depends on the context in which the certificate is going to be used - it can be some descriptive text, the name of a person, an email address, but typically a fully-qualified domain name of a client or server engaging in SSL/TLS communications.

The Subject Alternative Name (SAN) allows multiple alternate identifiers of specific types to also be included, often used to include DNS names for a web server hosting multiple domains for one organisation, or an IP address in self-signed certificates.

Whilst Mikrotik have not provided a check for OpenVPN client connections, with SSTP client connections there is a verify-server-address-from-certificate option which makes the client check that the hostname or IP connected to matches one present in the host certificate.
 
bekax5

Re: Ovpn - verify server certificate issue

Fri Jun 11, 2021 1:33 pm

If you provide a CRL host it should actually serve a CRL, otherwise there is no point specifying it. Also, from a number of forum posts a number of people have found that using the 'server' Mikrotik address or loopback IP for a CRL is fine until you replace that Mikrotik, when despite importing backup copies of certificates and keys they no longer work.

The Common Name (CN) depends on the context in which the certificate is going to be used - it can be some descriptive text, the name of a person, an email address, but typically a fully-qualified domain name of a client or server engaging in SSL/TLS communications.

The Subject Alternative Name (SAN) allows multiple alternate identifiers of specific types to also be included, often used to include DNS names for a web server hosting multiple domains for one organisation, or an IP address in self-signed certificates.

Whilst Mikrotik have not provided a check for OpenVPN client connections, with SSTP client connections there is a verify-server-address-from-certificate option which makes the client check that the hostname or IP connected to matches one present in the host certificate.
Awesome!
Thanks a lot for the explanation, that was exactly what I was looking for.
It was also not clear to me whether there could be some verification used in OVPN. It is now.
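The certificate setup the thread walks through (a CA with key cert sign + crl sign and a CRL host, a server certificate with digital signature, key encipherment and tls server) and tdw's explanation of what the client does and does not check, reproduced with OpenSSL as an added example that is not from the thread, from MikroTik or from RouterOS. It assumes openssl 1.1.1 or newer on the path; the CRL host 192.0.2.1 and the name vpn.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example: rebuild the thread's certificate chain with OpenSSL and show
# what each verification step checks. Assumes openssl >= 1.1.1 (for -addext).
set -e
WORK=$(mktemp -d)

# CA certificate with the OP's key usages (key cert sign + crl sign) and a CRL host.
# 192.0.2.1 stands in for the router's gateway IP (constructed placeholder).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=myCa" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -addext "crlDistributionPoints=URI:http://192.0.2.1/crl" 2>/dev/null

# Server certificate with "digital signature", "key encipherment" and "tls server"
# (serverAuth), carrying the name the client connects to in the SAN.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
cat > "$WORK/server.ext" <<EOF
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:vpn.example.test,IP:192.0.2.1
EOF
openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# 1. The check "Verify Server Certificate" performs: does the presented server
#    certificate chain to a CA in the client's trust store?
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
}
# 2. The same check with CRL checking on: it fails because the CRL host serves
#    no CRL, which is tdw's point about a CRL host that does not serve one.
verify_with_crl() {
  openssl verify -CAfile "$WORK/ca.crt" -crl_check "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
}
# 3. The name check the MikroTik OVPN client does not do (SSTP's
#    verify-server-address-from-certificate does): does the connected-to
#    hostname match the server certificate's SAN/CN?
verify_hostname() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1 && echo ok || echo fail
}

echo "chain: $(verify_chain)"
echo "chain+crl: $(verify_with_crl)"
echo "hostname vpn.example.test: $(verify_hostname vpn.example.test)"
echo "hostname other.example.test: $(verify_hostname other.example.test)"
```

Step 3 passes for the name in the SAN and fails for any other name, which is the guarantee the OP asked about and which the OVPN client alone does not give.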
