

Configuring self-signed certificates-RouterOS Intermediate tutorial 06

2025-02-22 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Overview:

If site-to-site links between offices use protocols such as OVPN or SSTP, certificates are needed to authenticate the tunnel endpoints and secure the tunnel.

In RouterOS 5.x you had to generate the certificates yourself with OpenSSL and import them. From 6.x onward the RouterOS certificate component has matured and the router can sign certificates itself.

This chapter covers how to generate those certificates.

1. From RouterOS 6.4x onward, certificates can be generated in the GUI and the enrollment process has been streamlined, so upgrade your router to get this support and a better experience.

2. RouterOS also supports SCEP (Simple Certificate Enrollment Protocol). This article nevertheless uses the traditional way of signing the certificates by hand.

There are two ways to set up the certificates:

Standard: a hierarchy, similar to root certificate + intermediate certificate + client certificate, where each client certificate can be revoked separately without affecting the others.

Quick: a single certificate is generated and used for everything, so revoking it revokes access for every peer at once.

This tutorial uses the standard way.

Generate a certificate:

Open WinBox and connect to the HQ router's management interface.

Click System > Certificates.

1. Generate the root certificate

Click the + sign to create a new certificate, fill in the fields shown, and click OK when done.

Switch to the Key Usage tab and leave only the two items shown.

2. Generate the intermediate certificate (here the server certificate)

Add a new certificate named server (it authenticates the server side of the connection).

In Key Usage, check the two items shown.

3. Generate the client certificate

Add another certificate named Client.

In Key Usage, check the one item shown.

We now have the following three certificates:

Signing the certificates:

1. Sign the root certificate; this router is also the CRL host.

Select the CA certificate, right-click it, and choose Sign.

Enter the CRL host address and click Start to generate the certificate.

The time this takes depends on the key size. When it finishes, the CA entry shows four flags in the certificate list.

2. Sign the intermediate certificate with the root certificate as CA

Right-click the Server certificate, choose Sign, set CA to the root certificate as shown, and click Start.

Double-click the Server certificate and mark it as Trusted.

The certificate now shows the flags KIT (private key, issued, trusted).

3. Sign the Client certificate

This one is simple: right-click it and choose Sign with the root certificate as CA; no other settings are needed.

The three completed certificates:

Exporting certificates

Certificates are exported so that other peers (routers, computers, mobile devices) can use them to authenticate and encrypt the tunnel.

RouterOS makes this easy now.

We need to export two files: the CA certificate and the Client certificate.

The CA export needs no passphrase because only its public certificate is written out; the CA's private key stays on the router and should never be distributed. The Client export needs a passphrase, which encrypts the exported private key.

1. Export the CA

Right-click the CA certificate and choose Export.

Just click Export.

2. Export the Client (passphrase required)

Right-click it, choose Export, enter the passphrase, and export.

Note: there are two export formats, PEM and PKCS#12.

PEM is used when the peer is a router; PKCS#12 is for Apple and Windows devices.

Downloading the certificates

The exported files are stored in the router's file system.

Click Files to see them.

There are three files: the CA certificate, the Client certificate, and the Client key.

Drag and drop these three files to the desktop, or right-click them and choose Download.

Final download result:
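The same procedure run from the RouterOS 6.x terminal instead of WinBox, as an added example that is not from the original article: it creates the CA / server / client chain, signs it, marks the server certificate trusted, exports the CA and client files, and shows how a single client is revoked in the standard hierarchy. The certificate names, key sizes, validity periods, the key-usage sets, the CRL host address 192.168.88.1 and the export passphrase are assumptions; the key usages are the ones normally chosen for each role and may differ from what the screenshots show.

```routeros
# Added example: certificate chain built from the /certificate menu in the CLI.
# Names, key sizes, validity, key usages, CRL host and passphrase are assumptions.

# 1. Templates. Key usage matches each role: the CA only signs certificates
#    and CRLs, the server authenticates the tunnel endpoint, the client
#    authenticates the dial-in peer.
/certificate add name=CA common-name=CA key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign
/certificate add name=server common-name=server key-size=2048 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate add name=client common-name=client key-size=2048 days-valid=365 key-usage=tls-client

# 2. Sign. The CA signs itself and becomes the CRL host; server and client
#    are signed by the CA. The private key is generated at this step, so the
#    time taken depends on the key size.
/certificate sign CA ca-crl-host=192.168.88.1 name=CA
/certificate sign server ca=CA name=server
/certificate sign client ca=CA name=client

# 3. Mark the server certificate trusted so OVPN/SSTP servers will use it.
/certificate set server trusted=yes

# 4. Check the result. Expected flags: KLAT on CA (private key, CRL,
#    authority, trusted), KIT on server, KI on client.
/certificate print

# 5. Export. With an empty passphrase only the public certificate is written,
#    so the CA private key never leaves the router. The client export needs a
#    passphrase; the exported key file is encrypted with it. type=pem is the
#    router-to-router format; use type=pkcs12 for Apple and Windows peers.
/certificate export-certificate CA export-passphrase=""
/certificate export-certificate client export-passphrase=Client-Export-Pass1 type=pem

# The files appear under Files as cert_export_CA.crt, cert_export_client.crt
# and cert_export_client.key; download them with WinBox, FTP or SFTP.
/file print where name~"cert_export"

# Standard hierarchy: one client can be revoked on its own, leaving the CA,
# the server certificate and every other client untouched.
# /certificate issued-revoke client
```

Keep the CA private key on the HQ router only; every branch router and end device needs just the CA's public certificate plus its own certificate and key.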

In the next section we import the certificates into the branch office's RouterOS router and dial in with OVPN.


© 2024 shulou.com SLNews company. All rights reserved.
