MikroTik: Creating a Self-signed Certificate for use in API-SSL

Updated by Mitchell Paul-Soumis

Why Would I do this?

Because Sonar requires API-SSL access, this is a quick and easy guide to building a self-signed certificate that can be applied to the API-SSL service. All this does is encrypt communication between Sonar and the MikroTik. It is not used to limit access or to prevent other IPs from connecting.

Setup Steps:

  1. From a Winbox session of the MikroTik you'd like to generate the certificate for, open a new terminal session.
  2. Create a certificate template with the following commands in the MikroTik terminal:

       /certificate
       add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign

  3. Sign the certificate and add the CRL URL. We will use the IP address of the Sonar instance as the CRL URL. This address can be looked up by typing your instance URL into https://mxtoolbox.com/DNSLookup.aspx.

       sign ca-template ca-crl-host=$IP_of_Sonar_instance name=myCa

     If signing certificates on mipsbe CPU-based devices (RB7xx, RB2011, RB9xx), this process might take a while depending on the key size of the certificate. With values of 4k and higher, signing might take a substantial amount of time.
     Templates are automatically removed after the certificate is signed.
  4. If the certificate does not have the T flag, you need to set it as trusted before using it:

       set myCa trusted=yes

Once these steps are complete, you can use the new certificate. Under IP > Services, enable api-ssl and select 'myCa' in the 'Certificate' drop-down.
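
Because the certificate is self-signed, a client cannot validate it against a public CA, so a useful follow-up check is to confirm that api-ssl presents the certificate you created. The Python script below is an added example, not code from Sonar or MikroTik. It assumes the service listens on the RouterOS default api-ssl port 8729 and that you have recorded the SHA-256 fingerprint of myCa from the router's own certificate listing; the script and function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

API_SSL_PORT = 8729  # RouterOS default port for the api-ssl service


def normalize_fingerprint(text: str) -> str:
    """Strip colons/spaces and lower-case so differently formatted pins compare equal."""
    cleaned = text.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex characters)")
    return cleaned


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """True when the SHA-256 of the DER certificate equals the recorded fingerprint."""
    presented = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(presented, normalize_fingerprint(pinned))


def fetch_presented_cert(host: str, port: int = API_SSL_PORT, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the service presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    # The client has no CA chain for a self-signed certificate, so chain and
    # hostname checks are switched off here and trust is decided by the pin instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise ConnectionError("service presented no certificate")
    return der


def check_router(host: str, pinned: str, port: int = API_SSL_PORT) -> bool:
    """Fetch the certificate from host:port and compare it with the pinned fingerprint."""
    return matches_pin(fetch_presented_cert(host, port), pinned)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        ok = check_router(sys.argv[1], sys.argv[2])
        print("certificate matches pin" if ok else "MISMATCH: unexpected certificate")
        sys.exit(0 if ok else 1)
    print("usage: check_api_ssl.py <router-address> <sha256-fingerprint>")
```

A mismatch means the service is presenting a different certificate than the one you signed, for example because another certificate is selected under IP > Services.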
