Mikrotik… need I say More?
Show MenuHide Menu

SSTP VPN with SSL Certificate with Mirkotik

February 20, 2013

Mikrotik SSTP VPN with a SSL Certificate  HOW TO by Travis Kenner

Mikrotik RB750GL Running Package version 6.0rc11
Go Daddy account with a nice $8.00 SSL Certificate and a domain registered

NOTE: When connecting a Mikrotik to another Mikrotik using SSTP you do NOT need an SSL certificate. Mikrotik to Mikrotik will take care of itself.

PLEASE NOTE: For any configuration examples please visit the Mikrotik Forums for help and support. There are some really knowledgeable people on the forums who will be able to help you with your individual setups.


All I’m going to say is no coffee and no sleep and finally I got it working

Find a Linux Box and use openssl to generate a Private Key:
Depending on your flavor if it does not have open ssl,  Google how to add openssl to your linux distro.

GOOGLE is your best friend 😉

Okay from a command line You will most likely need root to do this I was root on my box even though this is a no no most of the time he he 😉 type this in:


openssl genrsa -des3 -out sstp.priv.key 2048


Note: The -out name can be anything you want but I chose a name that had something descriptive for what I was setting up  example  sstp.somedomain.com so I used the sstp as the beginning and then the .priv.key reminds me that this is the priv key I made.

Enter Your Pass Phrase:
You are now done making the Private Key

Generate Your CSR for the Private Key:
Again from the command line:


openssl req -new -key sstp.priv.key -out sstp.csr -config /etc/ssl/openssl.cnf


Note: the -out for this is the CSR so again I made it descriptive so I remember later what FQDN I made this CSR for

( -out with something like   -out  7h3dty36ehd.csr     is not very helpful 5 months down the road at 4 am LOL)

Note: I added the -config /etc/ssl/openssl.cnf  as I made my .csr on a QNAP linux NAS box and it couldn’t find the openssl config file it needed to run.

Enter Your pass phrase from the Priv Key Pair when it prompts.
Now its going to ask for some Info:

Fill in all your info BUT make sure Common Name is your FQDN  eg.   sstp.somedomain.com

This is CRUCIAL. You mess up the name and you pooched your SSL Certificate when you submit it with a CN (Comman Name) that was not spelled correctly. Good thing you bought a GoDaddy $8.00 SSL Certificate right . . . .

Enter a Challenge password if it prompts for one

NEWB NOTE: Write this stuff down or record it somewhere so you don’t forget what all your passwords were another 6 months down the road <.<


Now open the CSR file you made on the linux box using vi or nano and paste the contents into your SSL providers CSR text box so you can get it sent off to get your certificate.
I was using Putty to do this so I could paste from Putty to a web browser.

They will process the .csr contents you pasted into the CSR box and then you should be able to download a nice new shiny .CRT file to add to your Mikrotik when you get approved.
Now once it is processed and you can download the CRT, copy the CRT you download from GoDaddy and the Priv Key you generated on your linux box and drop those 2 files into your Mikrotik Routers Files area


Open a new Terminal on your Mikrotik:
Now you need to Import using these command lines:

/certificate import file-name=name-of-your-crt-certificate-you-dumped-in-files

Enter your passphrase from when you created the CSR for the CRT
You wrote it down riiggghhttt?


Now you also need to import the PRIV KEY you made and copied to the Mikrotik

/certificate import file-name=name-of-the-priv-key-you-made

Enter your password for the Priv Key

The Mikrotik should display KR in the left panel of System | Certificate to let you know the priv key and CRT you imported worked
If you don’t get a KR it didn’t work

Now you have a SSL Certificate for connecting to your Mikrotik using SSTP

Make sure when connecting from for example a windows 7 Box that the SSTP client you setup has the FQDN of your Mikrotik as if you don’t use the FQDN then the SSL Certificate CN Name won’ match the Clients connect to server address and the client will drop the connetion.

Leave a Reply

Your email address will not be published. Required fields are marked *

3 visitors online now
3 guests, 0 members
Max visitors today: 8 at 12:33 am UTC
This month: 39 at 10-18-2016 03:30 pm UTC
This year: 39 at 10-18-2016 03:30 pm UTC
All time: 39 at 10-18-2016 03:30 pm UTC