Mikrotik SSTP VPN with a SSL Certificate HOW TO by Travis Kenner
Mikrotik RB750GL Running Package version 6.0rc11
Go Daddy account with a nice $8.00 SSL Certificate and a domain registered
NOTE: When connecting a Mikrotik to another Mikrotik using SSTP you do NOT need an SSL certificate. Mikrotik to Mikrotik will take care of itself.
PLEASE NOTE: For any configuration examples please visit the Mikrotik Forums for help and support. There are some really knowledgeable people on the forums who will be able to help you with your individual setups.
All I’m going to say is: no coffee and no sleep, and finally I got it working.
Find a Linux Box and use openssl to generate a Private Key:
Depending on your flavor, if it does not have openssl, Google how to add openssl to your Linux distro.
GOOGLE is your best friend 😉
Okay, from a command line (you will most likely need root to do this; I was root on my box even though this is a no-no most of the time, he he 😉) type this in:
openssl genrsa -des3 -out sstp.priv.key 2048
Note: The -out name can be anything you want, but I chose a name that was descriptive of what I was setting up, e.g. sstp.somedomain.com, so I used sstp as the beginning and then .priv.key reminds me that this is the priv key I made.
Enter Your Pass Phrase:
You are now done making the Private Key
Generate Your CSR for the Private Key:
Again from the command line:
openssl req -new -key sstp.priv.key -out sstp.csr -config /etc/ssl/openssl.cnf
Note: the -out for this is the CSR, so again I made it descriptive so I remember later what FQDN I made this CSR for.
( -out with something like -out 7h3dty36ehd.csr is not very helpful 5 months down the road at 4 am LOL)
Note: I added the -config /etc/ssl/openssl.cnf as I made my .csr on a QNAP linux NAS box and it couldn’t find the openssl config file it needed to run.
Enter Your pass phrase from the Priv Key Pair when it prompts.
Now it’s going to ask for some info:
Fill in all your info BUT make sure Common Name is your FQDN eg. sstp.somedomain.com
This is CRUCIAL. You mess up the name and you pooched your SSL Certificate when you submit it with a CN (Common Name) that was not spelled correctly. Good thing you bought a GoDaddy $8.00 SSL Certificate right . . . .
Enter a Challenge password if it prompts for one
NEWB NOTE: Write this stuff down or record it somewhere so you don’t forget what all your passwords were another 6 months down the road <.<
Now open the CSR file you made on the Linux box using vi or nano and paste the contents into your SSL provider’s CSR text box so you can get it sent off to get your certificate.
I was using Putty to do this so I could paste from Putty to a web browser.
They will process the .csr contents you pasted into the CSR box, and when you get approved you should be able to download a nice new shiny .CRT file to add to your Mikrotik.
Once it is processed and you can download the CRT, copy the CRT you downloaded from GoDaddy and the priv key you generated on your Linux box and drop those 2 files into your Mikrotik router’s Files area.
Open a new Terminal on your Mikrotik:
Now you need to Import using these command lines:
/certificate import file-name=name-of-your-crt-certificate-you-dumped-in-files
Enter your passphrase from when you created the CSR for the CRT
You wrote it down riiggghhttt?
Now you also need to import the PRIV KEY you made and copied to the Mikrotik:
/certificate import file-name=name-of-the-priv-key-you-made
Enter your password for the Priv Key
The Mikrotik should display KR in the left panel of System | Certificate to let you know the priv key and CRT you imported worked
If you don’t get a KR it didn’t work
Now you have an SSL Certificate for connecting to your Mikrotik using SSTP.
Make sure when connecting from, for example, a Windows 7 box that the SSTP client you set up uses the FQDN of your Mikrotik as the server address. If you don’t use the FQDN, the SSL Certificate CN name won’t match the address the client connects to, and the client will drop the connection.
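Added example (my own script, not Travis’s commands or anything from Mikrotik): it runs the same genrsa and req steps non-interactively and then does the two checks worth doing before spending the $8 and before pasting anything into the router: read the CN back out of the CSR (and later the CRT) to make sure it is the exact FQDN your clients will dial, and confirm the CRT really belongs to the priv key you are about to import, which is what the KR flag in System | Certificate is telling you. It assumes openssl is on PATH; the FQDN sstp.example.com, the subject fields, the pass phrase and the self-signed stand-in for the GoDaddy CRT are all constructed placeholders.

```sh
#!/bin/sh
# Added example for this HOW TO (not the author's own commands): a non-interactive
# run of the key + CSR steps followed by two pre-flight checks, one on the CSR's
# Common Name before you paste it to the CA, and one that the private key really
# belongs to the certificate before you import both into the Mikrotik.
# Assumes openssl is on PATH. FQDN, subject fields and the pass phrase are
# constructed placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN="sstp.example.com"          # constructed; use the name your clients will dial
PASS="pass:changeme-demo-only"   # constructed pass phrase for the private key

# Same as the page's genrsa step; -passout feeds the pass phrase so nothing prompts.
openssl genrsa -des3 -passout "$PASS" -out "$WORK/sstp.priv.key" 2048 2>/dev/null

# Same as the page's req step, with -subj instead of the interactive questions.
# The CN must be the exact FQDN; that is what the SSTP client compares against.
openssl req -new -key "$WORK/sstp.priv.key" -passin "$PASS" \
  -subj "/C=US/ST=Somewhere/L=Somecity/O=Example Org/CN=$FQDN" \
  -out "$WORK/sstp.csr"

# csr_cn CSR: print the Common Name so a typo is caught before the CSR is sent off.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_cn CRT: the same check on the certificate the CA sends back.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CRT PASSARG: prints 1 when the certificate's public key was
# derived from KEY (the pair RouterOS will flag as KR after import), else 0.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -passin "$3" -noout -modulus 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null || true)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo 1; else echo 0; fi
}

# Stand-ins (constructed) for what you would otherwise download or mix up: a
# self-signed CRT made from the CSR above, and an unrelated key that does NOT
# belong to it.
openssl x509 -req -in "$WORK/sstp.csr" -signkey "$WORK/sstp.priv.key" \
  -passin "$PASS" -days 30 -out "$WORK/sstp.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

echo "CSR CN:            $(csr_cn "$WORK/sstp.csr")"
echo "CRT CN:            $(cert_cn "$WORK/sstp.crt")"
echo "right key matches: $(key_matches_cert "$WORK/sstp.priv.key" "$WORK/sstp.crt" "$PASS")"
echo "other key matches: $(key_matches_cert "$WORK/other.key" "$WORK/sstp.crt" "$PASS")"
```

If key_matches_cert prints 0 for the CRT you downloaded, you signed the CSR with a different key than the one you are copying to the router, and the import will never show KR no matter how many times you retype the pass phrase. If cert_cn prints anything other than the exact name in your client’s server address, the client will drop the connection for the reason given above.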