diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md index fa32654..9df69fa 100644 --- a/INITIAL-COMMANDS.md +++ b/INITIAL-COMMANDS.md @@ -10,7 +10,7 @@ procedure please follow [the long way in detail](README.md#the-long-way-in-detai / tool fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/R3.pem" dst-path="letsencrypt-R3.pem"; :delay 1s; / certificate import file-name=letsencrypt-R3.pem passphrase=""; - :if ([ :len [ / certificate find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ] ] != 3) do={ + :if ([ :len [ / certificate find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ] ] != 2) do={ :error "Something is wrong with your certificates!"; } / file remove "letsencrypt-R3.pem"; @@ -22,7 +22,6 @@ procedure please follow [the long way in detail](README.md#the-long-way-in-detai :global CertificateNameByCN; $CertificateNameByCN "R3"; $CertificateNameByCN "ISRG Root X1"; - $CertificateNameByCN "DST Root CA X3"; } Optional to update the scripts automatically: diff --git a/README.md b/README.md index e102202..c5c0ba5 100644 --- a/README.md +++ b/README.md @@ -66,30 +66,22 @@ files to your MikroTik device. Then we import the certificates. [admin@MikroTik] > / certificate import file-name=letsencrypt-R3.pem passphrase="" - certificates-imported: 3 + certificates-imported: 2 private-keys-imported: 0 files-imported: 1 decryption-failures: 0 keys-with-no-certificate: 0 For basic verification we rename the certificates and print their count. Make -sure the certificate count is **three**. +sure the certificate count is **two**. [admin@MikroTik] > / certificate set name="R3" [ find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" ] [admin@MikroTik] > / certificate set name="ISRG-Root-X1" [ find where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ] - [admin@MikroTik] > / certificate set name="DST-Root-CA-X3" [ find where fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ] - [admin@MikroTik] > / certificate print count-only where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" - 3 + [admin@MikroTik] > / certificate print count-only where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" + 2 Always make sure there are no certificates installed you do not know or want! -Actually we do not require the certificate named `DST Root CA X3`, but as it -is used by `Let's Encrypt` to cross-sign we install it anyway - this makes -sure things do not go wrong if the intermediate certificate is replaced. -The IdenTrust certificate *should* be available from their -[download page](https://www.identrust.com/support/downloads). The site is -crap and a good example how to *not* do it. - Now let's download the main scripts and add them in configuration on the fly. [admin@MikroTik] > :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script) output=user as-value]->"data"); } diff --git a/certs/R3.pem b/certs/R3.pem index ac322ec..837b709 100644 --- a/certs/R3.pem +++ b/certs/R3.pem @@ -235,80 +235,3 @@ oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b - Signature Algorithm: sha1WithRSAEncryption - Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 - Validity - Not Before: Sep 30 21:12:19 2000 GMT - Not After : Sep 30 14:01:15 2021 GMT - Subject: O = Digital Signature Trust Co., CN = DST Root CA X3 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90: - 82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40: - c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93: - ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2: - 2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89: - a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14: - 30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80: - 65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec: - 52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09: - 8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd: - 70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6: - 30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c: - 92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72: - d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97: - eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15: - 02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83: - 69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0: - 02:5d - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10 - Signature Algorithm: sha1WithRSAEncryption - a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f: - 4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b: - a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3: - 20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd: - b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94: - 3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9: - dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce: - e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf: - 0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52: - 67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31: - 85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64: - 63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65: - b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77: - 96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d: - 82:35:35:10 ------BEGIN CERTIFICATE----- -MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow -PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD -Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O -rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq -OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b -xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw -7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD -aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG -SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 -ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr -AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz -R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 -JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo -Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ ------END CERTIFICATE-----