Commit graph

20 commits

Author SHA1 Message Date
Christian Hesse
3c61cf57c4 certs: add Cloudflare certificates...
... for later use.
2023-06-13 20:26:55 +02:00
Christian Hesse
589492621b certs: add GlobalSign certificates...
... for later use.
2023-06-13 20:26:55 +02:00
Christian Hesse
e927c6b08b global-functions: $GetMacVendor: switched to Let's Encrypt (R3)
So let's check for the correct one, and drop the other.
2022-09-13 15:18:28 +02:00
Christian Hesse
15e60da7f0 certs: drop old chain GTS CA 1O1 / GlobalSign
2021-09-21 21:26:09 +02:00
Christian Hesse
44d2f04e0e certs: add new chain GTS CA 1C3 / GTS Root R1
This is used by Google DNS (8.8.8.8).

$CertificateAvailable "GTS CA 1C3"
/ip dns set use-doh-server=https://8.8.8.8/dns-query verify-doh-cert=yes
2021-09-20 20:56:55 +02:00
Christian Hesse
ec7c88a780 certs: drop old intermediate cert DigiCert ECC Secure Server CA
2021-09-20 20:54:11 +02:00
Christian Hesse
a3798ff656 certs: add new intermediate cert DigiCert TLS Hybrid ECC SHA384 2020 CA1
This is used by Cloudflare DNS (1.1.1.1) and Quad9 (9.9.9.9).

$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

$CertificateAvailable "DigiCert TLS Hybrid ECC SHA384 2020 CA1"
/ip dns set use-doh-server=https://9.9.9.9/dns-query verify-doh-cert=yes
2021-09-20 20:52:03 +02:00
Christian Hesse
f2433b8091 drop certificate DST Root CA X3
Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root
X1") on July 8, 2019, but postponed several times.

Finally they found another solution: A certificate 'ISRG Root X1', but
cross-signed with 'DST Root CA X3' and with a lifetime that exceeds that
of the root CA. This is said to work for most operating systems where root
certificate authorities are just 'trust anchors'.

I doubt this is true for RouterOS, where certificates are just imported
into the certificate store. So let's migrate to 'ISRG Root X1' now.
2021-05-18 16:32:26 +02:00
Christian Hesse
b0e52aa2d1 global-functions: $GetMacVendor: requires certificate "Cloudflare Inc ECC CA-3" now
2021-02-24 21:48:36 +01:00
Christian Hesse
97ade535d9 certs: add plain text info about certificates
Also order certificates, so we have:
 * intermediate
 * root
 * alternative root, if any

Let's add 'ISRG Root X1' for 'E1' as there will be a valid cross-signed
chain 'E1' -> 'ISRG Root X2' -> 'ISRG Root X1'.
2020-12-30 00:45:11 +01:00
Christian Hesse
05a9531dac certs: remove Let's Encrypt Authority X3
2020-12-18 20:32:29 +01:00
Christian Hesse
50199a57a0 certs: add new Let's Encrypt certificates
https://letsencrypt.org/certificates/
2020-12-17 21:58:53 +01:00
Christian Hesse
3589416840 add certificate 'GTS CA 1O1'
This is used by DNS over HTTPS services:

https://dns.google/dns-query
2020-06-10 11:08:18 +02:00
Christian Hesse
8a88743e9f add certificate 'DigiCert ECC Secure Server CA'
This is used by DNS over HTTPS services:

https://cloudflare-dns.com/dns-query
https://dns9.quad9.net/dns-query (secured)
https://dns10.quad9.net/dns-query (unsecured)

https://github.com/curl/curl/wiki/DNS-over-HTTPS
2020-03-20 12:07:11 +01:00
Christian Hesse
42834e9de1 global-functions: $CertificateAvailable: fetch by CommonName
Now that we have a proper $UrlEncode function... Fetch certificates
by CommonName.

Also remove the PEM after import.
2019-04-30 16:52:53 +02:00
Christian Hesse
bc36fb74c3 update-tunnelbroker: verify certificate
2019-01-02 15:02:42 +01:00
Christian Hesse
f4673928ef global-functions: make $CertificateAvailable work on CommonName
This should prevent endless certificate switching for Let's Encrypt
cross-signed intermediate certificates.
2018-12-20 22:21:00 +01:00
Christian Hesse
abdc9b0cbd README: add Root CA certificate DST Root CA X3
This is used by Let's Encrypt to cross-sign.
2018-12-20 17:25:23 +01:00
Christian Hesse
f111669673 README: download certificates from repository
2018-10-16 16:31:57 +02:00
Christian Hesse
d81e1bf195 global-functions: import certificates if required
Signed-off-by: Christian Hesse <mail@eworm.de>
2018-10-16 16:06:25 +02:00