top of page
Search
Sep 154 min read

Complaint: Revoked certificates continue to work! How to Fully Configure OpenVPN on MikroTik with CRL (Certificate Revocation List) Feature

Introduction

In today's world, securing remote connections is more critical than ever, and OpenVPN has become a go-to solution for many network administrators. However, setting up a VPN server isn't just about establishing connectivity; it's about ensuring that only authorized users have access. This is where features like certificate revocation come into play.

Recently, I was contacted by a customer who had set up an OpenVPN server on his MikroTik router using a local Certificate Authority (CA). Despite having revoked the client certificate, the client was still able to log in. Initially, I assumed that the customer had not enabled the option to verify client certificates, but after receiving and reviewing the router's support file, I found the issue: although the certificate had been revoked, no Certificate Revocation List (CRL) was configured on the server.

This prompted me to develop a script that not only automates the OpenVPN server setup on MikroTik but also ensures that the CRL feature is implemented, preventing revoked certificates from accessing the server. In this blog post, I will walk you through the background, explain how the script works, and share the complete solution.

The Problem: Misconfigured VPN Server without CRL

The customer had correctly revoked the certificate for a client who should no longer have access to the VPN. However, the client was still able to log in despite the revocation. After reviewing the support file from the customer's router, I discovered that the "Verify Client Certificate" option was enabled, but there was no CRL in place. Without this, even revoked certificates remain valid, allowing unauthorized access.

The CRL is crucial in such cases because it provides the server with a list of certificates that should no longer be trusted. Without it, revoking a certificate becomes ineffective. That's why I created this script — to automate the process of setting up OpenVPN with all the necessary security measures, including CRL enforcement.


When setting up an OpenVPN server on MikroTik, ensuring that revoked certificates are properly handled is critical. However, several issues can arise during the process:

  1. Providing the CRL Host for the CA:

    • When you generate a Certificate Authority (CA) certificate, you need to specify the host address where the Certificate Revocation List (CRL) will be hosted. If this is not configured correctly, revoked certificates will not be checked.

  2. Adding Correct CRL File Path to the MikroTik CRL list

    • The CRL file path on MikroTik’s web server has a tricky format: http://YourRouterAddress/crl/X.crl. The challenge is that X represents the CA's ID in decimal form, but the ID provided by MikroTik is in hexadecimal. This requires conversion to avoid errors in the CRL path.

  3. Forcing MikroTik to Download the CRL:

    • After setting up the CRL host and path, you must ensure that the router downloads the CRL and keeps it updated. Often, users forget this step, which results in revoked certificates not being rejected.

  4. Instructing MikroTik to Honor the CRL:

    • Even after configuring the CRL, the router needs to be explicitly told to use the CRL when verifying client certificates. Without this setting, revoked certificates will still be allowed to connect.

Solution: Step-by-Step Guide to Configuring CRL for OpenVPN on MikroTik


1. Providing the CRL Host for the CA

To properly configure the Certificate Authority (CA) and specify the CRL host, use the following command when generating the CA certificate:

routeros

/certificate add name="MYCA01" common-name="yourdomain.com" key-usage=crl-sign,key-cert-sign days-valid=3650 ca-crl-host=192.168.1.1 
/certificate sign MYCA01

This command sets the ca-crl-host to the router's IP address where the CRL will be hosted. Make sure to replace 192.168.1.1 with your actual router address


2. Determining the Correct CRL File Path

MikroTik uses a specific format for the CRL file path: http://YourRouterAddress/crl/X.crl. However, you need to replace X with the CA’s decimal ID. Here's how to find and convert the ID:

  1. Use this command to find the hexadecimal ID of your CA certificate:

:foreach id in=[/certificate find] do={:local name [/certificate get $id name]; :put ($id." ".$name)}

Result

*1 MYCA01
*2 SERVER
*3 CLIENT-01

2.  Convert the hexadecimal ID to decimal. For example, if the ID is 0xa, convert it to decimal using an online tool or calculator, which gives 10.

3. Your CRL path will be:

3. Adding the CRL to MikroTik’s CRL List

Once you have the correct CRL path, add it to MikroTik’s CRL list:

/certificate crl add url="http://192.168.1.1/crl/1.crl"

This command informs the router where to retrieve the CRL file for revoked certificates.


4. Forcing the Router to Download the CRL

After adding the CRL path, you need to force the router to download the CRL immediately:

/certificate crl download

This ensures the router downloads the CRL and starts using it to validate certificates.


5. Instructing MikroTik to Honor the CRL

Finally, tell the OpenVPN server to check the CRL when verifying client certificates:

/certificate settings set crl-download=yes crl-use=yes

This command ensures that the OpenVPN server will only accept clients whose certificates are valid and not revoked.


Complete solution

For a complete automated script taking care of setting up the Open VPN server on MikroTik RouterOS, take a look at this repository https://github.com/MoLuke-CA/MikroTik-Snippets/tree/main/OpenVPN


Comments

bottom of page