Goal:<\/li>\n\n\n\n
As an intern at trustsec IT solutions my task was to migrate the company network onto new devices. We will use solely mikrotik devices as managed switches from now on.
These devices are RouterBoards but we will use them as switches instead of routers. They come with a management webinterface which by default is accessible via http. For security reasons we want to close this port and only make it available via https. Therefore all the switches need certificates. As we do not want to have to repeat the process manually every year, this tutorial is about how to automate this with an SCEP-Server. SCEP stands for Simple Certificate Enrollment Protocol and is just what we want.<\/p>\n\n\n\n
Using an SCEP-server is not the only way to achieve this on these devices. Mikrotik RouterOS comes with a few options:<\/p>\n\n\n\n
- \n
- self-signed certificates<\/li>\n\n\n\n
- let’s encrypt<\/li>\n\n\n\n
- scep
You could also use tools like ansible or puppet to deploy the configurations and certificates, but as this are switches you will only configure once it seems to be a lot of overhead. It makes sense if you have a lot of devices or more than one network to take care of. But we have to manage only a handful of devices and only this network to setup.
So in this case, using a scep server was the best option. Following is a brief overview of strengths and drawbacks of the previously mentioned options:<\/li>\n\n\n\n - self-signed certificates:\n
- \n
- every router could just sign the certificates themselves, directly on the device<\/li>\n\n\n\n
- or you could make one router the source where the other routers can get their certificates signed<\/li>\n\n\n\n
- it is easy and convenient. But from a security perspective you cannot be sure that you actually ended up on the device you wanted to access. Self-signed certs are more suitable for a test setup<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- let’s encrypt:\n
- \n
- this option simple wasn’t feasible for us, because our devices will only be used as switches with no access to the outside network<\/li>\n\n\n\n
- let’s encrypt works via a challenge on a public website. Security: it is not a good idea to expose your admin interface publicly over the internet<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- scep:\n
- \n
- deploying a single scep server in the network<\/li>\n\n\n\n
- as we are self-hosting, simply adding another service is no problem: plus having one central scep-instance has the additional benefit of a source of certificates in case other devices need certificates as well<\/li>\n\n\n\n
- you can create your own CA and use it on your scep-server<\/li>\n\n\n\n
- but: which one to use?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
There are many SCEP-Options out there, or rather, there are big SSL-options out there like openSCEP, EJBCA or DogTag. Most offer many, many features besides SCEP. But we really only need SCEP at the moment. Luckily we found one which only is a scep-server, since this is all we need: micromdm-scep<\/a>. You can either build from source or download the binaries from their release page. If you want to build from source you have to clone the repo and have a go compiler.<\/p>\n\n\n\n
Setting up the scep-server for mikrotik<\/h2>\n\n\n\n
At first I worked with the downloaded release-files, but later switched to build them from source. You will find the description for this in the error section below.<\/p>\n\n\n\n
For building from source you have to clone the repo. This part is also described on the github page, but I will not leave this as an excercise for the reader.<\/p>\n\n\n\n
Compiling<\/h3>\n\n\n\n
Here are the steps from their page:
To compile the SCEP client and server you will need a Go compiler<\/a> as well as standard tools like git, make, etc.<\/p>\n\n\n\n- \n
- Clone the repository and get into the source directory:
git clone https:\/\/github.com\/micromdm\/scep.git && cd scep<\/code><\/li>\n\n\n\n- Compile the client and server binaries:
make<\/code><\/li>\n<\/ol>\n\n\n\nThe binaries will be compiled in the current directory and named after the architecture. I.e.
scepclient-linux-amd64<\/code> andscepserver-linux-amd64<\/code>.<\/p>\n\n\n\nCA-Initiation<\/h3>\n\n\n\n
If you just want to test everything:
.\/scepserver-linux-amd64 ca -init<\/code>
If you want to add more information about the CA, aka not using the default values micromdm provides its the following with the details entered as you need them. You can also see their provided flags for more information.<\/p>\n\n\n\n.\/scepserver-linux-amd64 ca -init -common_name name -organization organisation -country countrycode -depot "path to depot"<\/code><\/p>\n\n\n\nDepot is the folder where the certificates and the CA information are stored. Default is depot, if you use another path you have to specify it.<\/p>\n\n\n\n
Starting the scep-server<\/h2>\n\n\n\n
After initiating the CA you can start the server with
.\/scepserver-linux-amd64<\/code>
In default mode it will only sign certificates as tls-client.
As I needed a tls-server I had to pass another argument:.\/scepserver-linux-amd64 -sign-server-attrs<\/code>
The server is now up and running and provides an http-endpoint where the certificates can be requested. By default it is on port 8080, by-port string<\/code> you can use another port. If you want to add a challenge password its.\/scepserver-linux-amd64 -sign-server-attrs -challenge string<\/code><\/p>\n\n\n\nRequesting certificates from mikrotik<\/h2>\n\n\n\n
As the server is running now we can head over to our mikrotik router. In the GUI under System->Certificates you can add a new one. Important: mark tls-server under key usage! The mikrotik-switches are the servers, because we want to access them via the browser.
<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2024\/01\/Pasted-image-20231012170154-1-817x1024.png\")
<\/a><\/figure>\n\n\n\n
Click sign via SCEP. If asked to apply changes click yes.<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2024\/01\/Pasted-image-20231012170516.png\")
<\/a><\/figure>\n\n\n\n
Enter the http-address to your server. It can either be localhost or in my case the IP from the private network that I set up on my computer for testing reasons. See more on this in the misc section of this post. You can see the status of the certificate. If it is signed with KT it means that it has a key and is trusted. KET means it is expired. The CA will also be downloaded to the router and is signed with a T.<\/p>\n\n\n\nEnabling https<\/h3>\n\n\n\n
After the certificate is installed https is enabled by going to IP->Services and enabling www-https. Here you have to enter which certificate to use.<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2024\/01\/Pasted-image-20231012173807-1024x426.png\")
<\/a><\/figure>\n\n\n\n![\"\"](\"https:\/\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2024\/01\/Pasted-image-20231012173659.png\")
<\/a><\/figure>\n\n\n\n
As I am still testing, www is enabled, but in production the http port will be closed.
You also have to add the CA to the trusted authorities in your browser. If you then go to the webpage you get the information that the connection is not secure but you can go on the page when you accept the risks. As you signed the certificates yourself you hopefully can trust yourself \ud83d\ude42<\/p>\n\n\n\nOn the terminal<\/h2>\n\n\n\n
The mikrotik switches also come with a terminal. You can either use the webconfig or winbox to open a terminal there, but you can also connect to your switches via ssh. This is a really handy way because clicking your way through the GUI can be very tedious. Using the cmd also have the benefit that you can write the configuration once and deliver it to all your devices.<\/p>\n\n\n\n
The commands to request the certificates from your scep-server on the mikrotik-switch look like this:<\/p>\n\n\n\n
\/certificate add name="Server" subject-alt-name="altname" common-name="commonname.fully.qualified.com" country="DE" state="Baden-Wuerttemberg" locality="Stuttgart" organization="your organization" unit="Systems Administration" key-usage=digital-signature,key-encipherment,tls-server,tls-client days-valid=365\n\n\/certificate add-scep template=Server scep-url="http:\/\/your-server-IP1:8080\/scep" challenge-password="YourSuperSecretPassword"\n\n\/ip service set www-ssl certificate=Server\n\n<\/code><\/pre>\n\n\n\nConclusion<\/h2>\n\n\n\n
With this, you have set up your scep-server for your mikrotik-switches. I hope you found this tutorial helpful. In the Error-Section and the Misc-Section you will find additional information of mistakes I have made, so that you don’t get stuck there.<\/p>\n\n\n\n
Errors<\/h2>\n\n\n\n
I downloaded the binaries from the release page. At first I thought that would work fine because signing the certificates worked. But I always got errors that there is no cipher overlap. A deep dive into the code revealed that by default it would only sign for the keyusage of tls-client. Since this certificate should be used for webaccess to the webconfig, it needed to be a tls-server. <\/p>\n\n\n\n
Therefore when starting the server the attribute -sign-server-attrs has to be added. But when starting the server with the release-binaries it said that the option was not implemented. So I cloned the repo from github, installed a go compiler and build it. With this version it finally worked. You have to be careful though: after I finally had a certificate with tls-server keyusage, I got another SSL-Error: that the issuer was already used. I generated so many CAs and certificates with duplicates that I got this error. As this were only for testing, I did not really care. I initiated a new CA with ca -init and this time I provided the proper name and finally it worked: I had a certificate for accessing the webfig via https!<\/p>\n\n\n\n
Misc<\/h2>\n\n\n\n
Private Network<\/h3>\n\n\n\n
Working with network devices can be really challenging especially if you have to test them but don’t want to mess up the network for other people. Therefore I set up a small private network on an external interface.
I simply had an USB-C adapter and connected the router.<\/p>\n\n\n\n
Withip addr add 10.0.0.3\/24 dev enx5<\/code> I gave my computer an IP address just for this interface. You can find your own interfaces and the device names viaip a<\/code>orip addr show<\/code>and use this in the command. I needed to run my own ntp-server as well, so I made it listen on the same interface as well. It is important that your mikrotiks have the correct time. If they don’t have connection to an ntp-server the certificates will be issued in the 1970 because that is when the computer time started \ud83d\ude09 and all certificates will be expired of course.<\/p>\n\n\n\nAccessing mikrotik<\/h3>\n\n\n\n
As it can be difficult to access the mikrotik via IP at first if DHCP for example is a bit tricky, I found the easiest way to access the routers via winbox, a tool provided by mikrotik. This only works on Windows, but you can run it on Linux with wine. I connected myself via the MAC-address of the device and changed the IP-address to one on my private network.
I also had my own isc-dhcp-server running, which listened solely on the interface on which I connected the mikrotiks. This was necessary because<\/p>\n\n\n\nRessources<\/h1>\n\n\n\n
- \n
- https:\/\/github.com\/micromdm\/scep<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Certificates are everywhere. But they also expire. Who would want to have to issue new certificates for every device on the company infrastructure? Every year?Not only is it time consuming, but also error prone. You could forget one device or how it is done. Therefore it is useful to invest time into automating this process. […]<\/p>\n","protected":false},"author":1182,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[96,999,997,998],"ppma_author":[996],"class_list":["post-26058","post","type-post","status-publish","format-standard","hentry","category-allgemein","tag-certificates","tag-mikrotik","tag-network","tag-scep"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":11186,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2020\/09\/14\/the-development-of-the-intranet-into-beyondcorp\/","url_meta":{"origin":26058,"position":0},"title":"The development of the intranet into BeyondCorp","author":"Aron K\u00f6cher","date":"14. September 2020","format":false,"excerpt":"Aron K\u00f6cher, Miro Bilge Only a few years earlier, the solution to exchange digital information like documents or pictures was to establish a physical connection between the participants. A usb stick was passed around the class to exchange music, you went to your friends house to print some urgent papers\u2026","rel":"","context":"In "Secure Systems"","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/09\/Bildschirmfoto-2020-09-14-um-17.06.48.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":1967,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2017\/02\/28\/microservices-legolizing-software-development-3\/","url_meta":{"origin":26058,"position":1},"title":"Microservices \u2013 Legolizing Software Development III","author":"Calieston Varatharajah, Christof Kost, Korbinian Kuhn, Marc Schelling, Steffen Mauser","date":"28. February 2017","format":false,"excerpt":"Security is a topic that always occurs with microservices. We\u2019ll present our solution for managing both, authentication and authorization at one single point.","rel":"","context":"In "Allgemein"","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/02\/auth_login_gesamt03.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/02\/auth_login_gesamt03.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/02\/auth_login_gesamt03.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/02\/auth_login_gesamt03.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/02\/auth_login_gesamt03.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2017\/02\/auth_login_gesamt03.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":3348,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/03\/30\/continuous-integration-pipeline-for-unity-development-using-gitlab-ci-and-aws\/","url_meta":{"origin":26058,"position":2},"title":"Continuous Integration Pipeline for Unity Development using GitLab CI and AWS","author":"Jonas Graf, Christian Gutwein","date":"30. March 2018","format":false,"excerpt":"This blog entry describes the implementation of a Continous Integration (CI) pipeline especially adapted for Unity projects. It makes it possible to automatically execute Unity builds on a configured build server and provide it for a further deployment process if required.","rel":"","context":"In "DevOps"","block_context":{"text":"DevOps","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/scalable-systems\/devops\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/CI_process.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/CI_process.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/CI_process.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/CI_process.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":3421,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/03\/28\/take-me-home-project-overview\/","url_meta":{"origin":26058,"position":3},"title":"Take Me Home – Project Overview","author":"cp054","date":"28. March 2018","format":false,"excerpt":"Related articles:\u00a0\u25baCI\/CD infrastructure: Choosing and setting up a server with Jenkins as Docker image\u00a0\u25baDockerizing Android SDK and Emulator for testing\u00a0 \u25baAutomated Unit- and GUI-Testing for Android in Jenkins\u00a0 \u25baTesting a MongoDB with NodeJS, Mocha and Mongoose During the winter term 2017\/2018, we created an app called Take Me Home. The\u2026","rel":"","context":"In "Mobile Apps"","block_context":{"text":"Mobile Apps","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/interactive-media\/mobile-apps\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/tmh_admin_usermanagement_bearbeitet.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/tmh_admin_usermanagement_bearbeitet.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/tmh_admin_usermanagement_bearbeitet.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/tmh_admin_usermanagement_bearbeitet.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/tmh_admin_usermanagement_bearbeitet.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/03\/tmh_admin_usermanagement_bearbeitet.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":3910,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/14\/beyond-corp-a-new-approach-to-enterprise-security\/","url_meta":{"origin":26058,"position":4},"title":"Beyond Corp – Google’s approach to enterprise security","author":"Domenik Jockers","date":"14. August 2018","format":false,"excerpt":"What is Beyond Corp? Beyond corp is a concept which was developed and is used by Google and is by now adopted by some other companies. The idea behind it was to get away from the intranet and its perimeter defense, where, if you breach the perimeter you can access\u2026","rel":"","context":"In "Secure Systems"","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/08\/pipeline.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":4306,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/09\/14\/yet-another-connected-vehicle-cloud-platform\/","url_meta":{"origin":26058,"position":5},"title":"Yet another Connected Vehicle Cloud Platform","author":"dl045","date":"14. September 2018","format":false,"excerpt":"Getting Ideas...\u00a0write a User Story When I thought about an idea for a project, part of the lecture \"Software Development for Cloud Computing\", I had two related use-cases in mind. So I wrote down those high-level user-stories: As a user who owns a non-connected car, I want to access some\u2026","rel":"","context":"In "Cloud Technologies"","block_context":{"text":"Cloud Technologies","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/scalable-systems\/cloud-technologies\/"},"img":{"alt_text":"Material Data Logger","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2018\/09\/datalogger-sm-300x240.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]}],"jetpack_sharing_enabled":true,"authors":[{"term_id":996,"user_id":1182,"is_guest":0,"slug":"jannika_seybold","display_name":"Jannika Seybold","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/77548e83f7150ff4d3d614691af4d0d2134cba448a69ffac4caf4400b713c438?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/26058","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/users\/1182"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/comments?post=26058"}],"version-history":[{"count":1,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/26058\/revisions"}],"predecessor-version":[{"id":26063,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/26058\/revisions\/26063"}],"wp:attachment":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/media?parent=26058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/categories?post=26058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/tags?post=26058"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/ppma_author?post=26058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Compile the client and server binaries:
- Clone the repository and get into the source directory: