
Applying SSL Certificates to MikroTik Routers

Overview

To secure your connection to your MikroTik router using SSL (more accurately, TLS, as SSL is outdated but often still used colloquially), you’ll typically want to enable HTTPS access to the router’s web interface (WebFig) or secure other services like SSTP VPN or API with a TLS certificate. Below, I’ll walk you through the steps to secure the WebFig interface with HTTPS using a certificate, as this is a common use case for securing router management. If you have a different service in mind (e.g., VPN), let me know, and I can adjust the instructions.

MikroTik RouterOS supports TLS certificates to encrypt connections. You can either:

  1. Use a self-signed certificate (simpler but shows browser warnings).

  2. Obtain and import a trusted certificate from a Certificate Authority (CA) like Let’s Encrypt or a paid provider (e.g., Namecheap, ZeroSSL).

For this guide, I’ll cover both options, focusing on enabling HTTPS for WebFig. The process involves generating or importing a certificate, assigning it to the www-ssl service, and ensuring proper configuration.


Option 1: Using a Self-Signed Certificate

This is quick and works for personal use, but browsers will display a "not secure" warning because the certificate isn’t trusted by default.

Steps:

  1. Access Your Router

    • Log in to your MikroTik router using WinBox, the terminal (via SSH), or WebFig (initially over HTTP).

  2. Generate a Certificate

    • Open a terminal (in WinBox or SSH) and run:

      /certificate add name=router-ssl common-name=your.router.ip days-valid=3650 key-usage=tls-server

      • Replace your.router.ip with your router’s IP address (e.g., 192.168.88.1) or a domain name if you have one.

      • days-valid=3650 sets it for 10 years; adjust as needed.

  3. Sign the Certificate

    • Still in the terminal, sign the certificate:

      /certificate sign router-ssl

    • Wait a moment for the signing to complete. Check the status with:

      /certificate print

      Look for router-ssl with KT flags (Key and Trusted).

  4. Enable HTTPS Service

    • Assign the certificate to the www-ssl service:

      /ip service set www-ssl certificate=router-ssl disabled=no

    • Optionally, disable the insecure HTTP service:

      /ip service set www disabled=yes

  5. Test the Connection

    • Open a browser and navigate to https://your.router.ip.

    • You’ll see a warning about the certificate being untrusted. Accept the risk to proceed (this is expected with self-signed certificates).

    • Your connection is now encrypted, though the warning persists.


Option 2: Using a Trusted Certificate (e.g., Let’s Encrypt)

For a trusted certificate without warnings, you’ll need a public CA-issued certificate. This requires a public domain name pointing to your router’s WAN IP and port 80 open temporarily for validation (if using Let’s Encrypt). Here’s how:

Prerequisites:

  • A domain name (e.g., myrouter.example.com) with a DNS A record pointing to your router’s public IP.

  • Port 80 temporarily accessible from the internet (for Let’s Encrypt validation).

  • MikroTik RouterOS v7.15 or later (for built-in Let’s Encrypt support).

Steps:

  1. Enable Let’s Encrypt (RouterOS v7.15+)

    • In the terminal, run:

      /certificate enable-ssl-certificate dns-name=myrouter.example.com

    • Replace myrouter.example.com with your domain. This command uses Let’s Encrypt’s ACME protocol to request and renew the certificate automatically.

    • Ensure port 80 is open (/ip service set www disabled=no) during the initial request.

  2. Verify Certificate Creation

    • Check the certificate status:

      /certificate print

    • Look for a certificate with your domain name and KT flags. It may take a minute to generate.

  3. Assign to HTTPS Service

    • Link it to the www-ssl service:

      /ip service set www-ssl certificate=myrouter.example.com disabled=no

    • Disable HTTP if desired:

      /ip service set www disabled=yes

  4. Test the Connection

    • Visit https://myrouter.example.com in your browser.

    • If successful, you’ll see WebFig with no security warnings, and the connection is encrypted.

Notes:

  • Let’s Encrypt certificates last 90 days but renew automatically if the command remains active.

  • If your router isn’t publicly accessible or you’re on an older RouterOS version, you’ll need to manually obtain a certificate (e.g., via ZeroSSL or another CA) and import it. See below for manual import steps.


Manual Import (Alternative for Trusted Certificates)

If you’ve obtained a certificate elsewhere (e.g., ZeroSSL, Namecheap), here’s how to import it:

  1. Obtain Certificate Files

    • You’ll typically get:

      • A certificate file (.crt or .pem).

      • A private key file (.key).

      • Optionally, a CA bundle (intermediate certificate).

  2. Upload Files to Router

    • Open WinBox, go to Files, and drag-and-drop the .crt and .key files (and CA bundle if provided) into the file list.

    • Alternatively, use FTP to upload them.

  3. Import the Certificate

    • In the terminal:

      /certificate import file-name=certificate.crt passphrase=""
      /certificate import file-name=private.key passphrase=""

      • If the files are password-protected, provide the passphrase.

      • Check with /certificate print to see the imported certificate (e.g., certificate.crt_0).

  4. Assign to HTTPS

    • Link it to www-ssl:

      /ip service set www-ssl certificate=certificate.crt_0 disabled=no

    • Disable HTTP if desired:

      /ip service set www disabled=yes

  5. Test

    • Visit https://your.router.ip or domain. If the certificate matches the domain/IP, it should work without warnings.


Additional Security Tips

  • Firewall: Restrict HTTPS access to trusted IPs:

    /ip firewall filter add chain=input protocol=tcp dst-port=443 src-address=your.trusted.ip action=accept
    /ip firewall filter add chain=input protocol=tcp dst-port=443 action=drop

    Filter rules are evaluated top to bottom, so the accept rule must sit above the drop rule (adding them in this order does that). The drop rule takes effect immediately, so run these from the trusted address to avoid locking yourself out.

  • Strong Password: Ensure your router’s admin password is robust.

  • Update RouterOS: Keep your firmware updated (as of March 10, 2025, check for the latest stable version).


Final Thoughts

  • Self-Signed: Quick, but you’ll deal with warnings. Fine for local use.

  • Trusted Certificate: Ideal for public access or avoiding warnings, but requires more setup.

  • If your router isn’t internet-facing, a self-signed certificate is usually sufficient.



Using OpenSSL

Two scenarios:

  1. Generating a Self-Signed Certificate with OpenSSL (simpler, no CA involved).

  2. Generating a CSR to get a trusted certificate from a CA (e.g., ZeroSSL, Namecheap).

After generating the certificate files, import them into your MikroTik router to secure your connection with SSL/TLS (e.g., for WebFig HTTPS).


Option 1: Generate a Self-Signed Certificate with OpenSSL

A self-signed certificate encrypts the connection but isn’t trusted by browsers, so you’ll see a warning. This is fine for personal use or internal networks.

Steps:

  1. Install OpenSSL

    • Ensure OpenSSL is installed on your system:

      • Linux/macOS: Usually pre-installed or install via sudo apt install openssl (Debian/Ubuntu) or brew install openssl (macOS).

      • Windows: Download from a trusted source (e.g., OpenSSL binaries) or use WSL.

  2. Generate a Private Key and Certificate

    • Open a terminal and run:

      openssl req -x509 -newkey rsa:2048 -keyout router.key -out router.crt -days 3650 -nodes

      • Explanation:

        • -x509: Creates a self-signed certificate.

        • -newkey rsa:2048: Generates a 2048-bit RSA private key.

        • -keyout router.key: Outputs the private key.

        • -out router.crt: Outputs the certificate.

        • -days 3650: Valid for 10 years (adjust as needed).

        • -nodes: No passphrase on the key (simplifies import).

  3. Fill in Certificate Details

    • You’ll be prompted for details (e.g., Country, Organization). The most important field is:

      • Common Name (CN): Set this to your router’s IP (e.g., 192.168.88.1) or domain (e.g., myrouter.example.com).

    • Example:

      Country Name: US
      State or Province Name: California
      Locality Name: San Francisco
      Organization Name: Home
      Common Name: 192.168.88.1

  4. Verify Files

    • You’ll now have:

      • router.key: Private key.

      • router.crt: Self-signed certificate.

    • Check them with:

      openssl x509 -in router.crt -text -noout

  5. Import into MikroTik

    • Follow the steps in the "Manual Import" section below to upload and apply these files to your router.
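The interactive openssl req command above sets only the Common Name. Current browsers match the address in the URL bar against the subjectAltName extension rather than the CN, so a CN-only certificate still produces a name-mismatch warning even after you trust it. The script below is an added example (not code from the original guide) that produces the same kind of self-signed certificate non-interactively, with a SAN for either an IP address or a host name, and then runs the checks worth doing before uploading the files. It assumes OpenSSL 1.1.1 or newer (for req -addext and x509 -ext); the file names router.key and router.crt follow the guide, and the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original guide: a non-interactive
# replacement for the "openssl req -x509 ..." step that also sets a
# subjectAltName, then checks the files before they go to the router.
# Assumes OpenSSL 1.1.1 or newer (needed for "req -addext" and
# "x509 -ext"); the file names router.key / router.crt follow the guide.
set -eu

# gen_self_signed OUTDIR NAME
# NAME is what the browser will type: an IPv4 address such as 192.168.88.1
# or a host name such as myrouter.example.com.  Browsers check the
# subjectAltName, not the Common Name, so both carry NAME.
gen_self_signed() {
    outdir=$1; name=$2
    case "$name" in
        *[!0-9.]*) san="DNS:$name" ;;   # has letters: treat as a host name
        *)         san="IP:$name"  ;;   # digits and dots only: IPv4 address
    esac
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$outdir/router.key" -out "$outdir/router.crt" \
        -subj "/O=Home/CN=$name" \
        -addext "subjectAltName=$san" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# key_matches_cert CRT KEY -> 0 when KEY is the private key for CRT
# (compares the SHA-256 of the public key extracted from each file)
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_san CRT -> prints the SAN entry, e.g. "IP Address:192.168.88.1"
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

# self_signed_ok CRT -> 0 when CRT verifies with itself as the trust anchor,
# i.e. the signature is intact and the certificate is not expired
self_signed_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Usage (script name is an assumption): sh gen-router-cert.sh 192.168.88.1
if [ "${1:-}" ]; then
    dir=$(mktemp -d)
    gen_self_signed "$dir" "$1"
    key_matches_cert "$dir/router.crt" "$dir/router.key" && echo "key matches certificate"
    echo "SAN: $(cert_san "$dir/router.crt")"
    self_signed_ok "$dir/router.crt" && echo "self-signed certificate verifies"
    echo "upload $dir/router.crt and $dir/router.key to the router"
fi
```

The -subj and -addext options replace the interactive prompts, so the command can be scripted and repeated. The key check matters because RouterOS will silently leave the certificate without a private key (no K flag) if the wrong .key file is imported, and www-ssl then cannot use it.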


Option 2: Generate a CSR with OpenSSL for a Trusted Certificate

To get a certificate trusted by browsers (no warnings), you’ll generate a CSR with OpenSSL, submit it to a CA, and import the resulting certificate.

Steps:

  1. Generate a Private Key and CSR

    • Run:

      openssl req -new -newkey rsa:2048 -nodes -keyout router.key -out router.csr

      • -new: Creates a new CSR.

      • -newkey rsa:2048: Generates a 2048-bit RSA key.

      • -nodes: No passphrase.

      • -keyout router.key: Private key file.

      • -out router.csr: CSR file.

  2. Fill in Details

    • Enter details as prompted. Set the Common Name (CN) to your router’s public domain (e.g., myrouter.example.com) or IP (though some CAs require a domain).

    • Example:

      Common Name: myrouter.example.com

  3. Submit CSR to a CA

    • Open the router.csr file in a text editor and copy its contents (including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----).

    • Go to a CA’s website (e.g., ZeroSSL, Let’s Encrypt via a client, or Namecheap):

      • ZeroSSL: Free, paste the CSR, verify domain ownership (e.g., via HTTP-01 or DNS-01 challenge).

      • Namecheap: Paid, paste CSR, complete purchase and verification.

    • After verification, the CA provides a certificate file (e.g., router.crt) and possibly a CA bundle (e.g., ca-bundle.crt).

  4. Download Certificate Files

    • You’ll have:

      • router.key (from step 1).

      • router.crt (from the CA).

      • Optionally, ca-bundle.crt (intermediate certificates).

  5. Import into MikroTik

    • See the "Manual Import" section below.
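The CSR flow above has two points where a mistake only shows up later, in the browser: a CSR without a subjectAltName (most CAs now require one and copy it into the certificate), and a returned certificate that does not chain to the supplied CA bundle or does not belong to the key on disk. The script below is an added example, not from the original guide, covering steps 1 to 4 and the pre-upload checks. A real CA cannot be reached offline, so issue_with_local_ca() stands in for the CA with a throwaway local CA constructed for this example; with ZeroSSL, Namecheap or any other CA you skip that function and run issued_cert_ok on the router.crt and ca-bundle.crt they deliver. It assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original guide): create the CSR with a
# subjectAltName, verify the CSR before pasting it into the CA's form, and
# check the files the CA returns against the key and CA bundle before
# uploading them to the router.  issue_with_local_ca() is a stand-in for
# the real CA step, constructed for this example only.
# Assumes OpenSSL 1.1.1 or newer.
set -eu

# make_csr OUTDIR FQDN -> OUTDIR/router.key and OUTDIR/router.csr
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/router.key" -out "$1/router.csr" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# csr_ok CSR FQDN -> 0 when the CSR parses, its self-signature verifies,
# and it requests FQDN as a SAN (which is what the CA will put in the cert)
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# issue_with_local_ca OUTDIR FQDN -> stand-in for the CA (example only):
# writes ca-bundle.crt (the CA certificate) and router.crt (the issued
# leaf), valid 90 days like a Let's Encrypt certificate.
issue_with_local_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1/ca.key" -out "$1/ca-bundle.crt" \
        -subj "/CN=Stand-in Test CA (example only)" 2>/dev/null
    # A real CA copies the SAN from the CSR; "x509 -req" needs it spelled out.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1/leaf.ext"
    openssl x509 -req -in "$1/router.csr" -CA "$1/ca-bundle.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$1/leaf.ext" \
        -out "$1/router.crt" 2>/dev/null
}

# issued_cert_ok CRT KEY BUNDLE FQDN -> 0 only when all three checks pass:
#   1. CRT chains to BUNDLE (what the browser needs after the import)
#   2. CRT's public key matches KEY (otherwise RouterOS cannot use it)
#   3. CRT names FQDN in its SAN (otherwise the browser warns anyway)
issued_cert_ok() {
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$4"
}

# Usage (script name is an assumption): sh csr-check.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_csr "$dir" myrouter.example.com
    csr_ok "$dir/router.csr" myrouter.example.com && echo "CSR is ready to submit"
    issue_with_local_ca "$dir" myrouter.example.com     # stand-in for the real CA
    issued_cert_ok "$dir/router.crt" "$dir/router.key" "$dir/ca-bundle.crt" myrouter.example.com \
        && echo "router.crt, router.key and ca-bundle.crt are consistent; upload them"
fi
```

If issued_cert_ok fails on the chain check with a real CA's files, the bundle usually contains only the intermediate; importing it into RouterOS still works for browsers that already trust the root, but the local verify needs the root as well (add it to the -CAfile for the check only).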


Manual Import into MikroTik Router

Once you have your certificate files (router.key and router.crt, and optionally a CA bundle), import them into your MikroTik router:

  1. Upload Files

    • WinBox: Go to Files, drag-and-drop router.crt and router.key (and ca-bundle.crt if provided).

    • FTP: Use an FTP client to upload to the router’s root directory.

  2. Import Certificates

    • Open a terminal in MikroTik:

      /certificate
      import file-name=router.crt
      import file-name=router.key

      • If you have a CA bundle:

        import file-name=ca-bundle.crt

      • Check the import:

        print

        • Look for names like router.crt_0 and router.key_0 with appropriate flags (e.g., KT for key and trusted).

  3. Assign to HTTPS Service

    • Enable HTTPS with the certificate:

      /ip
      service set www-ssl certificate=router.crt_0 disabled=no

    • Optionally disable HTTP:

      service set www disabled=yes

  4. Test

    • Visit https://your.router.ip or https://myrouter.example.com.

    • Self-signed: Expect a warning (accept it).

    • CA-issued: No warning if the domain matches and the CA bundle is imported correctly.
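A browser visit confirms that something is served on 443, but not that it is the certificate you just imported, and it says nothing about how long the certificate has left (the Let's Encrypt option above issues 90-day certificates). The script below is an added example, not from the original guide, meant to run from a workstation after step 3: it fetches the certificate the router actually presents and compares its SHA-256 fingerprint with the local router.crt, and it turns openssl x509 -checkend into a yes/no answer that a cron job can alert on. It assumes openssl in PATH and takes the router address from a ROUTER environment variable (an assumption of this example).

```shell
#!/bin/sh
# Added example (not part of the original guide): post-deployment checks
# for a MikroTik www-ssl certificate, run from a workstation.
# Assumes: openssl in PATH; ROUTER holds the address used in the browser.
set -eu

# cert_fingerprint FILE -> "AB:CD:..." SHA-256 fingerprint of a PEM certificate
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# served_cert HOST [PORT] -> prints the PEM leaf certificate presented on HOST:PORT
# (-servername sends SNI, which matters if the router is behind a proxy)
served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# cert_matches_served FILE HOST [PORT] -> 0 when the router really serves FILE
cert_matches_served() {
    tmp=$(mktemp)
    served_cert "$2" "${3:-443}" > "$tmp"
    expected=$(cert_fingerprint "$1")
    actual=$(cert_fingerprint "$tmp")
    rm -f "$tmp"
    [ "$expected" = "$actual" ]
}

# expires_within FILE SECONDS -> 0 when notAfter falls inside the next SECONDS
# (openssl x509 -checkend returns 0 while the cert stays valid, so invert it)
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1    # still valid past the window
    else
        return 0    # expires inside the window, or already expired
    fi
}

# days N -> N days in seconds, for readable cron lines
days() { echo $(( $1 * 86400 )); }

if [ "${ROUTER:-}" ]; then
    if cert_matches_served router.crt "$ROUTER"; then
        echo "router serves router.crt"
    else
        echo "router serves a DIFFERENT certificate than router.crt" >&2
        exit 1
    fi
    if expires_within router.crt "$(days 30)"; then
        echo "renew: router.crt expires within 30 days" >&2
        exit 2
    fi
fi
```

A fingerprint mismatch after a manual import usually means www-ssl is still bound to the previous certificate (for example the self-signed router-ssl from Option 1); re-run the /ip service set www-ssl command with the new certificate name. For Let's Encrypt, a certificate that keeps getting closer to expiry means the automatic renewal is failing, most often because port 80 is no longer reachable.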


Notes

  • Self-Signed: Quick, but less professional due to warnings. Use OpenSSL if you just need encryption fast.

  • Trusted Certificate: Requires a domain and CA process, but it’s seamless for users. OpenSSL generates the CSR, but the CA issues the certificate.

  • MikroTik Compatibility: Ensure your files are in PEM format (MikroTik’s default). OpenSSL outputs PEM by default, so you’re good there.