Home / MikroTik

How to Generate an SSL Certificate for HTTPS Access on MikroTik via Winbox

Post a Comment

Securing access to your MikroTik router using HTTPS is a crucial step in protecting your network from unauthorized access. This guide will walk you through creating a self-signed SSL certificate directly via the Winbox GUI, enabling you to safely access WebFig over HTTPS.

Why HTTPS Matters on MikroTik

By default, MikroTik allows access to its web interface via HTTP (port 80). This means that login credentials and other sensitive information are transmitted unencrypted, which can be intercepted by attackers through Man-in-the-Middle (MITM) attacks.

Enabling HTTPS ensures your browser communicates securely with the router, encrypting all traffic.

What You’ll Need

  • A MikroTik router running RouterOS 6.x or 7.x (latest version recommended)
  • Winbox access
  • Local IP/domain name (no public domain required)

Step-by-Step: Creating SSL Certificates via Winbox

Access on MikroTik via Winbox

1. Open Winbox → Go to System > Certificates

2. Create a Certificate Authority (CA)

  • Click “+”
  • In the General tab:
    Name: myCA
    Common Name: myCA
  • Switch to the Key Usage tab and enable:
    • key-cert-sign
    • crl-sign
  • Click OK
Note: This CA will be used to sign other certificates.

3. Create a Certificate for HTTPS (WebFig)

  • Click “+” again
  • In the General tab:
    Name: webCert
    Common Name: router.local (or your router’s IP)
  • In the Key Usage tab, enable:
    • digital signature
    • key encipherment
    • tls server
  • Click OK

4. Sign the CA and Web Certificate

⚠️ Don’t skip this step! Signing activates the certificate.

  • Sign the CA first:
    Right-click myCA → Sign → click Start
  • Then sign the web certificate:
    Right-click webCert → Sign
    Select myCA as the CA → click Start

Once signed, both certificates should show "RSA" status.

5. Mark the Certificates as Trusted (Using Terminal)

RouterOS v7 no longer offers a GUI “Set Trusted” option. Use the Terminal:

/certificate set myCA trusted=yes
/certificate set webCert trusted=yes

6. Enable HTTPS and Apply the Certificate

/ip service set www-ssl certificate=webCert disabled=no
/ip service set www disabled=yes

Now, access your router at https://router-ip. If your browser shows a warning, that’s normal for self-signed certificates.

Optional: Install the CA on Your PC to Remove Browser Warnings

  1. Export the CA certificate:
    /certificate export-certificate myCA export-passphrase=""
  2. Download the .crt file and import it into your system’s Trusted Root Certificate Authorities.

You’re Done! With these steps completed, your MikroTik router is now secured via HTTPS using a self-signed SSL certificate.

Location:

Post a Comment for "How to Generate an SSL Certificate for HTTPS Access on MikroTik via Winbox"