user would change something in a CA (but not the name):
```tf
resource "routeros_system_certificate" "root_ca" {
  name        = "Test-Root-CA"
  common_name = "RootCA"
  key_usage   = ["key-cert-sign", "crl-sign"]
  trusted     = true
  sign {
    ca_crl_host = "10.1.1.1"
  }
}

resource "routeros_system_certificate" "server_crt" {
  name        = "Server-Certificate"
  common_name = "server.crt"
  // KUs: digitalSignature, keyEncipherment or keyAgreement
  key_usage   = ["digital-signature", "key-encipherment", "tls-server"]
  sign {
    ca = routeros_system_certificate.root_ca.name
  }
}
```
then there are errors that the resource is not found. It's because RouterOS removes all dependent certificates together with the CA, and the provider can't handle it for now.

The ability to remove certificates was added in RouterOS 7.12 (https://mikrotik.com/download/changelogs#c-stable-v7_12: "certificate - allow to remove issued certificates when CRL is not used"), but only when the CA certificate doesn't have a CRL set. I didn't find a helper to check the RouterOS version in the provider. But maybe it can be implemented more simply: just try to delete the certificate, and if there is an error that the certificate can only be revoked, then revoke it. It can be useful for changing certificate attributes without changing the name (otherwise there is a name conflict).
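The "try to delete, fall back to revoke" approach suggested above, sketched as an added example in Go; this is not the provider's own code. The `CertClient` interface, the `fakeRouter` stand-in and the error text `"certificate can only be revoked"` are assumptions standing in for the real terraform-routeros client and for whatever message RouterOS actually returns.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CertClient is a hypothetical abstraction over the two RouterOS calls the
// provider would need. It is NOT the real terraform-routeros client API.
type CertClient interface {
	Remove(id string) error // /certificate/remove
	Revoke(id string) error // /certificate/revoke
}

// Action reports which operation finally succeeded.
type Action string

const (
	ActionRemoved Action = "removed"
	ActionRevoked Action = "revoked"
)

// isRevokeOnlyError guesses whether the router refused removal because the
// certificate's issuer has a CRL configured. Matching on the message text is
// an assumption; a real implementation would check the exact RouterOS error.
func isRevokeOnlyError(err error) bool {
	if err == nil {
		return false
	}
	return strings.Contains(strings.ToLower(err.Error()), "revok")
}

// RemoveOrRevoke first attempts a plain removal (works on 7.12+ when the CA
// has no CRL). If the router answers that the certificate can only be
// revoked, it revokes instead. Any other error is returned unchanged.
func RemoveOrRevoke(c CertClient, id string) (Action, error) {
	err := c.Remove(id)
	if err == nil {
		return ActionRemoved, nil
	}
	if !isRevokeOnlyError(err) {
		return "", fmt.Errorf("remove %q: %w", id, err)
	}
	if rerr := c.Revoke(id); rerr != nil {
		return "", fmt.Errorf("revoke %q after failed remove (%v): %w", id, err, rerr)
	}
	return ActionRevoked, nil
}

// fakeCert and fakeRouter are a constructed in-memory stand-in that mimics
// the 7.12 rule: removal is allowed only if the issuing CA has no CRL.
type fakeCert struct {
	issuerHasCRL bool
	revoked      bool
}

type fakeRouter struct {
	certs map[string]fakeCert
}

func (f *fakeRouter) Remove(id string) error {
	c, ok := f.certs[id]
	if !ok {
		return errors.New("no such item") // constructed message
	}
	if c.issuerHasCRL {
		return errors.New("certificate can only be revoked") // constructed message
	}
	delete(f.certs, id)
	return nil
}

func (f *fakeRouter) Revoke(id string) error {
	c, ok := f.certs[id]
	if !ok {
		return errors.New("no such item") // constructed message
	}
	c.revoked = true
	f.certs[id] = c
	return nil
}

func newFakeRouter() *fakeRouter {
	return &fakeRouter{certs: map[string]fakeCert{
		"Server-Certificate": {issuerHasCRL: true},  // CA has ca_crl_host set
		"Plain-Certificate":  {issuerHasCRL: false}, // CA without CRL
	}}
}

func main() {
	r := newFakeRouter()
	for _, id := range []string{"Server-Certificate", "Plain-Certificate", "Missing"} {
		act, err := RemoveOrRevoke(r, id)
		fmt.Printf("%s: action=%q err=%v\n", id, act, err)
	}
}
```

The fallback keeps the Terraform-side logic independent of the RouterOS version: on routers where removal works, the certificate is gone; on routers or CAs with a CRL, it is revoked instead, and the provider can report which of the two happened.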