terraform-routeros / terraform-provider-routeros

Terraform Provider for Mikrotik RouterOS
Mozilla Public License 2.0

Import certificates #448

Closed tofkamp closed 1 month ago

tofkamp commented 2 months ago

Is your feature request related to a problem? Please describe.
Want to make an OpenVPN connection from an external source, so I have to import the certificates.

Describe the solution you'd like
I do a resource "routeros_file" "VPN_CA", and want to import the certificate, but I cannot because the function is not present. /certificate/import file-name="VPN_CA.crt" name="VPN_CA"

Additional context
This could also be used to configure https-access with your own certificates.

vaerh commented 2 months ago

Ok, I need time to think about whether it is possible to implement it and how best to do it.

vaerh commented 1 month ago

:tada: This issue has been resolved in version 1.51.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket:

vaerh commented 1 month ago

data "routeros_x509" "cert" {
  data = <<EOT
    -----BEGIN CERTIFICATE-----
    MIIBlTCCATugAwIBAgIINLsws71B5zIwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
    RXh0ZXJuYWwgQ2VydGlmaWNhdGUwHhcNMjQwNTE3MjEyOTUzWhcNMjUwNTE3MjEy
    OTUzWjAfMR0wGwYDVQQDDBRFeHRlcm5hbCBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
    AgEGCCqGSM49AwEHA0IABKE1g0Qj4ujIold9tklu2z4BUu/K7xDFF5YmedtOfJyM
    1/80APNboqn71y4m4XNE1JNtQuR2bSZPHVrzODkR16ujYTBfMA8GA1UdEwEB/wQF
    MAMBAf8wDgYDVR0PAQH/BAQDAgG2MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
    BQcDAjAdBgNVHQ4EFgQUNXd5bvluIV9YAhGc5yMHc6OzXpMwCgYIKoZIzj0EAwID
    SAAwRQIhAODte/qS6CE30cvnQpxP/ObWBPIPZnHtkFHIIC1AOSXwAiBGCGQE+aJY
    W72Rw0Y1ckvlt6sU0urkzGuj5wxVF/gSYA==
    -----END CERTIFICATE-----
EOT
}

resource "routeros_file" "key" {
  name = "external.key"
  # The lines of the certificate must not contain indentation.
  contents = <<EOT
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiy/wEW6/MglgICCAAw
HQYJYIZIAWUDBAEqBBD6v8dLA2FjPn62Xz57pcu9BIGQhclivPw1eC2b14ea58Tw
nzDdbYN6/yUiMqapW2xZaT7ZFnbEai4n9/utgtEDnfKHlZvZj2kRhvYoWrvTkt/W
1mkd5d/runsn+B5GO+CMHFHh4t41WMpZysmg+iP8FiiehOQEsWyEZFaedxfYYtSL
Sk+abxJ+NMQoh+S5d73niu1CO8uqQjOd8BoSOurURsOh
-----END ENCRYPTED PRIVATE KEY-----
EOT
}

resource "routeros_file" "cert" {
  name = "external.crt"
  # Normalized certificate
  contents = data.routeros_x509.cert.pem
}

resource "routeros_system_certificate" "external" {
  name        = "external.crt"
  common_name = data.routeros_x509.cert.common_name
  import {
    cert_file_name = routeros_file.cert.name
    key_file_name  = routeros_file.key.name
    passphrase     = "11111111"
  }
  depends_on = [routeros_file.key, routeros_file.cert]
}

tofkamp commented 1 month ago

Thank you for making this possible, but I see a flaw. Usual certificates are signed by sub-CAs or CAs. The public keys of the CA have to be imported also. I could use this feature to import the CA certificate, but this implementation demands a key in order to import the certificate, which I do not have for the CA (or sub-CA). And even if I have the private key, I do not want to install it on the switch because of security. I tried concatenating the public key of the CA to the public key of the certificate, but that did not solve the problem either. What if the CA was already present on the MikroTik switch? It should be a separate entity in Terraform, so it can be managed by Terraform (expiration/renew etc).

vaerh commented 1 month ago

You can easily import a certificate that does not contain a private key. To do this, you only need to specify the certificate data. I don't quite understand the problem regarding the root CA. Please explain it in more detail. You can import a resource for any certificate.
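As an added example (not from the thread and not the provider's own documentation), here is the pattern vaerh describes: a CA certificate kept as its own Terraform resource and imported with certificate data only, using the same data source, resources and import-block arguments that appear in the snippet above. Leaving out key_file_name and passphrase for the CA is an assumption based on vaerh's statement that only the certificate data is needed when no private key is involved; the PEM body is a placeholder to be replaced with the real CA (or sub-CA) certificate, and the file and resource names are made up for the example.

```hcl
# Added example: a CA certificate managed as a separate Terraform entity and
# imported without a private key. Assumes (per the maintainer's comment) that
# key_file_name and passphrase can be omitted when no key is imported.
data "routeros_x509" "ca" {
  # Placeholder: paste the CA or sub-CA certificate here (no key).
  data = <<EOT
    -----BEGIN CERTIFICATE-----
    ...CA certificate body goes here (placeholder)...
    -----END CERTIFICATE-----
EOT
}

# The data source exposes a normalized PEM, so the uploaded file has no
# indentation even though the heredoc above is indented.
resource "routeros_file" "ca" {
  name     = "vpn-ca.crt"
  contents = data.routeros_x509.ca.pem
}

# Certificate-only import: no key file, no passphrase. The CA's private key
# never has to exist on the router.
resource "routeros_system_certificate" "ca" {
  name        = "vpn-ca.crt"
  common_name = data.routeros_x509.ca.common_name
  import {
    cert_file_name = routeros_file.ca.name
  }
  depends_on = [routeros_file.ca]
}
```

The leaf (server or client) certificate is then imported with its key exactly as in the earlier snippet, with a depends_on on routeros_system_certificate.ca so the issuer is present first. Because the CA and the leaf are separate resources, Terraform can renew or replace either one on its own, which is what the follow-up comment asks for.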

tofkamp commented 1 month ago

Yes, you are right. I read the documentation wrong. I can import a certificate (CA or not) without a key.