All well-known desktop, mobile and server operating systems come with a certificate store that is populated with a set of well-known and trusted certificates, acting as trust anchors.
RouterOS does not. Still, sometimes a specific certificate is required to properly verify a chain of trust. One example is downloading the scripts from this repository with the fetch command, thus the very first step of installation is importing the certificate.
The scripts can install additional certificates when required. This happens from this repository if available, or from mkcert.org as a fallback.
But how to determine which certificate may be required? Often the easiest way is to use a desktop browser to get that information. This demonstration uses Mozilla Firefox.
Let's assume we want to make sure the certificate for git.eworm.de is available. Open that page in the browser, then click the lock icon in the address bar, followed by "Connection secure".
The dialog will change, click "More information".
A new window opens, click the button "View Certificate". (That window can be closed now.)
A new tab opens, showing information on the server certificate and its chain of trust. The leftmost certificate is what we are interested in.
Now we know that "ISRG Root X2" is required; some scripts need just that information.
Running the function $CertificateAvailable with that name as parameter makes sure the certificate is available in the device's store:

```
$CertificateAvailable "ISRG Root X2";
```

If the certificate is actually available already, nothing happens and there is no output. Otherwise the certificate is downloaded and imported.
If importing a certificate with that exact name fails, a warning is given and nothing is actually imported.
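
To confirm the result on the device, the following added example (not part of the repository's scripts) lists what the store holds under that common name and then runs a fetch with chain verification enabled. It assumes RouterOS 7 command syntax, that the repository's global functions are loaded, and that the example host from above is reachable.

```routeros
# Added example, not from the repository.
# Assumption: global-functions has been run, so $CertificateAvailable exists.
:global CertificateAvailable;

# Make sure the root CA is in the store (downloaded and imported if missing).
$CertificateAvailable "ISRG Root X2";

# Show every stored certificate with that common name, including its trust
# flag, fingerprint and expiry. An empty result means the import did not
# happen, so check the log for the warning.
:foreach Cert in=[ /certificate/find where common-name="ISRG Root X2" ] do={
  :local CertVal [ /certificate/get $Cert ];
  :put ("name=" . ($CertVal->"name") . \
    " trusted=" . ($CertVal->"trusted") . \
    " fingerprint=" . ($CertVal->"fingerprint") . \
    " invalid-after=" . ($CertVal->"invalid-after"));
}

# Fetch with certificate verification enabled. The request fails with a
# certificate error if the chain cannot be verified against the store.
/tool/fetch check-certificate=yes-without-crl url="https://git.eworm.de/" output=none;
```

Compare the printed fingerprint with the one the browser's certificate view shows for the same root before relying on it as a trust anchor.
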
- Download, import and update firewall address-lists
- Manage DNS and DoH servers from netwatch
- Send notifications via Matrix
- Send notifications via Ntfy