Mikrotik and its WinBox interface are virtually inseparable. Most people use it without thinking of any other option. However, Mikrotik also has a (quite good) HTTP interface, and it also supports HTTPS access (disabled by default).
Enabling HTTPS is unfortunately not a straightforward experience.
The easiest way to configure this is to enter commands into New Terminal from WinBox. I will simply list the commands needed instead of going through the screens. The commands are actually quite descriptive and easy to "translate" into GUI actions if that is your preference.
For HTTPS to work we need to create two certificates, master and apprentice. OK, actually we need a root certificate and an HTTPS certificate, but master and apprentice sounds much cooler ;):
/certificate
add name=root-cert common-name=MyRouter days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MyRouter days-valid=3650
sign ca=root-cert https-cert
With the certificate signed, we just need to assign it to the www-ssl service and enable it, while disabling the non-HTTPS variant:
/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes
And that's it. Now you can access your router via HTTPS.
PS: Never use an unencrypted interface like HTTP or FTP toward your router. Your password will travel in plain text, and the risk is not worth the 5 minutes it takes to enable TLS encryption.
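A variant of the commands above with tighter settings, as an added example that is not part of the original post. It adds a subject-alt-name (browsers match the address in the URL against that field rather than the common name), limits what each key may be used for, and restricts who can reach the service. The router address 192.168.88.1, the management subnet 192.168.88.0/24 and the names root-ca and https-san are assumptions chosen for this example.

```routeros
# Added example, not from the original post. Assumed values: router reachable
# at 192.168.88.1, management PCs in 192.168.88.0/24, names root-ca / https-san.
/certificate
# CA certificate: only allowed to sign certificates and CRLs.
# Its common name differs from the server certificate's so issuer and subject are distinct.
add name=root-ca common-name="MyRouter Root CA" key-size=4096 days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-ca
# Server certificate: subject-alt-name carries the address typed into the browser,
# key-usage limits the key to TLS server authentication.
add name=https-san common-name=MyRouter subject-alt-name=IP:192.168.88.1 key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign ca=root-ca https-san
# Export the CA certificate (public part only) to Files so it can be imported
# into the trust store of the machines that manage the router.
export-certificate root-ca
/ip service
# Serve HTTPS only to the management subnet and refuse TLS versions older than 1.2.
set www-ssl certificate=https-san address=192.168.88.0/24 tls-version=only-1.2 disabled=no
set www disabled=yes
```

Once the exported CA certificate is imported as a trusted root on the management machine, the browser can validate the router's certificate itself instead of relying on a click-through warning. Signing with 4096-bit keys can take noticeably longer on small routers.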
What’s the advantage of this not being automatic like everything else I use which claims to be secure and has never been hacked? Reminds me of the episode of the cartoon where the guy invents the flying bicycle but tells the people who need to use it that they have to put the dick shaped seat in their asses. Later they find out they didn’t have to. That’d be like me realizing that I don’t ever need to buy anything from Mikrotik.
There is no advantage – it is just a different way of doing things. Most of the time you would use WinBox to connect, which is encrypted regardless of whether you configure https. Using https (or even http) to access your router is not so common in Mikrotik’s world.
That said, I do prefer to configure https as I am not always accessing my router from a Windows machine and WinBox is pretty much Windows-only.
Mikrotik often pisses me off with various settings (trust me, this is not even close to the biggest stupidity) but I am still to find a platform that is as powerful (and as much fun) when you get to know it.
Great! Thanks for the tips.
Unfortunately the certificate generated with those commands is invalid in Chrome.
Followed the same steps, and Chrome is fine for me.
“Invalid” doesn’t give us much to go by. How about an error message?
I did the setup as you said. If I set the port to 443 the service becomes RED and I cannot access the router over https. If I set the port to a totally different port the service works and I can access the device over https using the custom port. What could be the reason ?
It could be that you have other service on that port. VPN maybe?
I have the same problem with SSL on a Mikrotik router.
Did you resolve it?
Yes, this is a problem, you can say “proceed” to keep going to access the web interface. Here is a Stack Overflow question about how to fix it.
https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate
Thanks for sharing. Before, it was a little bit difficult to generate the certificate since it needed to be created on another machine. Thanks, dude.
Thanks! Worked like a charm, and now I need to figure out how to accept self-signed certs in Chrome, but one step at a time right! :)
It would probably be a good idea to add “key-size=4096” to your commands so you wind up with 4096-bit keys instead of the default 2048-bit ones.
2048 is still “ok,” but I switched over to 4096 a few years ago and the company that I currently work for mandated 4096-bit keys across the board 2 years ago.
This may not be a problem yet for a home network, but I think it’s good to get in the habit of using the longer keys everywhere.