Enabling HTTPS on MikroTik

Mikrotik and its WinBox interface are virtually inseparable. Most people use it without thinking of any other option. However, Mikrotik supports also has (quite a good) HTTP interface and it also supports a (disabled by default) HTTPS access.

Enabling HTTPS is unfortunately not a straightforward experience.

The easiest way to configure this is to enter commands into New Terminal from WinBox. I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to "translate" into GUI actions if that is your preference.

For HTTPS to work we need to create two certificates, master and apprentice. Ok, actually we need root and HTTPS certificate but master and apprentice sounds much cooler ;):

/certificate
add name=root-cert common-name=MyRouter days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MyRouter days-valid=3650
sign ca=root-cert https-cert

With certificate signed, we just need to assign it to www-ssl service and enable it, while disabling non-https variant:

/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes

And that's it. Now you can access your router via HTTPS.

PS: Never use unencrypted interface like HTTP or FTP toward your router. Your password will travel plain-text and risk is not worth 5 minutes it takes to enable TLS encryption.

13 thoughts to “Enabling HTTPS on MikroTik”

  1. what’s the advantage of this not being automatic like everything else I use which claims to be secure and has never been hacked? Reminds me of the episode of the cartoon where the guy invents the flying bicycle but tells the people who need to use it that they have to put the dick shaped seat in their asses. Later they find out they didn’t have to. That’d be like me realizing that I don’t ever need to buy anything from Mirotik.

    1. There is no advantage – it is just different way of doing things. Most of the time you would use WinBox to connect which is encrypted regardless of whether you configure https. Using https (or even http) to access your router is not so common in Mikrotik’s world.

      That said, I do prefer to configure https as I am not always accessing my router from Windows machine and WinBox is pretty much Windows-only.

      Mikrotik often pisses me off with various settings (trust me, this is not even close to the biggest stupidity) but I am still to find platform that is as powerful (and as much fun) when you get to know it.

  2. unfortunately the certificate generated with that commands is invalid in chrome.

  3. I did the setup as you said. If I set the port to 443 the service becomes RED and I cannot access the router over https. If I set the port to a totally different port the service works and I can access the device over https using the custom port. What could be the reason ?

  4. thanks for sharing. before it little bit difficult to generate the certificate since it need created on another machine. thanks dude

  5. Thanks! Worked like a charm, and now I need to figure out how to accept self-signed certs in Chrome, but one step at a time right! :)

  6. It would probably be a good idea to add “key-size=4096” to your commands so you wind up with 4096-bit keys instead of the default 2048-bit ones.

    2048 is still “ok,” but I switched over to 4096 a few years ago and the company that I currently work for mandated 4096-bit keys across the board 2 years ago.

    This may not be a problem yet for a home network, but I think it’s good to get in the habit of using the longer keys everywhere.

Leave a Reply

Your email address will not be published. Required fields are marked *