Nov 112016

Mikrotik and its WinBox interface are virtually inseparable. Most people use it without thinking of any other option. However, Mikrotik supports also has (quite a good) HTTP interface and it also supports a (disabled by default) HTTPS access.

Enabling HTTPS is unfortunately not a straightforward experience.

The easiest way to configure this is to enter commands into New Terminal from WinBox. I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.

For HTTPS to work we need to create two certificates, master and apprentice. Ok, actually we need root and HTTPS certificate but master and apprentice sounds much cooler ;):

add name=root-cert common-name=MyRouter days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MyRouter days-valid=3650
sign ca=root-cert https-cert

With certificate signed, we just need to assign it to www-ssl service and enable it, while disabling non-https variant:

/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes

And that’s it. Now you can access your router via HTTPS.

PS: Never use unencrypted interface like HTTP or FTP toward your router. Your password will travel plain-text and risk is not worth 5 minutes it takes to enable TLS encryption.

  8 Responses to “Enabling HTTPS on MikroTik”

Comments (8)
  1. what’s the advantage of this not being automatic like everything else I use which claims to be secure and has never been hacked? Reminds me of the episode of the cartoon where the guy invents the flying bicycle but tells the people who need to use it that they have to put the dick shaped seat in their asses. Later they find out they didn’t have to. That’d be like me realizing that I don’t ever need to buy anything from Mirotik.

    • There is no advantage – it is just different way of doing things. Most of the time you would use WinBox to connect which is encrypted regardless of whether you configure https. Using https (or even http) to access your router is not so common in Mikrotik’s world.

      That said, I do prefer to configure https as I am not always accessing my router from Windows machine and WinBox is pretty much Windows-only.

      Mikrotik often pisses me off with various settings (trust me, this is not even close to the biggest stupidity) but I am still to find platform that is as powerful (and as much fun) when you get to know it.

  2. great!, thanks for the tips

  3. unfortunately the certificate generated with that commands is invalid in chrome.

  4. I did the setup as you said. If I set the port to 443 the service becomes RED and I cannot access the router over https. If I set the port to a totally different port the service works and I can access the device over https using the custom port. What could be the reason ?

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>