Just quickly answering my own question on the very off chance anyone else has a similar problem and stumbles over this post. RouterOS doesn't send the certificate chain automatically, it has to be specifically told to do so. Hence internal PKI server certificates were accepted by the client, since we have the internal root and intermediates preloaded on them, as opposed to public intermediates.
My setup was:
Code:
/ip ipsec identity add auth-method=digital-signature certificate=<server-certificate> generate-policy=port-strict match-by=certificate mode-config=example peer=example policy-template-group=example remote-certificate=<client-certificate>
The intermediate has to be added to the certificate parameter:
Code:
/ip ipsec identity add auth-method=digital-signature certificate=<server-certificate>,<server-certificate-ca> generate-policy=port-strict match-by=certificate mode-config=example peer=example policy-template-group=example remote-certificate=<client-certificate>
Ordering seems to matter, like with a chain in a PEM file, so "<server-certificate>,<server-certificate-ca>" works and "<server-certificate-ca>,<server-certificate>" doesn't.
It was only thanks to WinBox that I even realised the parameter takes multiple options. The help pages seem very specific about the option taking "a certificate", singular and with a private key, so I'm not sure if this is the correct way, but it worked and the server now sends the chain as it should.
Statistics: Posted by HFalch — Tue Feb 13, 2024 1:00 am
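As an added example (not from HFalch's post and not MikroTik code): a Python check, using the `cryptography` library and a constructed root/intermediate/server chain, that a certificate list is in the order the post found RouterOS needs, server certificate first with each issuer matching the next subject. The CA names and the `vpn.example.internal` hostname are made up for the example.

```python
# Added example: build a constructed root -> intermediate -> server chain and check
# that a list of certificates is ordered leaf-first with every issuer linked.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _make_cert(subject_cn, issuer_cert, issuer_key, is_ca):
    """Issue a certificate for subject_cn; self-signed when issuer_cert is None."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    signing_key = key if issuer_key is None else issuer_key
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return cert, key


def chain_order_errors(chain):
    """Return the order problems found; an empty list means leaf-first and fully linked."""
    errors = []
    if not chain:
        return ["empty chain"]
    # The first entry must be the server (end-entity) certificate, not a CA.
    if chain[0].extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        errors.append("first certificate is a CA, not the server certificate")
    # Each certificate must have been issued by the one that follows it.
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            errors.append(f"certificate {i} was not issued by certificate {i + 1}")
    return errors


# Constructed sample PKI (names are placeholders): root, intermediate, server certificate.
ROOT, ROOT_KEY = _make_cert("Example Internal Root", None, None, True)
INTER, INTER_KEY = _make_cert("Example Internal Intermediate", ROOT, ROOT_KEY, True)
SERVER, _ = _make_cert("vpn.example.internal", INTER, INTER_KEY, False)
```

`chain_order_errors([SERVER, INTER])` corresponds to the working `<server-certificate>,<server-certificate-ca>` order and returns no errors, while `[INTER, SERVER]` mirrors the reversed order and is rejected.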