Skip to content

Secure API (API SSL)

Ben Thompson edited this page Nov 9, 2017 · 4 revisions

Introduction

There are two ways to connect to a router. Using Connect and ConnectSecure. Both are functionally identical, however, ConnectSecure employs a layer of security that stop evil people from doing evil things to your router. This extra security prevents someone from:

  • Seeing your communications with the router
  • Injecting additional commands into your communication, effectively being able to take control of your router
  • Tricking you into thinking your connecting to your router, when in fact they have redirected you to a fake alternative

It is a really good idea to use ConnectSecure instead of Connect.

ConnectSecure can be used in two ways:

  1. Using a traditional CA-signed certificate (eg, you buy a certificate from Comodo every few years)
  2. Using public key verification (eg, like SSH)

Using a traditional CA-signed certificate

Personally I think that using a traditional CA_signed certificate is dumb. It costs money, and every year or so you need to replace every certificate on every router. We're an ISP, and we don't have time in our lives for that.

Because of the above, I'm not going to spend too much time discussing this topic, except to say that here's the code you need:

using (var link = Link.ConnectSecure("{router-hostname}", "{router-username}", "{router-password}")) {
    // ...
}

IF the router has a properly setup certificate that matches it's hostname, then you'll be able to connect. Huzzah.

Using public key verification (recommended)

Rather than using a CA to sign a certificate, we create a self-signed certificate ourselves. You could follow the instructions in the MikroTik Manual, or you could call the following method that automates the process for you:

Link.EnableSecure("{router-hostname}", "{router-username}", "{router-password}"));

That will have:

  • created a new certificate
  • self-signed it
  • enabled API-SSL (if it's not already)
  • associated the new self-signed certificate with API-SSL

Next, you'll need to get the certificate's public key. There's slow and painful manual ways to do this. Or else you could use the following method:

var publicKey = Link.GetSecurePublicKey("{router-hostname}");

It's important that you run this command over a trusted network. It defeats the entire point of the process if an evil person intercepts your connection now. Once you have the publicKey, save it somewhere, along with the router's username and password. You'll need it to connect to the router.

Now, when you want to connect to the router, do it like this:

using (var link = Link.ConnectSecure("{router-hostname}", "{router-username}", "{router-password}", "{router-public-key}")) {
    // ...
}

Rather than using a CA to verify the router is who it claims to be, we instead it will compare the router's public key with the one you have on file. For complicated magic-certificate reasons, it's not (easily) possible for an evil person to fake that key.

Clone this wiki locally