MikroTik Hotspot HTTPS Redirect with Free SSL Certificate
SSL Certificate is required to enable HTTPS Login and HTTPS Redirect in MikroTik Hotspot. In one of my last articles I discussed how to configure MikroTik Hotspot HTTPS redirect and HTTPS login with MikroTik self-signed certificate. But self-signed certificate is not trusted by operating system. So, we get the following two issues if we configure HTTPS Login and HTTPS Redirect with self-signed certificate.
- Ask to proceed unsafe site: As browsers cannot trust self-signed certificate, it shows a warning message and asks to proceed unsafe site every time the login page redirected with HTTPS redirect. Users may face disgusting seeing this warning message again and again.
- Error or Warning icon in URL bar: Although we proceed the login page warning, browser also shows a red or yellow icon in URL bar. It also makes us confused whether the connection is secured or not.
Although self-signed certificate always establish secure connection by encrypting data, the above two issues make us confused and disgusting sometimes. To solve the above two issues we need to use public CA certificate that will be trusted by operating system and browsers.
Public CA requires yearly subscription fee to get their service. Although this payment is not so high for enterprise organizations but small business companies sometimes face trouble to pay yearly subscription fee. Don’t be worried if subscription fee goes out of budget. Some public CA organizations provide free SSL certificate to make internet completely secure. ZeroSSL is one of them who provides fast, reliable and free SSL/TL certificate for anyone. In my previous article I discussed how to get free SSL certificate from ZeroSSL. In this article I will discuss how to configure MikroTik Hotspot HTTPS Login and HTTPS Redirect with trusted public SSL certificate to overcome the above two issues.
MikroTik Hotspot HTTPS Redirect Configuration with Free ZeroSSL Certificate
We will now configure MikroTik Hotspot HTTPS Redirect with trusted ZeroSSL certificate. Complete HTTPS redirect configuration with free ZeroSSL certificate can be divided into the following four steps.
- Getting free SSL Certificate from ZeroSSL
- Importing SSL certificate to MikroTik certificate store
- Enabling HTTPS Server in MikroTik Router and
- Enabling HTTPS Login and HTTPS Redirect in MikroTik Hotspot
Step 1: Getting Free SSL Certificate from ZeroSSL
In my last article I discussed how to get free SSL certificate from ZeroSSL. If you don’t have free SSL certificate from ZeroSSL yet, visit how to get free SSL certificate from ZeroSSL and get your free SSL certificate now. According to my previous article I have free SSL certificate from ZeroSSL for mikrotik.itechsheet.com subdomain like the following image.
If you buy SSL certificate from any trusted public CA, you will have similar certificate (ca-bundle.crt, certificate.crt and private.key) files those you can rename like me or whatever you like.
Step 2: Importing SSL Certificates to MikroTik Certificate Store
After getting SSL certificate from public CA, we will now import certificate files in MikroTik certificate store. The following steps will show how to import SSL certificate to MikroTik SSL certificate store.
- Login to MikroTik with Winbox using full permission user credentials.
- Click on Files menu item. File List window will appear.
- Drag and drop certificate files downloaded from ZeroSSL into this File List window.
- Uploaded certificate files in File List window will look like the following image.
- Now go to System > Certificates menu item. Certificates window will appear.
- From Certificates tab, click on Import button. Import window will appear.
- Choose CA certificate (example: ZeroSSL CA.crt) from Only File dropdown menu and click on Import button. CA certificate will be imported now. Imported certificate will be named appending a numeric value. It will be better to rename the CA file with a meaning name rather keeping auto generated name. For this, double click on imported CA file and put a meaning name in Name input filed and click Apply and OK button.
- Click on Import button again and choose certificate file (example: mikrotik.itechsheet.com.crt) from Only File dropdown menu and then click Import button. Certificate file will be uploaded. Rename the auto generated certificate file like the CA file.
- Click on Import button again and choose key file (example: mikrotik.itechsheet.key) from Only File dropdown menu and then click on Import button. Key file will be uploaded and accumulate with certificate file. So, K flag will be found before certificate file name.
Step 3: Enabling HTTPS Server in MikroTik Router
After importing certificates, we will now enable HTTPS Server in MikroTik Router. The following steps will show how to enable HTTPS Server in MikroTik Router.
- From Winbox, go to IP > Services. IP Service List window will appear and you will find all available services are present here.
- Double click on www-ssl service. IP Service <www-ssl> window will appear.
- From Certificate drop down menu, choose SSL certificate (mikrotik.itechsheet.com.crt) that we have imported at second step.
- Click Apply and OK button.
Suggestion: it is better to disable HTTP (Port 80) service so that HTTP login page does not appear accidently.
Step 4: Enabling HTTPS Login and HTTPS Redirect in MikroTik Hotspot
After enabling HTTPS Server, we will now enable HTTPS Login and HTTPS Redirect in MikroTik Hotspot. The following steps will show how to enable HTTPS Redirect in MikroTik Hotspot Server.
- From Winbox, go to IP > Hotspot. Hotspot window will appear.
- Click on Server Profiles tab and double click on your Server profile. Hotspot Server Profile window will appear.
- From general tab, put domain or subdomain name (example: mikrotik.itechsheet.com) for which SSL certificate has been issued in DNS Name input field.
- Click on Login tab and from Login By panel, click on HTTPS checkbox.
- From SSL Certificate drop down menu, choose SSL certificate (mikrotik.itechsheet.com.crt) that we have imported at second step.
- Make sure HTTPS Redirect checkbox is checked.
- Click Apply and OK button.
HTTPS Redirect is now enabled in MikroTik Hotspot Server. Visit any HTTPS website (example: https://systemzone.net) before authentication and you will find the redirected HTTPS Login Page.
You will also find that the login page is appearing without certificate warning because ZeroSSL certificate is a trusted certificate. Also you will find that there is no yellow or warning icon in URL bar.
OOPS!!! I visit Facebook, YouTube or Google but HTTPS Login Page don’t appear. Why?
Because Facebook, YouTube and Google use HSTS (HTTP Strict Transport Security) and HTTPS Redirection is not possible to HSTS enabled websites that was visited before. In this case, use another HTTPS site such as https://systemzone.net or https://www.itechsheet.com or any other website that doesn’t use HSTS will redirect to HTTPS Login Page.
If you face any confusion to follow the above steps, watch the following video on MikroTik Hotspot HTTPS Redirect Setup with Free SSL Certificate. I hope it will reduce your any confusion.
How to Configure HTTPS Redirect and HTTPS Login in MikroTik Hotspot with free SSL certificate from ZeroSSL has been discussed in this article. I hope you will now be able to configure HTTPS Redirect and HTTPS Login in MikroTik Hotspot Server with free public SSL certificate. However, if you face any confusion to configure HTTPS Redirect and HTTPS Login, feel free to discuss in comment or contact me from Contact page. I will try my best to stay with you.
Why not a Cup of COFFEE if the solution?