From f2433b8091a7966db6cf2a8bc6890e576b592d13 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Tue, 30 Apr 2019 15:11:54 +0200
Subject: drop certificate DST Root CA X3

Let's Encrypt planned the transition to ISRG's root certificate ("ISRG Root
X1") on July 8, 2019, but postponed several times.

Finally they found another solution: A certificate 'ISRG Root X1', but
cross-signed with 'DST Root CA X3' and with a livetime that exceeds that
of the root CA. This is said to work for most operating system where root
certificate authorities are just 'trust anchors'.

I doubt this is true for RouterOS, where certificates are just imported
into the certificate store. So let's migrate to 'ISRG Root X1' now.
---
 INITIAL-COMMANDS.md |  3 +--
 README.md           | 16 +++--------
 certs/R3.pem        | 77 -----------------------------------------------------
 3 files changed, 5 insertions(+), 91 deletions(-)

diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md
index fa32654..9df69fa 100644
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@@ -10,7 +10,7 @@ procedure please follow [the long way in detail](README.md#the-long-way-in-detai
       / tool fetch "https://git.eworm.de/cgit/routeros-scripts/plain/certs/R3.pem" dst-path="letsencrypt-R3.pem";
       :delay 1s;
       / certificate import file-name=letsencrypt-R3.pem passphrase="";
-      :if ([ :len [ / certificate find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ] ] != 3) do={
+      :if ([ :len [ / certificate find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ] ] != 2) do={
         :error "Something is wrong with your certificates!";
       }
       / file remove "letsencrypt-R3.pem";
@@ -22,7 +22,6 @@ procedure please follow [the long way in detail](README.md#the-long-way-in-detai
       :global CertificateNameByCN;
       $CertificateNameByCN "R3";
       $CertificateNameByCN "ISRG Root X1";
-      $CertificateNameByCN "DST Root CA X3";
     }
 
 Optional to update the scripts automatically:
diff --git a/README.md b/README.md
index e102202..c5c0ba5 100644
--- a/README.md
+++ b/README.md
@@ -66,30 +66,22 @@ files to your MikroTik device.
 Then we import the certificates.
 
     [admin@MikroTik] > / certificate import file-name=letsencrypt-R3.pem passphrase=""
-         certificates-imported: 3
+         certificates-imported: 2
          private-keys-imported: 0
                 files-imported: 1
            decryption-failures: 0
       keys-with-no-certificate: 0
 
 For basic verification we rename the certificates and print their count. Make
-sure the certificate count is **three**.
+sure the certificate count is **two**.
 
     [admin@MikroTik] > / certificate set name="R3" [ find where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" ]
     [admin@MikroTik] > / certificate set name="ISRG-Root-X1" [ find where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" ]
-    [admin@MikroTik] > / certificate set name="DST-Root-CA-X3" [ find where fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739" ]
-    [admin@MikroTik] > / certificate print count-only where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6" or fingerprint="0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
-    3
+    [admin@MikroTik] > / certificate print count-only where fingerprint="67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd" or fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6"
+    2
 
 Always make sure there are no certificates installed you do not know or want!
 
-Actually we do not require the certificate named `DST Root CA X3`, but as it
-is used by `Let's Encrypt` to cross-sign we install it anyway - this makes
-sure things do not go wrong if the intermediate certificate is replaced.
-The IdenTrust certificate *should* be available from their
-[download page](https://www.identrust.com/support/downloads). The site is
-crap and a good example how to *not* do it.
-
 Now let's download the main scripts and add them in configuration on the fly.
 
     [admin@MikroTik] > :foreach Script in={ "global-config"; "global-config-overlay"; "global-functions" } do={ / system script add name=$Script source=([ / tool fetch check-certificate=yes-without-crl ("https://git.eworm.de/cgit/routeros-scripts/plain/" . $Script) output=user as-value]->"data"); }
diff --git a/certs/R3.pem b/certs/R3.pem
index ac322ec..837b709 100644
--- a/certs/R3.pem
+++ b/certs/R3.pem
@@ -235,80 +235,3 @@ oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
 mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
 emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
 -----END CERTIFICATE-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
-        Signature Algorithm: sha1WithRSAEncryption
-        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
-        Validity
-            Not Before: Sep 30 21:12:19 2000 GMT
-            Not After : Sep 30 14:01:15 2021 GMT
-        Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                RSA Public-Key: (2048 bit)
-                Modulus:
-                    00:df:af:e9:97:50:08:83:57:b4:cc:62:65:f6:90:
-                    82:ec:c7:d3:2c:6b:30:ca:5b:ec:d9:c3:7d:c7:40:
-                    c1:18:14:8b:e0:e8:33:76:49:2a:e3:3f:21:49:93:
-                    ac:4e:0e:af:3e:48:cb:65:ee:fc:d3:21:0f:65:d2:
-                    2a:d9:32:8f:8c:e5:f7:77:b0:12:7b:b5:95:c0:89:
-                    a3:a9:ba:ed:73:2e:7a:0c:06:32:83:a2:7e:8a:14:
-                    30:cd:11:a0:e1:2a:38:b9:79:0a:31:fd:50:bd:80:
-                    65:df:b7:51:63:83:c8:e2:88:61:ea:4b:61:81:ec:
-                    52:6b:b9:a2:e2:4b:1a:28:9f:48:a3:9e:0c:da:09:
-                    8e:3e:17:2e:1e:dd:20:df:5b:c6:2a:8a:ab:2e:bd:
-                    70:ad:c5:0b:1a:25:90:74:72:c5:7b:6a:ab:34:d6:
-                    30:89:ff:e5:68:13:7b:54:0b:c8:d6:ae:ec:5a:9c:
-                    92:1e:3d:64:b3:8c:c6:df:bf:c9:41:70:ec:16:72:
-                    d5:26:ec:38:55:39:43:d0:fc:fd:18:5c:40:f1:97:
-                    eb:d5:9a:9b:8d:1d:ba:da:25:b9:c6:d8:df:c1:15:
-                    02:3a:ab:da:6e:f1:3e:2e:f5:5c:08:9c:3c:d6:83:
-                    69:e4:10:9b:19:2a:b6:29:57:e3:e5:3d:9b:9f:f0:
-                    02:5d
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Subject Key Identifier: 
-                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
-    Signature Algorithm: sha1WithRSAEncryption
-         a3:1a:2c:9b:17:00:5c:a9:1e:ee:28:66:37:3a:bf:83:c7:3f:
-         4b:c3:09:a0:95:20:5d:e3:d9:59:44:d2:3e:0d:3e:bd:8a:4b:
-         a0:74:1f:ce:10:82:9c:74:1a:1d:7e:98:1a:dd:cb:13:4b:b3:
-         20:44:e4:91:e9:cc:fc:7d:a5:db:6a:e5:fe:e6:fd:e0:4e:dd:
-         b7:00:3a:b5:70:49:af:f2:e5:eb:02:f1:d1:02:8b:19:cb:94:
-         3a:5e:48:c4:18:1e:58:19:5f:1e:02:5a:f0:0c:f1:b1:ad:a9:
-         dc:59:86:8b:6e:e9:91:f5:86:ca:fa:b9:66:33:aa:59:5b:ce:
-         e2:a7:16:73:47:cb:2b:cc:99:b0:37:48:cf:e3:56:4b:f5:cf:
-         0f:0c:72:32:87:c6:f0:44:bb:53:72:6d:43:f5:26:48:9a:52:
-         67:b7:58:ab:fe:67:76:71:78:db:0d:a2:56:14:13:39:24:31:
-         85:a2:a8:02:5a:30:47:e1:dd:50:07:bc:02:09:90:00:eb:64:
-         63:60:9b:16:bc:88:c9:12:e6:d2:7d:91:8b:f9:3d:32:8d:65:
-         b4:e9:7c:b1:57:76:ea:c5:b6:28:39:bf:15:65:1c:c8:f6:77:
-         96:6a:0a:8d:77:0b:d8:91:0b:04:8e:07:db:29:b6:0a:ee:9d:
-         82:35:35:10
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-- 
cgit v1.2.3-54-g00ecf