Configuring HTTPS Redirect on MikroTik Hotspot

Ohidur Rahman Bappy

MAR 22, 2025

Summary

Using a Hotspot server without enabling HTTPS login can lead to failed redirections when a client requests a page using the HTTPS protocol. To prevent this issue, it's crucial to enable "HTTPS login."

Benefits of Hotspot HTTPS Login

  • Enhanced security via SSL encryption.
  • Ability to redirect clients from HTTPS URLs.

This guide covers using SSL certificates to enable HTTPS login on a Hotspot server. You can use either a trusted Certificate Authority (CA) signed certificate or a cost-free self-signed certificate.

Self-Signed Certificates

Self-signed certificates are free and don't require a public CA. The examples below create them with the RouterOS CLI and with OpenSSL on a Linux machine.

RouterOS Example

Step 1: Create a Certificate Authority (CA):

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
sign ca-template name=myCa

Step 2: Create a Certificate for the Hotspot:

/certificate
add name=Hotspot-template common-name=Hotspot
sign Hotspot-template ca=myCa name=Hotspot

Step 3: Trust the Server Certificate:

set [find name=Hotspot] trusted=yes

OpenSSL Example

Step 1: Generate a Private Key:

openssl genrsa -des3 -out Hotspot.key 1024

Step 2: Generate a Certificate Signing Request:

openssl req -new -key Hotspot.key -out Hotspot.csr

Step 3: Sign the Certificate:

openssl x509 -req -days 365 -in Hotspot.csr -signkey Hotspot.key -out Hotspot.crt

Step 4: Import Certificates to the Router:

Upload and import the created key and certificate (CRT file) to the router:

/certificate import file-name=Hotspot.crt

Enter passphrase: ****

/certificate import file-name=Hotspot.key

Enter passphrase: ****
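
Before the import in Step 4, it is worth confirming that Hotspot.key really belongs to Hotspot.crt, that the certificate has not expired, and how large the key is. The script below is an added example, not part of the original guide; the function names and the 2048-bit default floor are assumptions of this example (the 1024-bit key from Step 1 is reported as below that floor unless a lower value is passed).

```shell
#!/bin/sh
# Added example (not from the original guide): check Hotspot.key/Hotspot.crt
# before importing them into RouterOS. Assumes openssl is on PATH.
# Function names and the 2048-bit RSA floor are this example's assumptions.

# Print the public-key size in bits recorded in a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_hotspot_pair KEY CERT [PASSIN] [MIN_BITS]
#   PASSIN: openssl pass-phrase source (file:/path, env:VAR); empty = prompt.
#   Returns 0 ok, 1 mismatch, 2 unreadable input, 3 key too small, 4 expired.
check_hotspot_pair() {
    key=$1 cert=$2 passin=$3 min_bits=${4:-2048}

    # Extract the public key from each file. Both are PEM SubjectPublicKeyInfo,
    # so they are identical text when the key belongs to the certificate.
    key_pub=$(openssl pkey -in "$key" ${passin:+-passin "$passin"} -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "MISMATCH: $key is not the private key for $cert"
        return 1
    fi

    bits=$(cert_key_bits "$cert")
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "WEAK: ${bits:-unknown}-bit key, below the ${min_bits}-bit floor"
        return 3
    fi

    # -checkend 0 fails when notAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: $cert is past its notAfter date"
        return 4
    fi
    echo "OK: $cert matches $key (${bits}-bit key)"
}

# Run only when called with arguments, e.g.:
#   sh check-hotspot-cert.sh Hotspot.key Hotspot.crt
if [ "$#" -ge 2 ]; then
    check_hotspot_pair "$@"
fi
```

With the passphrase argument left empty, openssl prompts for it on the terminal, which keeps the passphrase out of the shell history and process list.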

Trusted Certificate Authority

To use HTTPS login without displaying SSL warnings in the client browser, use a Trusted CA signed certificate. The certificate import procedure is the same as the previous example.

Note: Browsers may still warn users about redirections even with a CA signed certificate. This warning cannot be entirely avoided.

Hotspot HTTPS Login

After successfully importing the certificate and private key, enable the SSL service and add the certificate name in /ip service:

/ip service set www-ssl certificate=Hotspot disabled=no

Enable HTTPS Login on Hotspot

/ip hotspot profile set hsprof1 login-by=https ssl-certificate=Hotspot

Now, all HTTPS requests from unauthorized clients will be redirected to your Hotspot login page.

Note: For sites that use HSTS, such as Google or Facebook, the browser will show an SSL error and refuse to proceed. Users should open a different site instead.

SSL Certificate Key Size Impact on CPU Load

The SSL certificate key size affects the server's load for unauthenticated hosts. For example, ~60 hosts with Dropbox can cause 50-60% CPU load on lower-end devices like RB951.

Options to Manage Load:

  1. Disable HTTPS redirect:

    /ip firewall nat add chain=hs-unauth action=return protocol=tcp dst-port=443 place-before=0

    Note: This will stop HTTPS redirection to the portal but reduce device load.

  2. Use smaller-sized SSL keys.