Graphic Web Design, Computer Network, Balinese Culture

Redirect HTTPS Hotspot Login Page Mikrotik Self-Signed Certificate
In order to provide the best service for your client, and for those of you who just start a new business or just want to share the internet connection using mikrotik hotspot servers, you need to know the aspects of the accessing https hotspot login page. Before we go further to create the web login template/interface to the hotspot login, I think it is require to improve the understanding of the access https hotspot login page, so that can be resolve the problems that may be found in the future, this is the one of the important things that we must know in building hotspot server systems.

HTTPS is a secure HTTP connection that using SSL (Secure Socket Layer) protocol to encrypt transmissions to provide protection from eavesdroppers attacks that use port 443. In other word, HTTPS is using for the secure connection over the clients that will increase the confidence of the client to use the website page connection. Using HTTPS connections associated with SSL Certificates that contains the data files of the organization's.

To use HTTPS connections that allow the clients access Hotspot login page, we need to install SSL certificate that will initiate secure sessions to the browsers. Keep in mind Hotspot login page will act as the web server to our hotspot client that the files is located in the router. Actually when the clients want to access the login page the internet connection is already up to the clients but to use the internet they have to login through the hotspot server rules.  So the clients request to use firewall rules into hotspot login page using the account member.

Look at the picture above! This is the previous configuration of the hotspot server profile that only use HTTP CHAP. This is the standard method access the hotspot login page, HTTP CHAP is unencrypted connection for the security consideration it is not recommended, so that the client can access the login page Using HTTP Connection.
The client will be redirecting to the login page when typing such, that only use HTTP connection, and, that uses both connection, HTTP and HTTPS.

But when the client using such a,, this is very strict just only use HTTPS connections as their trusted identity. or inadvertently entered through the complete url like this Our clients will not redirecting to the login page.

What do you think if the clients meet like this, oh error, trouble, bad service. Actually the internet connection is already but where is the login page? they should use the HTTP connection to login or just typing such or hotspot dns name such But not any advice, the something like a boom and they have stuck and this is likely not a good service for them.

As I said before, to use redirect HTTPS hotspot login page connections, we must use SSL Certificate. For widespread use for the professional website server, the SSL certificates should be excluded from the authorities, actually we must pay for this to be signed by trusted authority. When we have decided to buy SSL certificate make sure you must have domain name to be certified. Or when you have public IP you can create a free domain for the hotspot login page.

Ok no matter whether buy or get for free of the SSL certificate, I will show Self-Signed Certificate to prove how the process redirect https login page works using openSSL. You can download openssl-0.9.8k_WIN32 and openssl-0.9.8k_WIN64 depending on your system. Extract the zip file, and just put the folder/directory OpenSSL on the desktop and rename the folder as “openssl”. On the folder openssl, go to bin folder and click on openssl.exe to run openssl command prompt.

1. Creating self –signed our own CA (Certificate Authority)

First we generate the RSA Private Key in order Create CA (Certificate Authority). Certificate is containing our identity and organization details. For more faster just paste it on openssl command prompt one by one (look at the number of this command lines!).
genrsa -des3 -out ca.key 4096
req -config C:\Users\agus\Desktop\openssl\openssl.cnf -new -x509 -days 3650 -key ca.key -out ca.crt

The final goal in this step is creating “ca.key and ca.crt”. “C:\Users\agus\Desktop\openssl\openssl.cnf” is the path where the openssl.cnf  file is located. “Common Name :” is a dns name of the hotspot server profile that used.

2. Creating self-signed hotspot server certificate

We generate the RSA Private Key, Certificate Signing Request (CSR) and finally self-signed hotspot server certificate itself.
genrsa -des3 -out server.key 4096
req -config C:\Users\agus\Desktop\openssl\openssl.cnf -new -key server.key -out server.csr
x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

After this we can close openSSL command prompt, and now we have three hotspot server certificate files, that is server.key, server.csr, and server.crt.

3. Upload  and Import the self-signed certifate hotspot server files

Copy that tree server files and place into 1 folder, just named as key. Now we are going to upload the three files in folder key, we can also use winSCP, fireFTP, etc,  to make easier to upload and put the certificate files against another files on the router.

After upload the files we are going to import them to the router as the self-signed sertificate on the router system. Using winbox click System>Certificates. On the tab certificates, press import and and we look for the files that have been uploaded, as shown like the right picture above.  First we have to import server.crt, then server.key. In this case we just require server certificate the file that has extension .crt and the key files. We can see the information identity details of the self-signed certificate.

4. Change the configuration of the hotspot server mikrotik

After import the certificate, now we have certificate on the router system with the name cert_1. Go to the hotspot server profiles and activate HTTPS option Login by and use SSL certificate cert_1.  Don’t to activate SSL service port on the IP Service List that now using cert_1 certificate. Look at the pictures below!

Now we can see how the Self-Signed Certificate redirect https login page works on the hotspot clients. When I use 2 options login by “HTTP and HTTPS” with SSL Certificate “cert_1
The clients type :,,, all the kind web server that use 2 type connections (HTTPS and HTTP) or the web server that just only have HTTP access, such It’s no problem, the client could be redirected to login page

The clients using the complete url :,  https:// /,  https:// that means the clients use https access for the kind web server. In this case the clients will meet the security warning with add exception choice,  before could be redirected to login page
The clients type :, and other web server that very strict just only use HTTPS connections. In this case the clients will meet the security warning with the notification only valid for 

But the security warning will be different on another browser, in this case I have use Mozilla Firefox. Self-signed certificate is the internal application that just signed by me or yourself, this is for our local system, but when using the internet connection, it won't recognize as trusted unless you buy the external certificate authority to remove the security warning.  But at least self-signed certificate as the prove how the process redirecting HTTPS works,  and the clients got the security warning that can add the exception and notification to access the hotspot login page.

Somebody said that this security warning can be resolve using the squid proxy on the internal network, but I still can not prove it. So the best choice to remove the security warning is the external certificate authority for your hotspot login page. Using a certificate free version still can not recognize your hotspot login page as trusted.

If you still consider that it is important and you have decided to buy an external certificate authority, you will get the certificate file and the key, and just need to  import the files as I show above on your router. But you must prepare your domain name. This is the best way for those of you who already have the website domain, and the hotspot login page is using a sub domain, such a There are much websites that provide SSL certificate authority services like

So that's all I can inform you about redirecting HTTPS hotspot login page, have a try and good luck!
Share This Article :
Related Articles


  1. Your post is really collection of such useful information and I personally would like to appreciate the efforts. Once again thanks for your post. I was looking for ssl certificates information your post gave me well guide.

  2. You have done a great job. I will definitely dig it and personally recommend to my friends. I am confident they will be benefited from this site cardboard boxes

  3. Mas, saya bikin certificate kok Days Validnya ga aktif ya? Suksma

  4. Any way I'll be subscribing to your feed and I hope you post again soon.
    download free descargar whatsapp and download baixar whatsapp online and descargar whatsapp gratis , baixar whatsapp gratis

  5. Hi,
    regarding this statement:
    ...but when using the internet connection, it won't recognize as trusted unless you buy the external certificate authority to remove the security warning. But at least self-signed certificate as the prove how the process redirecting HTTPS works, and the clients got the security warning that can add the exception and notification to access the hotspot login page.

    This is not true really. Certificate for your hotspot won't help you much, because it will be valid only for your hotspot's hostname, not for whatever external site user's browser thinks is connecting to.
    The "facebook screenshot" shows that you are trying to open and you get a message that the site that IS opening (your hotspot) has a certificate that is valid ONLY for the hotspot - it excpected the Facebook certificate. This means there is no way to get past this... at least not yet.
    Further reading - HSTS explained (the reason for these things happening):

  6. What about:
    Deprecation of Internal Server Names and Reserved IP Addresses


    I'm presuming the client will be blocked, ie no way to negate the warning as of next year?

    Even with a self-signed CA the common name, be it a private IP or DNS needs to be validated?

    and as hotspots are public the client does not hold the self signed CA as a trusted body which is what CAB suggest as a work around?

  7. Hello! Your site is awesome! keep it on. thanks for sharing this information. California individual asset search

  8. You’ve written nice post, I am gonna bookmark this page, thanks for info. I actually appreciate your own position and I will be sure to come back here.
    i like play games happy wheels online and play happy wheels 2 games and agario , fireboy watergirl , agar io

  9. Hi, This one thing what has been searching for quite a while.

  10. Posts shared useful information and meaningful life, I'm glad to be reading this article and hope to soon learn the next article. thank you
    Download retrica online includes more than eighty different filters with many different styles and include retrica indir , and zombie tsunami is the ideal game for anyone who loves the running game genre and happy wheels , agario , happywheels , agar ,

  11. When you're tired, you want to relax after a stressful working hours, you need to have time to take care of the kids active.
    Please visit our website and play exciting flash games.
    Thanks you for sharing!
    Friv 4

  12. Dear admin,
    How can I buy external certificate? My website domain was hosting in Godaddy. So do I need to buy in godaddy?

  13. It's true Bluehost is the industry leading hosting provide and they are best For wordpress Hosting, I written an Bluehost wordpress Hosting review and The about Bluehost Discount coupon code.
    Bluehost Discount

  14. Which type of SSL should I buy for browsers trusted. I have one domain. Please advise me.

  15. Today I want to introduce you to some games for entertainment after hours of work stress, relax and give me feedback about it
    baixar musicas l snapchat l run 2 l geometry dash 2.0

  16. DreamHost is ultimately the best web-hosting provider for any hosting plans you might require.