Update SSL Certificates on a MikroTik Hotspot (RouterOS 7)

This post walks through renewing and applying TLS certificates on a MikroTik Hotspot running RouterOS 7.

The flow is: delete existing certificates, upload the new files (domain.cert.pem and private.key.pem), import them and set trusted, and finally assign the correct certificate to the Hotspot profile (the imported object is typically named domain.cert.pem_0).

⚠️ Important: Before deleting anything, make sure you have a router backup and copies of your current certificates. Deleting certificates is irreversible.

Requirements

  • RouterOS v7.x (Hotspot with HTTPS login).
  • PEM files: domain.cert.pem (certificate + chain) and private.key.pem (private key).

If your CA provides intermediate certificates separately, either include them as a single fullchain inside domain.cert.pem or import them as well and mark them trusted.

Step 1 — Delete all existing certificates

We start by clearing the certificate store to avoid conflicts with old objects.

Terminal (WinBox → New Terminal):

# Inspect what is there
/certificate print detail

# Remove all current certificates and keys (use with care!)
/certificate remove [find]

This removes all objects under /certificate. If you need to keep any, remove selectively.

Step 2 — Upload the new files to the router

Copy private.key.pem and domain.cert.pem to the router (WinBox → Files or via SFTP/FTP).

Confirm they appear under Files.


Step 3 — Import and set trusted

On MikroTik, import the key first, then the certificate.

Terminal:

# 1) Import the private key
/certificate import file-name=private.key.pem

# 2) Import the domain certificate (ideally the fullchain)
/certificate import file-name=domain.cert.pem

# 3) (If applicable) Import intermediate/CA certs in PEM
# /certificate import file-name=intermediate-ca.pem

Now mark the relevant objects as trusted:

# Mark the domain certificate as trusted
/certificate set [find where common-name!="" ] trusted=yes

# (If you imported intermediates) mark them as trusted as well
# /certificate set <CA_OBJECT_NAME> trusted=yes

Quick verification:

/certificate print detail
# Expect: private-key: yes | trusted: yes

Step 4 — Identify the certificate with the DNS name (typically domain.cert.pem_0)

When RouterOS imports domain.cert.pem, it usually creates an object named domain.cert.pem_0 (or ..._1 if there are more). That is the one with the private key attached and the SAN/CN matching your FQDN.

Check the exact object name:

/certificate print

Look for the object showing private-key: yes and your DNS under subject-alt-name/common-name.


Step 5 — Assign the certificate to the Hotspot profile

With the name identified (e.g., domain.cert.pem_0), apply it to the Hotspot profile.

# List profiles
/ip hotspot profile print

# Replace PROFILE_NAME and CERT_NAME accordingly
/ip hotspot profile set [find name="PROFILE_NAME"] \
    ssl-certificate="domain.cert.pem_0" login-by=https

If you use other login methods, you can keep login-by=http-chap,https, but ensure https is present.
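Steps 3 to 5 as one RouterOS script, an added example that is not from the original post: it imports the pair, locates the object that actually holds the private key for your FQDN instead of assuming domain.cert.pem_0, trusts only that object and assigns it to the profile. It assumes the two PEM files are already uploaded; the FQDN and PROFILE_NAME are placeholders you must change.

```routeros
# Added example (not from the original post). Edit the two placeholders before running.
:local fqdn "login.yourdomain.com"
:local profile "PROFILE_NAME"

# Refuse to continue if either uploaded file is missing
:foreach f in={"private.key.pem";"domain.cert.pem"} do={
    :if ([:len [/file find where name=$f]] = 0) do={ :error ("missing file: " . $f) }
}

# Import key first, then certificate (passphrase="" avoids the interactive prompt)
/certificate import file-name=private.key.pem passphrase=""
/certificate import file-name=domain.cert.pem passphrase=""

# Pick the object that has the private key attached and names the FQDN in its CN or SAN;
# the _0/_1 suffix depends on import order, so do not hard-code it
:local certId [/certificate find where private-key=yes and (common-name=$fqdn or subject-alt-name~$fqdn)]
:if ([:len $certId] = 0) do={ :error ("no certificate with private key for " . $fqdn) }
:if ([:len $certId] > 1) do={ :error "more than one matching certificate; clean the store first" }
:local certName [/certificate get $certId name]

# Trust only the object that will be served
/certificate set $certId trusted=yes

# Assign it to the Hotspot profile and require HTTPS login
/ip hotspot profile set [find where name=$profile] ssl-certificate=$certName login-by=https

:put ("profile " . $profile . " now uses " . $certName)
:put ("valid until: " . [/certificate get $certId invalid-after])
```

Run it from a terminal or as a script under /system script after uploading the files; a failed precondition stops the script with :error before anything is changed.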

(Optional) Enable HTTPS for router management

/ip service set www-ssl disabled=no certificate="domain.cert.pem_0"
# Force management over HTTPS (note: ";" is a command separator in RouterOS, so keep notes on "#" lines)
/ip service set www disabled=yes

Make sure TCP/443 to the router is allowed from your admin network:

# Replace ADMIN_NET with your management subnet so the rule is not open to everyone.
# Filter rules are matched in order: place this before any generic drop in the input chain.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=443 \
    src-address=ADMIN_NET comment="allow https to router (admin)"

Step 6 — Test and verify

  • Open the portal using the configured FQDN (e.g., https://login.yourdomain.com), check the padlock and for any warnings.
  • From the router:

# Add check-certificate=yes to have fetch validate the chain against the router's trusted store
/tool fetch url="https://login.yourdomain.com" output=none

  • If something fails, review:

/log print where message~"www-ssl|hotspot|certificate|error"
/certificate print detail

Notes & Troubleshooting

  • private-key: no: the key does not match the certificate. Re-import using the correct pair.
  • Incomplete chain: include the intermediates in domain.cert.pem (fullchain) or import them and set trusted=yes.
  • Incorrect time: configure NTP (TLS depends on correct time).

/system clock set time-zone-name=Europe/Madrid
/system ntp client set enabled=yes
/system ntp client servers add address=pool.ntp.org

  • Different object name: if the object is not domain.cert.pem_0, use the actual name you saw in /certificate print.

Summary

  1. Delete all certificates: /certificate remove [find].
  2. Upload private.key.pem and domain.cert.pem to the router.
  3. Import key first, then certificate; set trusted.
  4. Identify the object with the DNS (typically domain.cert.pem_0).
  5. Assign that name in the Hotspot profile (ssl-certificate).
  6. Test the portal and check logs if needed.

Done! Your Hotspot should now serve HTTPS with the renewed certificate.