@xdenb43
Last active May 27, 2026 15:19
Mikrotik DoH servers and certificates

Import the minimum set of certificates needed to get DoH servers working

Note

  • Check the comments for each DoH provider below carefully
  • If MikroTik's built-in certificates are OK, there is no need to import additional ones
  • Last check done on RouterOS 7.23

DoH providers

CloudFlare

Important

Exception: the CA for Cloudflare's chain is not in the built-in CA list.
The missing trust anchor shows up as the error "DoH server connection error: SSL: ssl: no trusted CA certificate found"

# DigiCert root CA
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
/certificate import file-name=DigiCertGlobalRootG2.crt.pem passphrase=""
# SSL.com root CA
/tool fetch url=https://ssl.com/repo/certs/SSLcomRootCertificationAuthorityECC.pem
/certificate import file-name=SSLcomRootCertificationAuthorityECC.pem passphrase=""
# Enable DoH and require a valid certificate chain
/ip dns set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

Quad9

Warning

  • RouterOS 7.23: supported again (changelog: "dns - added HTTP/2 support to DoH on ARM64 and x86/CHR devices")
  • December 15 2025: not supported by MikroTik because of Quad9's DoH HTTP/1.1 retirement
  • MikroTik built-in CA: OK

# Intermediate CA (the built-in CA list is already OK, see above)
/tool/fetch url="https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem"
/certificate/import file-name=DigiCertGlobalG3TLSECCSHA3842020CA1-1.crt.pem passphrase=""
# Enable DoH and require a valid certificate chain
/ip dns set allow-remote-requests=yes use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes

Google

# Google Trust Services root CAs
/tool/fetch url=https://i.pki.goog/r1.pem
/tool/fetch url=https://i.pki.goog/r2.pem
/tool/fetch url=https://i.pki.goog/r3.pem
/tool/fetch url=https://i.pki.goog/r4.pem
/tool/fetch url=https://i.pki.goog/gsr4.pem
/certificate/import file-name=r1.pem passphrase=""
/certificate/import file-name=r2.pem passphrase=""
/certificate/import file-name=r3.pem passphrase=""
/certificate/import file-name=r4.pem passphrase=""
/certificate/import file-name=gsr4.pem passphrase=""
# Enable DoH and require a valid certificate chain
/ip dns set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query verify-doh-cert=yes

Comss

Warning

The CA has switched to GlobalSign GCC R6 AlphaSSL CA;
use the built-in CA instead of a manual import.

  • Sometimes the downloaded .crt must be renamed to .pem, depending on the RouterOS version
  • MikroTik built-in CA: OK

# Old manual import (USERTrust), kept for reference; the commented line renames .crt to .pem via dst-path
#/tool/fetch url=https://www.tbs-x509.com/USERTrustRSACertificationAuthority.crt dst-path=USERTrustRSACertificationAuthority.crt.pem
/tool/fetch url=https://www.tbs-x509.com/USERTrustRSACertificationAuthority.crt
/certificate/import file-name=USERTrustRSACertificationAuthority.crt passphrase=""
# Enable DoH and require a valid certificate chain
/ip dns set allow-remote-requests=yes use-doh-server=https://dns.comss.one/mikrotik verify-doh-cert=yes

Additional

Alternatively, import the big CA bundle with all root certificates (about 2 MB):

# Mozilla CA bundle as distributed by the curl project
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""

Check the configured DNS server

# $dnsAddress = IP address of the DoH server you configured
/tool/sniffer/quick port=443 ip-address=$dnsAddress

Any captured packets mean DoH is working
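The provider blocks above all follow the same three steps (fetch the CA, import it, set the DoH server with verify-doh-cert=yes), and the sniffer check only shows that packets flow. The RouterOS script below is an added example, not part of the gist: it wraps the procedure in one routine that imports the CA only when it is missing, prints the imported certificate's fingerprint so it can be compared with the value the CA publishes (the PEM is downloaded before the CA is trusted, so the fingerprint is the only check that the right root was imported), and then confirms the DoH path works with a :resolve inside a :do/on-error block. The values of $caUrl, $caFile, $caCommonName, $dohUrl and $testHost are assumptions taken from the Cloudflare block and should be swapped for the provider you use.

```routeros
# Added example (not from the gist): fetch, import, enable DoH with verification, then check.
# Placeholder values: adapt $caUrl, $caFile, $caCommonName, $dohUrl, $testHost to your provider.
:local caUrl "https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem"
:local caFile "DigiCertGlobalRootG2.crt.pem"
:local caCommonName "DigiCert Global Root G2"
:local dohUrl "https://cloudflare-dns.com/dns-query"
:local testHost "example.com"

# 1. Import the root CA only if no certificate with that common name is present yet
:if ([:len [/certificate find where common-name=$caCommonName]] = 0) do={
    /tool fetch url=$caUrl dst-path=$caFile
    /certificate import file-name=$caFile passphrase=""
    :log info ("DoH: imported CA " . $caCommonName)
} else={
    :log info ("DoH: CA " . $caCommonName . " already present, skipping import")
}

# Print the fingerprint; compare it with the one the CA vendor publishes before relying on it
:put ("CA fingerprint: " . [/certificate get [find where common-name=$caCommonName] fingerprint])

# 2. Point the resolver at the DoH server and require a valid certificate chain
/ip dns set use-doh-server=$dohUrl verify-doh-cert=yes allow-remote-requests=yes

# 3. Verify: a successful :resolve through the new server means the TLS handshake
#    passed certificate verification; a failure is logged instead of aborting the script
:do {
    /ip dns cache flush
    :local ip [:resolve $testHost]
    :log info ("DoH: OK, " . $testHost . " resolved to " . $ip)
} on-error={
    :log warning ("DoH: lookup of " . $testHost . " failed; check /ip dns print and the log for 'no trusted CA certificate found'")
}
```

The script assumes the DoH server's own hostname can still be resolved (through an existing plain DNS server or a static entry) so that the first DoH connection can be established; a failed :resolve together with the "no trusted CA certificate found" log line points at a missing or wrong CA, while a clean :resolve confirms both the import and verify-doh-cert=yes are in effect.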
