by xdenb43 | tested on hAP ac lite TC / hAP ax3, RouterOS 7.17+
- default DoH link https://cloudflare-dns.com/dns-query
- secure DoH link https://secure.cloudflare-dns.com/dns-query
- MikroTik built-in CA list: partly OK
Important
Exception: the SSL root CA is not in the built-in CA list.
This shows up as the error "DoH server connection error: SSL: ssl: no trusted CA certificate found"
/tool fetch https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem
/certificate import file-name=DigiCertGlobalRootG2.crt.pem passphrase=""
# SSL root CA
/tool fetch https://ssl.com/repo/certs/SSLcomRootCertificationAuthorityECC.pem
/certificate import file-name=SSLcomRootCertificationAuthorityECC.pem passphrase=""
/ip dns set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
Warning
Jan 2026: not supported by MikroTik since December 15, 2025, due to the DoH HTTP/1.1 retirement
/tool/fetch url=https://cacerts.digicert.com/DigiCertGlobalG3TLSECCSHA3842020CA1-2.crt.pem
/certificate/import file-name=DigiCertGlobalG3TLSECCSHA3842020CA1-2.crt.pem
/ip dns set allow-remote-requests=yes use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes
- CA list https://pki.goog/repository/
- Jan 2026: MikroTik built-in CA not found?
/tool fetch url=https://i.pki.goog/r1.pem
/tool fetch url=https://i.pki.goog/r2.pem
/tool fetch url=https://i.pki.goog/r3.pem
/tool fetch url=https://i.pki.goog/r4.pem
/tool fetch url=https://i.pki.goog/gsr4.pem
/certificate/import file-name=r1.pem
/certificate/import file-name=r2.pem
/certificate/import file-name=r3.pem
/certificate/import file-name=r4.pem
/certificate/import file-name=gsr4.pem
/ip dns set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
- sometimes the .crt file needs to be renamed to .pem, depending on the RouterOS version
- Jan 2026: MikroTik built-in CA differs a little, but working?
#/tool/fetch url=https://www.tbs-x509.com/USERTrustRSACertificationAuthority.crt dst-path=USERTrustRSACertificationAuthority.crt.pem
/tool/fetch url=https://www.tbs-x509.com/USERTrustRSACertificationAuthority.crt
/certificate/import file-name=USERTrustRSACertificationAuthority.crt
/ip dns set allow-remote-requests=yes use-doh-server=https://dns.comss.one/mikrotik verify-doh-cert=yes
/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""
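
Every file imported above becomes a trust anchor for verify-doh-cert=yes, so it is worth comparing the SHA-256 fingerprint of each download with the value published by the CA before running /certificate import. A workstation-side check for that, as an added example that is not part of the original notes; the function names and sample bytes are constructed for illustration, and real pinned values must be copied from the CA's own repository page:

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(fp):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())

def pem_fingerprints(pem_text):
    """SHA-256 over the DER bytes of each certificate block in a PEM file."""
    out = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out

def review_download(pem_text, pinned):
    """Decide whether a fetched file is safe to import as a trust anchor.

    pinned: fingerprints copied from the CA's own repository page.
    Returns (ok, unexpected): ok is True only when the file holds at least
    one certificate and every certificate in it is pinned.
    """
    wanted = {normalize(fp) for fp in pinned}
    found = pem_fingerprints(pem_text)
    unexpected = [fp for fp in found if fp not in wanted]
    return bool(found) and not unexpected, unexpected

def make_pem(der):
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes, not real certificates.
ROOT_A = b"constructed root A"
ROOT_B = b"constructed root B"
PINNED = [hashlib.sha256(ROOT_A).hexdigest().upper()]  # stands in for the published value

if __name__ == "__main__":
    print(review_download(make_pem(ROOT_A), PINNED))                     # expected root only
    print(review_download(make_pem(ROOT_A) + make_pem(ROOT_B), PINNED))  # bundle with an extra root
    print(review_download("<html>404</html>", PINNED))                   # download is not a certificate
```

Run against a full bundle such as cacert.pem, the check lists every root that has not been pinned, which shows how many trust anchors the import would add.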