Make certificate templates /certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign add name=server-template common-name=server add name=client1-template common-name=client1 add name=client2-template common-name=client2 Sign certificates and add CRL url. We will use IP address of the server as CRL URL. /certificate sign ca-template ca-crl-host=10.5.101.16 name=myCa sign server-template ca=myCa name=server sign client1-template ca=myCa name=client1 sign client2-template ca=myCa name=client2 Note: If signing certificates on mipbe cpu based devices(RB7xx,RB2011,RB9xx) then this process might take a while depending on key-size of specific certificate. With values 4k and higher it might take a substantial time to sign this specific certificate. If certificate does not have T flag then you need to set it as trusted before using it: /certificate set myCa trusted=yes set server trusted=yes Exp...