# thanks to http://wiki.mikrotik.com/wiki/Manual:Create_Certificates
# and http://wiki.mikrotik.com/wiki/SSL_Certificate_setup

# what? YOU haven't stolen OpenVPN's "easy-rsa" directory
# and parlayed that into your very own CA whose signatures are
# trusted by all your devices? shame on you: do that now. ;-)
# Step 1 (workstation): create the router's RSA key and a CSR inside the CA's
# easy-rsa keys directory.
[grimm@mac keys]$ pwd
/Volumes/NoisePlant_CA/easy-rsa/keys
# 2048-bit RSA key; -des3 makes openssl encrypt it under a passphrase.
[grimm@mac keys]$ openssl genrsa -des3 -out mikrotik.office.noiseplant.com.key 2048
...
# Same file as input and output with no cipher option: the key is rewritten
# unencrypted, so the passphrase set above is gone. From here on only file
# permissions (and whatever protects this volume) guard the private key.
[grimm@mac keys]$ openssl rsa -in mikrotik.office.noiseplant.com.key -out mikrotik.office.noiseplant.com.key
...
# Owner read-only, nothing for group/other.
# NOTE(review): this runs after the unencrypted key is already on disk; the
# mode it had until now is not shown. Setting `umask 077` before genrsa would
# avoid depending on this later chmod.
[grimm@mac keys]$ chmod 0400 mikrotik.office.noiseplant.com.key
# Certificate signing request for that key; the subject fields are entered at
# the prompts elided below.
[grimm@mac keys]$ openssl req -new -key mikrotik.office.noiseplant.com.key -out mikrotik.office.noiseplant.com.csr
...
# Step 2 (workstation): sign the CSR with the private CA and copy the results
# to the router.
[grimm@mac keys]$ cd ..
# Source easy-rsa's settings into the current shell (contents not shown;
# presumably the CA paths and defaults the signing script reads).
[grimm@mac easy-rsa]$ . vars
...
# Sign the request with the CA. Presumably reads keys/<name>.csr and writes
# keys/<name>.crt, which is the file copied below -- confirm against the
# local easy-rsa scripts.
[grimm@mac easy-rsa]$ ./sign-req mikrotik.office.noiseplant.com
...
[grimm@mac easy-rsa]$ cd keys/
# Brace expansion sends both the .key and the .crt to the router over SSH.
# NOTE(review): the .key is the unencrypted private key, so after this copy it
# exists in two places: here and in the router's file store.
[grimm@mac keys]$ scp mikrotik.office.noiseplant.com.{key,crt} mikrotik:./
...

# Step 3 (router): import the certificate, then the private key, from the
# uploaded files.
[grimm@mikrotik] > /certificate import file-name=mikrotik.office.noiseplant.com.crt
passphrase: 
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

# Passphrase left empty; private-keys-imported: 1 with decryption-failures: 0
# is consistent with the key having been stored unencrypted.
[grimm@mikrotik] > /certificate import file-name=mikrotik.office.noiseplant.com.key
passphrase: 
     certificates-imported: 0
     private-keys-imported: 1
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

# NOTE(review): the uploaded .key file presumably still sits in the router's
# file list after the import; once the K flag below confirms the key is bound
# to the certificate, delete it with /file remove -- verify with /file print.

# List the certificate store. Per the legend, K = a private key is attached
# and T = trusted. No name was given on import; the entry shows up as cert_2.
# NOTE(review): the only SUBJECT-ALT-NAME listed is an email address. Clients
# that match the hostname against DNS subjectAltName entries would need a DNS
# SAN added at signing time -- confirm with the clients actually in use.
[grimm@mikrotik] > /certificate p
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, 
T - trusted 
 #         NAME           COMMON-NAME         SUBJECT-ALT-NAME                                      FINGERPRINT        
 0 K     T cert_2         mikrotik.office.... email:root@noiseplant.com                             c023d2490730bac4...

# Step 4 (router): turn off plain-HTTP management and bind the imported
# certificate to the TLS management services.
[grimm@mikrotik] > /ip service disable www
[grimm@mikrotik] > /ip service set www-ssl certificate=cert_2
[grimm@mikrotik] > /ip service set api-ssl certificate=cert_2

# Verify: X marks a disabled service. Only ssh, www-ssl and api-ssl remain
# enabled, and both TLS services list cert_2.
# NOTE(review): the ADDRESS column is empty on every row, i.e. no source
# prefix restriction is set on the enabled services here. Setting address= to
# the management network on ssh, www-ssl and api-ssl would narrow who can
# reach them; firewall rules are not shown, so confirm what already applies.
[grimm@mikrotik] > /ip service p
Flags: X - disabled, I - invalid 
 #   NAME                  PORT ADDRESS                                                     CERTIFICATE                
 0 X telnet                  23
 1 X ftp                     21
 2 X www                     80
 3   ssh                     22
 4   www-ssl                443                                                             cert_2                     
 5 X api                   8728
 6 X winbox                8291
 7   api-ssl               8729                                                             cert_2

# hooray!