You do not have to use a VeriSign-type cert authority. You can use your in-house CA, or one of the good "free" CAs like cacert.org -- the issue will be that your users may not have that CA's root certificate in their browser, so when they go to log in they will get a cert error. They will need to put the root cert in to get around the errors or just do an exception for the cert from the SA box.
I tried to use my CA but it gave me an error message:
"The request contains no certificate template information. Denied by Policy Module, the request does not contain a certificate template extension or the Certificate Template request attribute."
I looked that up on the MS website and it refers to another TechNet article talking about domain controllers and certificates. I think my best bet is just to go with VeriSign. Thanks for the info though.
Hey Jon - your choice, obviously. I can tell you that we use a cert from cacert.org with no problems on all our internal boxes rather than paying for VeriSign, and it works just fine.
Welcome to the Juniper Forums by the way!
Initially, when you set up the SA, it asks you to create a cert, and that is a self-signed cert. You can use that cert if you want, but like Kevin said, your users will get the trusted CA error. If you do decide to go with VeriSign, do not fall for their GIMMICKS; get the cheapest cert you can find, as the more expensive certs do not give you anything additional, just a lot of HOOO HAA.