We are a small Juniper reseller so cost is a big issue. We also needed a wild card cert and ended up purchasing ours from Rapid SSL (rapidssl.com). Price was great, process was painless and you got a free cert for a month for testing.

Have had no complaints from any of our employees or customers and we the box all day every day for support, remote meetings, etc.....

We also use rapidsll, never a problem!

thawte ... works fine ...

For GoDaddy certs (starfield), you have to locate on their site their cert chain file and import it into the SA. otherwise, any user who only has the starfield CA won't trust your GoDaddy certificate. If they have both the Starfield CA and GoDaddy sub-CA cert, then no problems. I have the same issues with Verisign EV certs, they're signed by a subordinate Verisign CA, so i have to import chain certificates into web-servers, load balancers, etc.

Is there a specific way how juniper generates the certificate with rapidssl?

Do juniper support rapidssl.com

Or if there is a parameter by which rapidssl deny juniper certificate?

I have ns208, ver 5.4r16

I tried generating a certificate from rapidssl.com using the following field like

name=abcde, phone=12345678, unit=xxxx, departmen=xxxx, state=texas, contry=US,[email protected],FQDN=www.juniper.net

when i pasted this csr in the rapidssl.com box it throw me an error saying

"Common Name does not contain fully qualified domain name." this is the error i am getting and not able to generate a certificate from rapidssl.

Am I going wrong somewhere?

Also when i decode my certifcate using csr decoder I am getting

Cn-serial number of box

cn-abcde

cn-123456

cn-www.juniper.net

I want to use cn=www.juniper.net so while negotiating will it negotiate using the cn=www.juniper.net or wil it negotiate using serial number of box. I need it to be negotiated as www.juniper.net as CN , not as anything else..

Please help me and reply if you have any further query

Hello szdayal,

When you are generating the certificate signing request, you'll want to put the fully qualified domain name the clients or machines are using to connect to your SA box (for example, ive.acmegizmo.local). If you are not using a FQDN, you may need to contact rapidssl as I do not believe they issue out certificate for internal names. This would need to be discussed with the certificate authority.

Nice answer!

There is a major drawback to generating the Certificate Signing Request from the Juniper box itself; you cannot export the private key. If you want to put a web application firewall (WAF) in front of the Juniper box, you need to add the SSL certificate public and private keys to the WAF.

If this will ever be a need, generate the CSR some other way, like from IIS. Then export the certificate from IIS as a PFX and use OpenSSL or another utility to convert it to the .PEM format that is importable into the Juniper box. (As I recall it's .PEM) This way you have the public and private keys that you can import into the WAF.

Ray

PS We used Verisign and it works well.

Hi Kita,

Thank you for the reply.

But my problem is whenever I create a certificate and give FQDN as www.juniper.net I always get the CN=serial number fo the box. How to make firewall to send CN=www.juniper.net inspite of sending the serial number

Regards,

szdayal