i wanna know where you ordered your certificate for the ssl vpn gateway and if everything works well with it.
momentarily we are using a self-signed certificate for our sa4000 ssl vpn, because the official one we have causes some trouble for a bunch of users. if i import the official certificate (which is valid for sure) to the SA, lots of users get "the secure gateway denied the connection" - normally a message when a clientfirewall is active. if i go back to the self-signed one - all these user can work without any problems.
all the previous years, the official one was working aswell, but for the latest one the trustcenter has changed anything. its another path with a sub-root-certificate needed. since then its not working, but only for 50% of the users.
root seems to be equifax (OR GeoTrust - depends on whatever, i dont know. some users browser show equifax, some geotrust) and the sub-certificate is tc trustcenter ssl 2.
hope to get some information about where you orderen the certificate and if you are satisfied with it.
thanks a lot
We are a small Juniper reseller so cost is a big issue. We also needed a wild card cert and ended up purchasing ours from Rapid SSL (rapidssl.com). Price was great, process was painless and you got a free cert for a month for testing.
Have had no complaints from any of our employees or customers and we the box all day every day for support, remote meetings, etc.....
For GoDaddy certs (starfield), you have to locate on their site their cert chain file and import it into the SA. otherwise, any user who only has the starfield CA won't trust your GoDaddy certificate. If they have both the Starfield CA and GoDaddy sub-CA cert, then no problems. I have the same issues with Verisign EV certs, they're signed by a subordinate Verisign CA, so i have to import chain certificates into web-servers, load balancers, etc.
Is there a specific way how juniper generates the certificate with rapidssl?
Do juniper support rapidssl.com
Or if there is a parameter by which rapidssl deny juniper certificate?
I have ns208, ver 5.4r16
I tried generating a certificate from rapidssl.com using the following field like
name=abcde, phone=12345678, unit=xxxx, departmen=xxxx, state=texas, contry=US,firstname.lastname@example.org,FQDN=www.juniper.net
when i pasted this csr in the rapidssl.com box it throw me an error saying
"Common Name does not contain fully qualified domain name." this is the error i am getting and not able to generate a certificate from rapidssl.
Am I going wrong somewhere?
Also when i decode my certifcate using csr decoder I am getting
Cn-serial number of box
I want to use cn=www.juniper.net so while negotiating will it negotiate using the cn=www.juniper.net or wil it negotiate using serial number of box. I need it to be negotiated as www.juniper.net as CN , not as anything else..
Please help me and reply if you have any further query
When you are generating the certificate signing request, you'll want to put the fully qualified domain name the clients or machines are using to connect to your SA box (for example, ive.acmegizmo.local). If you are not using a FQDN, you may need to contact rapidssl as I do not believe they issue out certificate for internal names. This would need to be discussed with the certificate authority.
There is a major drawback to generating the Certificate Signing Request from the Juniper box itself; you cannot export the private key. If you want to put a web application firewall (WAF) in front of the Juniper box, you need to add the SSL certificate public and private keys to the WAF.
If this will ever be a need, generate the CSR some other way, like from IIS. Then export the certificate from IIS as a PFX and use OpenSSL or another utility to convert it to the .PEM format that is importable into the Juniper box. (As I recall it's .PEM) This way you have the public and private keys that you can import into the WAF.
PS We used Verisign and it works well.