
Regular Contributor

Where did you order your official certificate?

Hey there,

I want to know where you ordered your certificate for the SSL VPN gateway and if everything works well with it.

Currently we are using a self-signed certificate for our SA4000 SSL VPN, because the official one we have causes some trouble for a bunch of users. If I import the official certificate (which is valid for sure) to the SA, lots of users get "the secure gateway denied the connection" - normally a message when a client firewall is active. If I go back to the self-signed one, all these users can work without any problems.

All the previous years the official one was working as well, but for the latest one the trust center has changed something. It's another path with a sub-root certificate needed. Since then it's not working, but only for 50% of the users.

Root seems to be Equifax (or GeoTrust - depends on whatever, I don't know; some users' browsers show Equifax, some GeoTrust) and the sub-certificate is TC TrustCenter SSL 2.

Hope to get some information about where you ordered the certificate and if you are satisfied with it.

Thanks a lot

17 replies
Valued Contributor

Re: Where did you order your official certificate?

We are a small Juniper reseller, so cost is a big issue. We also needed a wildcard cert and ended up purchasing ours from RapidSSL (rapidssl.com). Price was great, the process was painless and you get a free cert for a month for testing.

Have had no complaints from any of our employees or customers, and we use the box all day every day for support, remote meetings, etc.
Contributor

Re: Where did you order your official certificate?

We also use RapidSSL, never a problem!
Contributor

Re: Where did you order your official certificate?

Thawte ... works fine ...
Super Contributor

Re: Where did you order your official certificate?

For GoDaddy certs (Starfield), you have to locate their cert chain file on their site and import it into the SA. Otherwise, any user who only has the Starfield CA won't trust your GoDaddy certificate. If they have both the Starfield CA and the GoDaddy sub-CA cert, then no problems. I have the same issues with Verisign EV certs: they're signed by a subordinate Verisign CA, so I have to import chain certificates into web servers, load balancers, etc.
Occasional Contributor

Re: Where did you order your official certificate?

Is there a specific way that Juniper generates the certificate with RapidSSL?

Does Juniper support rapidssl.com?

Or is there a parameter by which RapidSSL denies Juniper certificates?

I have an NS208, version 5.4r16.

I tried generating a certificate from rapidssl.com using the following fields:

name=abcde, phone=12345678, unit=xxxx, departmen=xxxx, state=texas, contry=US,email=abc@juniper.net,FQDN=www.juniper.net

When I pasted this CSR in the rapidssl.com box it threw me an error saying

"Common Name does not contain fully qualified domain name." This is the error I am getting, and I am not able to generate a certificate from RapidSSL.

Am I going wrong somewhere?

Also, when I decode my certificate using a CSR decoder I am getting

Cn-serial number of box

cn-abcde

cn-123456

cn-www.juniper.net

I want to use cn=www.juniper.net, so while negotiating, will it negotiate using cn=www.juniper.net or will it negotiate using the serial number of the box? I need it to be negotiated with www.juniper.net as CN, not anything else.

Please help me and reply if you have any further query.
Valued Contributor

Re: Where did you order your official certificate?

Hello szdayal,

When you are generating the certificate signing request, you'll want to put in the fully qualified domain name the clients or machines are using to connect to your SA box (for example, ive.acmegizmo.local). If you are not using a FQDN, you may need to contact RapidSSL, as I do not believe they issue certificates for internal names. This would need to be discussed with the certificate authority.
Valued Contributor

Re: Where did you order your official certificate?

Nice answer!

Frequent Contributor

Re: Where did you order your official certificate?

There is a major drawback to generating the Certificate Signing Request from the Juniper box itself: you cannot export the private key. If you want to put a web application firewall (WAF) in front of the Juniper box, you need to add the SSL certificate's public and private keys to the WAF.

If this will ever be a need, generate the CSR some other way, like from IIS. Then export the certificate from IIS as a PFX and use OpenSSL or another utility to convert it to the .PEM format that is importable into the Juniper box. (As I recall it's .PEM.) This way you have the public and private keys that you can import into the WAF.

Ray

PS We used Verisign and it works well.

Occasional Contributor

Re: Where did you order your official certificate?

Hi Kita,

Thank you for the reply.

But my problem is whenever I create a certificate and give the FQDN as www.juniper.net, I always get CN=serial number of the box. How to make the firewall send CN=www.juniper.net instead of sending the serial number?

Regards,

szdayal