The problem in my scenario is when I generate the certificate.
1st problem: I need the FQDN to be www.xyz.net and the rest of the fields to be my email address, IP address, etc.
Whenever I generate a certificate with rapidssl.com I get the error
"cn must be fqdn"
So do I have to use the FQDN as something like abc.def.local? In the previous post it's written that it should be something local and resolved by DNS, or you control the DNS. I apologise, but I didn't understand that part. So please, could you brief me on what the format of the FQDN should be when generating the certificate with rapidssl.com?
When I generate the same certificate with verisign.com it doesn't throw an error, but in the certificate the CN field shows the serial number of the box, not "www.xyz.net". When I see the details of that certificate in the Juniper box it does show me 4 things: CN= serial number, CN= email address, CN= IP address, CN= FQDN. But as far as my knowledge is concerned, when I use this certificate in the site-to-site VPN, the FQDN which will be negotiated will be the serial number, whereas I want it to send the FQDN as "www.xyz.net" when the VPN negotiation happens, not the serial number of the box. Am I wrong? Please let me know.
My main concern is that when I use the certificate in a site-to-site VPN, the FQDN negotiated in the phase 1 messages should be "www.xyz.net", not the serial number...
Please let me know.
@stine and kita. I want to give you kudos but I don't see any option other than "add tag" near your name. So I don't know how to give kudos. Is kudos only for some special members...
Hi, just now I created a dummy certificate with the following details:
country : sdb9
and generated a 2048-bit certificate with RSA.
The generated certificate is as shown below:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Now when I went to rapidssl.com and pasted it on their site, I again got the error saying "Common Name does not contain fully qualified domain name."
Please, someone let me know what fields I should give while creating the certificate so that I don't get this error message.
When I went to verisign.com it accepted the certificate but showed me CN= serial number again.
I want my CN to be alphabetical, not a number. Please let me know what I should do.
Also, if someone could suggest a site which supports Juniper certificates, or if there is a special way to create a certificate. Please help me!!
Going here: http://www.thawte.nl/en/support/test+your+csr/ shows your CSR as below. So however you think you're entering the data, that is not how it is really working. Are you using a Microsoft product to generate the CSR? If so, that's the problem. They show "Name" on the form when it's really "Common name" that should be entered. I've never seen Thawte return a CSR result that looks like this one.
Common name: - JN108FABBADA
What exactly does this mean: "I tried generating a certificate from rapidssl.com"?
Did you go to their website and try to create the CSR there? If so, what is the precise URL? I wouldn't ever do that because it could mean that website has a copy of your private key.
I got the solution to my problem. The problem was that whenever I generated the certificate, the Juniper was sending the CN field as the serial number, whereas the public CA sites were rejecting it since it was not in FQDN format.
So what I did is I gave this command:
set pki x509 raw-cn enable
And then generated the certificate like
email address: xxxxx
and then I pasted the generated CSR on the public CA sites like RapidSSL, AlphaSSL, Thawte, GlobalSign, VeriSign etc. and all of them accepted it, showing cn=www.juniper.net
So my problem is resolved now. I can paste my CSR on any public site. Thank you for all your cooperation.
If anyone else faces this issue, just give the above command and remember that whatever you give in the "Name" field while creating the CSR will be taken by the public CA sites.
Happy SSL guys!
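As an added example (not from this thread and not Juniper's or any CA's code), here is the kind of pre-check the Thawte CSR tester above performs, applied to the subject attributes decoded from a CSR: the device serial number in CN is rejected, the four-CN subject is flagged, and the raw-cn result passes. The attribute pairs and addresses below are constructed sample values.

```python
import ipaddress
import re

# DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True if `name` is a syntactically valid fully qualified domain name.

    IP literals, single-label hostnames (e.g. a device serial number),
    over-long names, malformed labels and all-numeric TLDs are rejected.
    """
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    try:
        ipaddress.ip_address(name)  # an IP address is not a domain name
        return False
    except ValueError:
        pass
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return False
    return not labels[-1].isdigit()


def common_name_problems(subject):
    """Check a CSR subject given as ordered (attribute, value) pairs.

    Returns the problems a public CA's "Common Name does not contain fully
    qualified domain name" check would raise; an empty list means the CN passes.
    """
    cns = [v for k, v in subject if k.lower() in ("cn", "commonname")]
    if not cns:
        return ["no CN attribute in subject"]
    problems = []
    if len(cns) > 1:
        problems.append(f"{len(cns)} CN attributes; which one is used is ambiguous")
    if not is_fqdn(cns[0]):
        problems.append(f"CN {cns[0]!r} is not a fully qualified domain name")
    return problems


# Constructed subjects modelled on the thread (not real device output).
SERIAL_CN = [("CN", "JN108FABBADA"), ("emailAddress", "admin@xyz.net")]
FOUR_CN = [("CN", "JN108FABBADA"), ("CN", "admin@xyz.net"),
           ("CN", "192.0.2.10"), ("CN", "www.xyz.net")]
RAW_CN = [("CN", "www.xyz.net"), ("emailAddress", "admin@xyz.net")]

if __name__ == "__main__":
    for label, subj in (("serial", SERIAL_CN), ("four CNs", FOUR_CN), ("raw-cn", RAW_CN)):
        print(label, "->", common_name_problems(subj) or "OK")
```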