cancel
Showing results for 
Search instead for 
Did you mean: 

Where did you order your official certificate?

Highlighted
Super Contributor

Re: Where did you order your official certificate?

First of all, don't use CN=www.juniper.net. If you're going to use a hostname, use a name for which you control the DNS records.. in answer to your question, I have never generated a ScreenOS CSR that didn't have these fields: cn=[fqdn] cn=[udn] cn=rsa-key cn=[s/n] cn=[ip address] in addition to CN=[phonenumber],OU=xxx,O=xxx,ST=xxx,C=xx which If there is a way, I don't know it. If you have a business security requirement to mask the firewall vendor from being detectable via the certificate, you should open a case with the JTAC.
Highlighted
Super Contributor

Re: Where did you order your official certificate?

Can you enlighten me how to do that in ScreenOS? Junos OS (redundant isn't it), IVE OS: no problem, but I've yet to figure out how to do that on ScreenOS.
Highlighted
Occasional Contributor

Re: Where did you order your official certificate?

Hi ,

The problem in my scenario is when I will generate the certificate.

1st problem: I need the fqdn to be www.xyz.net and rest other field as my email address, ip address etc

Whenever I generate a certificate wih rapidssl.com i get the error as

"cn must be fqdn"

So do I have to use fqdn as something like abc.def.local something.. Means in the previous post as its written that it should be something which should be local and resolved by dns or you control the dns. I apologise but I din't understood that part. So please if you could brief me like what shold be the format of fqdn when generating the certificate with rapidssl.com

when the same certificate I am generating with verisign.com it doesn't throw me an error but in the certificate cn field it shows as the serial number of box. Not as the "www.xyz.net" . when I see the detail of that certificate in the juniper box it do show me 4 things. Cn= serial number, cn= email address, cn= ip address, cn= fqdn but As far as my knowledge is concern when I will use this certificate in the site to site vpn. The fqdn which will be negotiated will be the serial number whereas I want when the vpn negotiation happens it should send the fqdn as "www.xyz.net" not as the serial number of box. Am I wrong? please let me know.

My main concern is when I use the certificate in a site to site vpn the fqdn which should be negotiated in the phase 1 messages should be "www.xyz.net' not as the serial number...

Please let me know..

@stine and kita. I want to give you a kudos but I don't see any option other than add tag near your name. So I don't know how to give kudos. IS kudos is for some special members...

Thank you!

Highlighted
Occasional Contributor

Re: Where did you order your official certificate?

HI Just now I created a dummy certificate with followint detail:

Name: george

Phone: 8087301706

Unit: java

org: itec

county : sdb9

state: CA

country: US

email: certificate@juniper.net

FQDN: ive.acmegizmo.local

and generated a 2048 bit certificate with RSA

The generated certificate is as shown below:

-----BEGIN CERTIFICATE REQUEST-----
MIIDRDCCAiwCAQAwgbQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTENMAsGA1UE
BxMEc2RiOTENMAsGA1UEChMESXRhYzENMAsGA1UECxMESmF2YTEVMBMGA1UEAxMM
Sk4xMDhGQUJCQURBMRMwEQYDVQQDEwo4MDg3MzAxNzA2MRAwDgYDVQQDEwdyc2Et
a2V5MRwwGgYDVQQDExNpdmUuYWNtZWdpem1vLmxvY2FsMQ8wDQYDVQQDEwZHZW9y
Z2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkCRCRd3KxVoeohIQK
nKIe2FY0kTyOsuYQRvaw1U9rWh4SjWiimOPN8Gou/cnsip2VOnkQIcrsgrUMUf3k
PCCg21o5Wmd81Z+oOnMFp+NvQgKfyRlvbY8jkg+FCtY4rt0yv8o7BRdSgC6OJNpA
/fT1h21V3bGAw7/4pEQju/ZpXuDStuis94Pl1WNwXN99DGEx0fGq3XT/Tl9em3lM
jARrteLHlStsR3XGoPP2PiR0Rir47zwqLU9MhLuj05vvTcjs1OrmLpENRgaiUB/t
J6fHUyZQl3Morwjvy8mCaGfPTE2EuyzZBxYuSR8djl47ly31dQl5l0qQ4evZTofQ
kaNbAgMBAAGgSjBIBgkqhkiG9w0BCQ4xOzA5MDcGA1UdEQQwMC6CE2l2ZS5hY21l
Z2l6bW8ubG9jYWyBF2NlcnRpZmljYXRlQGp1bmlwZXIubmV0MA0GCSqGSIb3DQEB
BQUAA4IBAQBm67ECWN1t17U8tEuGDpuXJxSyCkk50C0Rn5rCQBOZTqeOPyGS2nR2
WmcINNKf8s/isPB8CSf2GSJOfrPAVMtgazt9cQ+dvO7fJHeycAclaKfB57Gvkd30
0IfECg6tms10fz8OYyd26poA90JYEFtjQps8YfSL6oBmSujSZ4us/I+4GhVrpsku
Fi8lOhEKY6hodVLtMuc54uXvuXN1zJOg2jMGjmJ/i+Y0wc8v51PUKEn7jJrW91Lu
U2QvCbalgOyb7sMy4OOB14YxTE9Bl0WlZ0TIpDXiHOJBXo6OSgD1TpYs5wvQGx40
O5XyyZs2CcjL8Kv2P2gtv/CEDYHR0OiT
-----END CERTIFICATE REQUEST-----

Now when I went to rapidssl.com i pasted it to there site I again got the error saying "Common Name does not contain fully qualified domain name."

Please someone let me know what fields should I give while creating the certificate so that I shouldn't get this error message.

when I went to verisign.com it accepted the certificate but showed me the cn= serial number again.

I want my cn to be alphabetical not a number. Please let me know what shall I do.

Also If some one suggest me some site which support juniper certificate or if there is a special way to create a certificate. Please help me!!

Thank you.

Highlighted
Frequent Contributor

Re: Where did you order your official certificate?

Going here: http://www.thawte.nl/en/support/test+your+csr/ shows your CSR as below. So however you think you're entering the data is not as it is really working. Are you using a Microsoft product to generate the CSR? If so, that's the problem. They show "Name" on the form when it's really "Common name" that should be entered. I've never seen Thawte return a CSR result that looks like this one.

Ray

Country:US
Common name:- JN108FABBADA
- 8087301706
- rsa-key
- ive.acmegizmo.local
- George
Location:sdb9
Company name:Itac
OU:Java
Province:

CA

Highlighted
Frequent Contributor

Re: Where did you order your official certificate?

What exactly does this mean: 'I tried generating a certificate from rapidssl.com" ?

Did you go to their website and try to create the CSR there? If so, what is the precise URL?I wouldn't ever do that because it could mean that website has a copy of your private key.

Ray

Highlighted
Occasional Contributor

Re: Where did you order your official certificate?

No, I tried to go to rapidssl.com like https://products.geotrust.com/orders/enrollment/OrderInfo.do and pasted the certificate which i pasted above and it throwed me an error saying "cn must be fqdn" You could try going to the site and try pasting my certificate or generate a certifcate in your juniper firewall and paste it in rapidssl.com and it will throw you the error. Don't know what to do
Highlighted
Occasional Contributor

Re: Where did you order your official certificate?

Hi Guys,

Smiley Very Happy

I got the solution to my problem. The problem was whenever i generate the certificate the juniper was sending the CN field as serial number whereas the public CA site were rejecting it since it was not a FQDN format.

So what I did is I gave this command:

set pki x509 raw-cn enable

save

And than generated the certificate like

Name: www.juniper.net

phone: xxxxx

email address: xxxxx

fqdn: xxxxxx

etc. etc.

and then the generated CSR i pasted on the public ca site like rapidssl, alpha ssl, thwate, global sign, verisign etc etc and all of them accepted it showing the cn=www.juniper.net

So my problem is resolved now. I can paste my CSR on any public site. Thank you for all your co operation.

If any one else face this issue just give the above command and remember whatever you will give in "Name" field while creating CSR wil be taken by the PUBLIC CA sites.

Happy SSL guys!

Smiley Wink