
Where did you order your official certificate?

Super Contributor

Re: Where did you order your official certificate?

First of all, don't use If you're going to use a hostname, use a name for which you control the DNS records. In answer to your question, I have never generated a ScreenOS CSR that didn't have these fields: cn=[fqdn] cn=[udn] cn=rsa-key cn=[s/n] cn=[ip address] in addition to CN=[phonenumber],OU=xxx,O=xxx,ST=xxx,C=xx which If there is a way, I don't know it. If you have a business security requirement to mask the firewall vendor from being detectable via the certificate, you should open a case with the JTAC.
Super Contributor

Re: Where did you order your official certificate?

Can you enlighten me how to do that in ScreenOS? Junos OS (redundant isn't it), IVE OS: no problem, but I've yet to figure out how to do that on ScreenOS.
Occasional Contributor

Re: Where did you order your official certificate?

Hi,

The problem in my scenario is when I will generate the certificate.

1st problem: I need the fqdn to be and the rest of the fields as my email address, ip address etc.

Whenever I generate a certificate with I get the error

"cn must be fqdn"

So do I have to use the fqdn as something like abc.def.local? In the previous post it's written that it should be something which is local and resolved by DNS, or for which you control the DNS. I apologise, but I didn't understand that part. So please, if you could brief me on what the format of the fqdn should be when generating the certificate with

When I generate the same certificate with it doesn't throw me an error, but in the certificate the cn field shows the serial number of the box, not the "". When I see the details of that certificate in the Juniper box it does show me 4 things: cn= serial number, cn= email address, cn= ip address, cn= fqdn. But as far as I know, when I use this certificate in the site-to-site VPN, the fqdn which will be negotiated will be the serial number, whereas I want the VPN negotiation to send the fqdn as "", not as the serial number of the box. Am I wrong? Please let me know.

My main concern is that when I use the certificate in a site-to-site VPN, the fqdn negotiated in the phase 1 messages should be "", not the serial number...

Please let me know..

@stine and kita: I want to give you kudos, but I don't see any option other than "add tag" near your name, so I don't know how to give kudos. Is kudos only for some special members?

Thank you!

Occasional Contributor

Re: Where did you order your official certificate?

Hi, just now I created a dummy certificate with the following details:

Name: george

Phone: 8087301706

Unit: java

org: itec

county: sdb9

state: CA

country: US

email: [email protected]

FQDN: ive.acmegizmo.local

and generated a 2048-bit RSA certificate.

The generated certificate is as shown below:


Now when I went to and pasted it on their site, I again got the error saying "Common Name does not contain fully qualified domain name."

Please, someone let me know what fields I should give while creating the certificate so that I don't get this error message.

When I went to it accepted the certificate, but showed me cn= serial number again.

I want my cn to be alphabetical not a number. Please let me know what shall I do.

Also, if someone could suggest a site which supports Juniper certificates, or if there is a special way to create a certificate. Please help me!!

Thank you.

Frequent Contributor

Re: Where did you order your official certificate?

Going here: shows your CSR as below. So however you think you're entering the data is not as it is really working. Are you using a Microsoft product to generate the CSR? If so, that's the problem. They show "Name" on the form when it's really "Common name" that should be entered. I've never seen Thawte return a CSR result that looks like this one.


Common name:- JN108FABBADA
- 8087301706
- rsa-key
- ive.acmegizmo.local
- George
Company name:Itac


Frequent Contributor

Re: Where did you order your official certificate?

What exactly does this mean: 'I tried generating a certificate from'?

Did you go to their website and try to create the CSR there? If so, what is the precise URL? I wouldn't ever do that because it could mean that website has a copy of your private key.


Occasional Contributor

Re: Where did you order your official certificate?

No, I tried going to sites like and pasted the certificate which I pasted above, and it threw me an error saying "cn must be fqdn". You could try going to the site and pasting my certificate, or generate a certificate in your Juniper firewall and paste it in, and it will throw you the error. Don't know what to do.
Occasional Contributor

Re: Where did you order your official certificate?

Hi Guys,


I got the solution to my problem. The problem was that whenever I generated the certificate, the Juniper was sending the CN field as the serial number, whereas the public CA sites were rejecting it since it was not in FQDN format.

So what I did is I gave this command:

set pki x509 raw-cn enable


And then generated the certificate like:


phone: xxxxx

email address: xxxxx

fqdn: xxxxxx

etc. etc.

and then I pasted the generated CSR on the public CA sites like RapidSSL, AlphaSSL, Thawte, GlobalSign, VeriSign, etc., and all of them accepted it, showing the

So my problem is resolved now. I can paste my CSR on any public site. Thank you for all your cooperation.

If anyone else faces this issue, just give the above command, and remember that whatever you give in the "Name" field while creating the CSR will be taken by the public CA sites.

Happy SSL guys!

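To show why the public CA checkers in this thread reported the serial number as the Common Name, here is an added example (not code from the thread or from Juniper) that builds the two subject forms as DER, pulls out every CN value, and applies a first-CN-must-be-FQDN rule like the "cn must be fqdn" error above. The two subjects are constructed from the Thawte checker output in the thread; that the CA reads only the first CN value, and the FQDN regex itself, are assumptions.

```python
import re

OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}   # id-at-commonName, id-at-organizationName
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def _tlv(tag, body):
    """DER tag-length-value; supports bodies up to 255 bytes (enough for a subject)."""
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + ln + body

def encode_name(rdns):
    """Build a DER Name with one RDN (SET) per (attr, value) pair, so repeated
    CN entries come out as separate cn= attributes, the way ScreenOS emits them."""
    body = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, OIDS[attr]) + _tlv(0x0C, value.encode())))
        for attr, value in rdns)
    return _tlv(0x30, body)

def _walk(buf):
    """Yield (tag, body) for consecutive DER TLVs in buf (short and 0x81 lengths)."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln == 0x81:                               # one-byte long-form length
            ln, i = buf[i], i + 1
        yield tag, buf[i:i + ln]
        i += ln

def common_names(name_der):
    """Return every CN value in a DER Name, in subject order."""
    cns = []
    (_, rdns), = _walk(name_der)                     # outer SEQUENCE OF RDN
    for _, rdn in _walk(rdns):                       # each RDN is a SET
        for _, atv in _walk(rdn):                    # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, val) = _walk(atv)
            if oid == OIDS["CN"]:
                cns.append(val.decode())
    return cns

def check_subject(name_der):
    """First-CN check mirroring the thread's CA error; reading only the first CN is an assumption."""
    cns = common_names(name_der)
    if not cns or not FQDN_RE.match(cns[0]):
        return False, "cn must be fqdn (got %r)" % (cns[0] if cns else None)
    return True, cns[0]

# Constructed: the multi-CN subject from the Thawte checker output, and the single-CN
# subject after 'set pki x509 raw-cn enable' with the FQDN typed into the Name field.
SCREENOS_SUBJECT = [("CN", "JN108FABBADA"), ("CN", "8087301706"), ("CN", "rsa-key"),
                    ("CN", "ive.acmegizmo.local"), ("CN", "George"), ("O", "Itac")]
RAW_CN_SUBJECT = [("CN", "ive.acmegizmo.local"), ("O", "Itac")]
```

Running `check_subject(encode_name(...))` on the two subjects reproduces the thread's outcome: the default ScreenOS subject fails because its first CN is the chassis serial number, and the raw-cn subject passes with the FQDN as its only CN.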