
Where did you order your official certificate?

stine_
Super Contributor

Re: Where did you order your official certificate?

First of all, don't use CN=www.juniper.net. If you're going to use a hostname, use a name for which you control the DNS records. In answer to your question, I have never generated a ScreenOS CSR that didn't have these fields: cn=[fqdn] cn=[udn] cn=rsa-key cn=[s/n] cn=[ip address] in addition to CN=[phonenumber],OU=xxx,O=xxx,ST=xxx,C=xx. If there is a way, I don't know it. If you have a business security requirement to mask the firewall vendor from being detectable via the certificate, you should open a case with the JTAC.
stine_
Super Contributor

Re: Where did you order your official certificate?

Can you enlighten me how to do that in ScreenOS? Junos OS (redundant isn't it), IVE OS: no problem, but I've yet to figure out how to do that on ScreenOS.
szdayal_
Occasional Contributor

Re: Where did you order your official certificate?

Hi,

The problem in my scenario is when I will generate the certificate.

1st problem: I need the FQDN to be www.xyz.net and the rest of the other fields as my email address, IP address, etc.

Whenever I generate a certificate with rapidssl.com I get the error:

"cn must be fqdn"

So do I have to use an FQDN like abc.def.local or something? In the previous post it's written that it should be something local and resolved by DNS, or that you control the DNS. I apologise, but I didn't understand that part. So please, if you could brief me on what the format of the FQDN should be when generating the certificate with rapidssl.com.

When I generate the same certificate with verisign.com it doesn't throw me an error, but in the certificate the CN field shows the serial number of the box, not "www.xyz.net". When I see the details of that certificate in the Juniper box it does show me 4 things: cn= serial number, cn= email address, cn= ip address, cn= fqdn. But as far as my knowledge is concerned, when I use this certificate in the site-to-site VPN, the FQDN which will be negotiated will be the serial number, whereas I want the VPN negotiation to send the FQDN as "www.xyz.net", not the serial number of the box. Am I wrong? Please let me know.

My main concern is that when I use the certificate in a site-to-site VPN, the FQDN which is negotiated in the phase 1 messages should be "www.xyz.net", not the serial number...

Please let me know..

@stine and kita: I want to give you kudos but I don't see any option other than "add tag" near your name. So I don't know how to give kudos. Is kudos only for some special members?

Thank you!

szdayal_
Occasional Contributor

Re: Where did you order your official certificate?

Hi, just now I created a dummy certificate with the following details:

Name: george

Phone: 8087301706

Unit: java

org: itec

county: sdb9

state: CA

country: US

email: [email protected]

FQDN: ive.acmegizmo.local

and generated a 2048 bit certificate with RSA

The generated certificate is as shown below:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

Now when I went to rapidssl.com and pasted it on their site I again got the error saying "Common Name does not contain fully qualified domain name."

Please, someone let me know what fields I should give while creating the certificate so that I don't get this error message.

When I went to verisign.com it accepted the certificate but showed me cn= serial number again.

I want my CN to be alphabetical, not a number. Please let me know what I should do.

Also, if someone could suggest a site which supports Juniper certificates, or if there is a special way to create a certificate. Please help me!!

Thank you.

Ray_
Frequent Contributor

Re: Where did you order your official certificate?

Going here: http://www.thawte.nl/en/support/test+your+csr/ shows your CSR as below. So however you think you're entering the data is not as it is really working. Are you using a Microsoft product to generate the CSR? If so, that's the problem. They show "Name" on the form when it's really "Common name" that should be entered. I've never seen Thawte return a CSR result that looks like this one.

Ray

Country:US
Common name:- JN108FABBADA
- 8087301706
- rsa-key
- ive.acmegizmo.local
- George
Location:sdb9
Company name:Itac
OU:Java
Province:CA

Ray_
Frequent Contributor

Re: Where did you order your official certificate?

What exactly does this mean: "I tried generating a certificate from rapidssl.com"?

Did you go to their website and try to create the CSR there? If so, what is the precise URL? I wouldn't ever do that because it could mean that website has a copy of your private key.

Ray

szdayal_
Occasional Contributor

Re: Where did you order your official certificate?

No, I went to rapidssl.com at https://products.geotrust.com/orders/enrollment/OrderInfo.do and pasted the certificate which I pasted above, and it threw me an error saying "cn must be fqdn". You could try going to the site and pasting my certificate, or generate a certificate in your Juniper firewall and paste it in rapidssl.com, and it will throw you the error. Don't know what to do.
szdayal_
Occasional Contributor

Re: Where did you order your official certificate?

Hi Guys,


I got the solution to my problem. The problem was that whenever I generated the certificate, the Juniper was sending the CN field as the serial number, whereas the public CA sites were rejecting it since it was not in FQDN format.

So what I did is I gave this command:

set pki x509 raw-cn enable

save

And then generated the certificate like:

Name: www.juniper.net

phone: xxxxx

email address: xxxxx

fqdn: xxxxxx

etc. etc.

And then I pasted the generated CSR on the public CA sites like RapidSSL, AlphaSSL, Thawte, GlobalSign, VeriSign etc. etc., and all of them accepted it, showing cn=www.juniper.net.

So my problem is resolved now. I can paste my CSR on any public site. Thank you for all your cooperation.

If anyone else faces this issue, just give the above command and remember that whatever you give in the "Name" field while creating the CSR will be taken by the public CA sites.

Happy SSL guys!

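To make the rejection in this thread reproducible offline, here is an added example (not ScreenOS, Juniper or any CA's code) that decodes an X.500 Subject the way a CA reads it out of a CSR and applies the rule that produced "cn must be fqdn": the first CN value must be a fully qualified domain name, and there should be exactly one CN. It includes a minimal DER encoder/decoder for the RDNSequence so it runs on the Python standard library alone. The two sample subjects are constructed: the first mirrors the multi-CN output Ray's Thawte check displayed (serial number first), the second is the single-CN form you get after "set pki x509 raw-cn enable", with www.example.com as a placeholder for a name whose DNS you control.

```python
# Added example for this thread (not ScreenOS/Juniper code): decode a CSR Subject
# and apply the public-CA rule "CN must be a single FQDN".  Minimal DER helpers for
# the X.500 RDNSequence are included so it runs on the standard library alone.
import re

OID_CN, OID_C, OID_ST, OID_L, OID_O, OID_OU = (
    "2.5.4.3", "2.5.4.6", "2.5.4.8", "2.5.4.7", "2.5.4.10", "2.5.4.11")
SHORT = {OID_CN: "CN", OID_C: "C", OID_ST: "ST", OID_L: "L", OID_O: "O", OID_OU: "OU"}

# --- DER encoding ----------------------------------------------------------
def _length(n):                      # DER length: short form < 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _oid(dotted):                    # OBJECT IDENTIFIER, base-128 arcs
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_name(attrs):
    """attrs: list of (oid, value); one UTF8String attribute per RDN."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _oid(oid) + _tlv(0x0C, val.encode())))
                    for oid, val in attrs)
    return _tlv(0x30, rdns)

# --- DER decoding ----------------------------------------------------------
def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                 # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def decode_name(der):
    """DER RDNSequence -> list of (oid, value) in on-the-wire order."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Subject is not a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)        # SET OF AttributeTypeAndValue
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)        # SEQUENCE { type, value }
            _, oid_raw, q = _read_tlv(atv, 0)
            _, val_raw, _ = _read_tlv(atv, q)
            attrs.append((_decode_oid(oid_raw), val_raw.decode("utf-8", "replace")))
    return attrs

# --- the CA-side check -----------------------------------------------------
FQDN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def cn_values(attrs):
    return [v for oid, v in attrs if oid == OID_CN]

def check_subject(der):
    """(ok, detail): ok only when the sole CN is an FQDN; first CN is what a CA reads."""
    cns = cn_values(decode_name(der))
    if not cns:
        return False, "no CN attribute"
    if not FQDN.match(cns[0]):
        return False, "cn must be fqdn (first CN is %r)" % cns[0]
    if len(cns) > 1:
        return False, "multiple CN values: %s" % ", ".join(cns)
    return True, cns[0]

def pretty(der):
    return "/".join("%s=%s" % (SHORT.get(oid, oid), v) for oid, v in decode_name(der))

# Constructed sample 1: ScreenOS-style multi-CN subject as shown by Ray's Thawte check.
def screenos_style_subject():
    return encode_name([(OID_C, "US"), (OID_CN, "JN108FABBADA"), (OID_CN, "8087301706"),
                        (OID_CN, "rsa-key"), (OID_CN, "ive.acmegizmo.local"),
                        (OID_CN, "George"), (OID_L, "sdb9"), (OID_O, "Itac"),
                        (OID_OU, "Java"), (OID_ST, "CA")])

# Constructed sample 2: single FQDN CN, as after "set pki x509 raw-cn enable"
# (www.example.com is a placeholder for a name whose DNS you control).
def raw_cn_subject():
    return encode_name([(OID_C, "US"), (OID_ST, "CA"), (OID_L, "sdb9"), (OID_O, "Itac"),
                        (OID_OU, "Java"), (OID_CN, "www.example.com")])

if __name__ == "__main__":
    for der in (screenos_style_subject(), raw_cn_subject()):
        print(pretty(der), "->", check_subject(der))
```

Running it prints the ScreenOS-style subject rejected with "cn must be fqdn (first CN is 'JN108FABBADA')" and the raw-CN subject accepted as www.example.com. Two caveats worth checking before you submit a real CSR: run the same decode on your own CSR's Subject (openssl req -noout -subject -nameopt sep_multiline shows the same multi-valued CN list) rather than trusting the web form, and pick a registered domain you control, since public CAs will not issue for internal names such as ive.acmegizmo.local.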