
how to create CSR to generate 2048 bits certificate ?

Contributor

Hi all,

I'd like to install a 2048-bit server certificate on my SA2000 running IVE OS 6.3R1.

It looks like the CSRs the device creates are systematically 1024 bits.

Is it possible to create a 2048-bit certificate directly via OpenSSL on a Linux system?

Thanks.

Valued Contributor

Re: how to create CSR to generate 2048 bits certificate ?

Have you checked the documentation on importing certs? You don't need to create a CSR first and then bring it in. You can just import a cert and the associated key. I am not in front of my box but there is a chapter called "Certificates" in the admin guide that walks you through it.

Occasional Contributor

Re: how to create CSR to generate 2048 bits certificate ?

Sure you can. Using OpenSSL, generate a key pair, get your public key signed by a CA (or use a self-signed one), and go to "Configuration -> Certificates -> Device Certificates -> Import Certificate and Key" and import the key file and certificate file (these are stored separately).

The commands look something like this:

openssl genrsa -des3 -out "C:\temp\codesign.key" 2048
openssl req -new -key "C:\temp\codesign.key" -out "C:\temp\codesign.csr"

You can use codesign.csr to get a signed cert.

Hope this helps.

Srini
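
Added example (not part of the original posts): since the thread is about CSRs coming out at 1024 bits, this sketch generates the key and CSR with OpenSSL as described above, then reads the key size back out of the CSR and confirms the CSR belongs to the private key before anything is sent to a CA. The subject name and file names are constructed placeholders, and -des3 is left out so the script runs without a passphrase prompt.

```shell
#!/bin/sh
# Added example. Subject name and file names are constructed placeholders.

# Create a 2048-bit RSA key and a CSR for it.
# usage: make_csr <keyfile> <csrfile> <subject>
make_csr() {
    (
        umask 077   # private key readable by owner only
        # No -des3 here so the script runs unattended; add it to
        # passphrase-protect the key as in the post above.
        openssl genrsa -out "$1" 2048 2>/dev/null
    ) || return 1
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# Print the public key size in bits recorded in a CSR.
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeed only if the CSR carries the public half of the given private key.
same_pubkey() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# Demo in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    make_csr "$d/device.key" "$d/device.csr" "/CN=vpn.example.com" &&
        echo "CSR key size: $(csr_bits "$d/device.csr") bits" &&
        same_pubkey "$d/device.key" "$d/device.csr" &&
        echo "CSR matches private key"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

The same public-key comparison works on the issued certificate by reading it with `openssl x509 -in <cert> -noout -pubkey` before importing the key and certificate into the device.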

Not applicable

Re: how to create CSR to generate 2048 bits certificate ?

I have an SA4000-FIPS and the web interface defaults to generating certificate requests with key length 1024 bits. It does not appear to have a way to change it.

I tried srinix's advice but when I go to "Configuration -> Certificates -> Device Certificates ->" there is no "Import Certificate and Key" option. (That option appears only for code signing certs.)

system version 6.3R3 build 13881

Valued Contributor

Re: how to create CSR to generate 2048 bits certificate ?

You can't import a certificate and a key from a non-FIPS compliant device. That is why you don't see the option.

Not applicable

Re: how to create CSR to generate 2048 bits certificate ?

I am confused. I have purchased a new cert from GoDaddy.com. I want to import it into the SSL Gateway (SA-700), but I cannot since GoDaddy only works with 2048-bit keys. Why can I not get a 2048-bit CSR generated?

Muttbarker, are you saying that I can NEVER get a cert for my device?

Contributor

Re: how to create CSR to generate 2048 bits certificate ?

Hi Scott,

What version are you running on your SA-700? I'm not sure which version Juniper added the feature, but in 6.5R1 you can select 1024 or 2048 bit for your CSR.

Regards,

Russ

Valued Contributor

Re: how to create CSR to generate 2048 bits certificate ?

Scott - the previous thread had to do with bigger boxes running the FIPS enhanced security. Not sure I understand your question. Did you generate a CSR on the SA 700 and submit it to GoDaddy? I have not worked on the SA-700 in forever but when you generate a CSR you are supposed to have the option of selecting 1024 or 2048 bit CSR.

So where did your CSR that you submitted to Go Daddy originate from?

As far as I recall the SA 700 does not have any restrictions on generating and applying certs for the Device, only trusted server and code signing which require the core clientless license.

Contributor

Re: how to create CSR to generate 2048 bits certificate ?

It is now possible to generate an RSA-2048 CSR from IVE OS 6.5R1: IVE 6.5 What's New

Previous releases could only do RSA-1024 when generating the CSR on the device (New CSR).

Of course, for keys above 1024, you can still generate the keypair / CSR externally (e.g. using OpenSSL) and import the private key and certificates to the device from plain text files or from a PKCS12 container.

Not applicable

Re: how to create CSR to generate 2048 bits certificate ?

Hi,

Please can you explain how I can use OpenSSL and where to download OpenSSL from?