
[J/SRX] Generating a PKCS10 certificate request


Article ID: KB10175   KB Last Updated: 12 Feb 2020   Version: 8.0
Summary:

This article describes how to generate a PKCS10 certificate request on a J Series or an SRX Series device.

 

Solution:

Additional details about Junos OS and digital certificates can be found here: Digital Certificates

To request a PKI X.509 certificate, perform the following steps by using the Command Line Interface (CLI):

  1. Create a Certificate Authority (CA) profile under the [edit security pki] configuration hierarchy.

    Syntax:

    set security pki ca-profile <ca-profile-name> ca-identity <CA-ID>

    Example:

    [edit]
    root@CORPORATE# set security pki ca-profile juniper-ca ca-identity TACLAB

    [edit]
    root@CORPORATE# commit
  2. Generate a key pair.

    Note: It is recommended to use a key size of 2048 bits. If Payment Card Industry (PCI) Data Security Standard (DSS) compliance is needed, a key size larger than 1024 bits must be used; otherwise Trustwave and similar scan tests may fail with "SSL Certificate Public Key Too Small."

    Additionally, Firefox browsers will not accept an SSL key size of less than 2048 bits.

    Syntax:

    request security pki generate-key-pair certificate-id <cert-id-name> size <size>

    Possible size completions:

    •  1024    1024 bits
    •  2048    2048 bits
    •  512     512 bits

    Example:

    root@CORPORATE> request security pki generate-key-pair certificate-id ms-cert size 1024
    Generated key pair ms-cert, key size 1024 bits
  3. Generate a PKCS #10 certificate request. You can either specify a filename or copy and paste the certificate request text (the block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- shown below) directly into an e-mail to your CA.

    Syntax:

    request security pki generate-certificate-request certificate-id <cert-id-name> subject "subject-details" [ip-address | domain-name | email ] [filename]

    where the "subject-details" string has the format "DC=<Domain-Component>,CN=<Common-Name>,OU=<Organizational-Unit-name>,O=<Organization-name>,L=<Locality>,ST=<State>,C=<Country>"

    Example:

    root@CORPORATE> request security pki generate-certificate-request certificate-id ms-cert subject "CN=John Doe,OU=Sales,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US" ip-address 172.19.51.162

    Note: The comma delimits the fields in the subject, so do not include commas within the subject field values. For example, "CN=Doe, John" will be understood by the SRX device as "CN=Doe,".

    Generated certificate request
    -----BEGIN CERTIFICATE REQUEST-----
    MIIBzjCCATcCAQAwbDERMA8GA1UEAxMISm9obiBEb2UxDjAMBgNVBAsTBVNhbGVz
    MRkwFwYDVQQKExBKdW5pcGVyIE5ldHdvcmtzMRIwEAYDVQQHEwlTdW5ueXZhbGUx
    CzAJBgNVBAgTAkNBMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
    gYkCgYEA2oEJhU3bkXuL3r+Bpj3fr5A1NqgL7kd7JAUjavcQYq93tjEGKdcCGSVn
    7zOjiuc8uNCk8SqZuyVWjHULeACUjnMs/N134egkl0oDtiEuU9ZStDT6yxbseD3d
    /JnTh2TR1EEUCTQPMPJEce0szXXJnRHXp4pwYk3CRHNAEOoQCikCAwEAAaAiMCAG
    CSqGSIb3DQEJDjETMBEwDwYDVR0RBAgwBocErBMzojANBgkqhkiG9w0BAQUFAAOB
    gQDHUEx0VBDYHj/QgEy4ponzlJNSMKwtZpwARsAfjH4yp2BGpwBPToVwXlDzdKSb
    cJKG4qwzQCsQH7CAav2j7EFDX1kdx7DZ2HbpyTPZEnIgio674aIc15jLm1VPDGdu
    ZT6Gjt1QiHOC4MVSsdIKKcALYcaFtZOYX5PGqE1SMFUTFg==
    -----END CERTIFICATE REQUEST-----
    Fingerprint:
    07:09:4c:0d:fe:5a:51:fc:1b:f0:da:98:0a:3f:bf:64:2f:a8:dd:14 (sha1)
    54:09:9e:96:06:6f:fc:21:c4:e7:e2:13:5f:b4:08:77 (md5)

    root@CORPORATE> show security pki certificate-request detail
    Certificate identifier: ms-cert
      Certificate version: 1
      Issued to: CN = John Doe, OU = Sales, O = Juniper Networks, L = Sunnyvale, ST = CA, C = US
      Public key algorithm: rsaEncryption(1024 bits)
        30:81:89:02:81:81:00:da:81:09:85:4d:db:91:7b:8b:de:bf:81:a6
        3d:df:af:90:35:36:a8:0b:ee:47:7b:24:05:23:6a:f7:10:62:af:77
        b6:31:06:29:d7:02:19:25:67:ef:33:a3:8a:e7:3c:b8:d0:a4:f1:2a
        99:bb:25:56:8c:75:0b:78:00:94:8e:73:2c:fc:dd:77:e1:e8:24:97
        4a:03:b6:21:2e:53:d6:52:b4:34:fa:cb:16:ec:78:3d:dd:fc:99:d3
        87:64:d1:d4:41:14:09:34:0f:30:f2:44:71:ed:2c:cd:75:c9:9d:11
        d7:a7:8a:70:62:4d:c2:44:73:40:10:ea:10:0a:29:02:03:01:00:01
      Fingerprint:
        3d:41:7f:84:9a:3b:11:6e:7e:f2:9d:10:d5:33:fe:8c:16:fd:c2:a9 (sha1)
        71:a2:36:ba:6a:90:b9:16:ac:66:48:b0:cf:d3:58:24 (md5)
  4. Send the certificate request to your CA. Your CA will generate your local certificate and CA certificate.
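Before the request goes to the CA, it is worth confirming what the device actually encoded: that the subject fields came through as intended (the comma caveat in step 3), that the key meets the size guidance in step 2, and that the ip-address option landed in the subjectAltName. The script below is an added example, not part of this article or of Junos; it walks the DER structure of the CSR printed in step 3 using only the Python standard library and assumes an RSA request that carries the extensionRequest attribute, as the device produces when ip-address is given.

```python
import base64
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBzjCCATcCAQAwbDERMA8GA1UEAxMISm9obiBEb2UxDjAMBgNVBAsTBVNhbGVz
MRkwFwYDVQQKExBKdW5pcGVyIE5ldHdvcmtzMRIwEAYDVQQHEwlTdW5ueXZhbGUx
CzAJBgNVBAgTAkNBMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEA2oEJhU3bkXuL3r+Bpj3fr5A1NqgL7kd7JAUjavcQYq93tjEGKdcCGSVn
7zOjiuc8uNCk8SqZuyVWjHULeACUjnMs/N134egkl0oDtiEuU9ZStDT6yxbseD3d
/JnTh2TR1EEUCTQPMPJEce0szXXJnRHXp4pwYk3CRHNAEOoQCikCAwEAAaAiMCAG
CSqGSIb3DQEJDjETMBEwDwYDVR0RBAgwBocErBMzojANBgkqhkiG9w0BAQUFAAOB
gQDHUEx0VBDYHj/QgEy4ponzlJNSMKwtZpwARsAfjH4yp2BGpwBPToVwXlDzdKSb
cJKG4qwzQCsQH7CAav2j7EFDX1kdx7DZ2HbpyTPZEnIgio674aIc15jLm1VPDGdu
ZT6Gjt1QiHOC4MVSsdIKKcALYcaFtZOYX5PGqE1SMFUTFg==
-----END CERTIFICATE REQUEST-----"""  # the request printed by the device in step 3 of this article
ATTR = {"2.5.4.3": "CN", "2.5.4.11": "OU", "2.5.4.10": "O", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.6": "C", "0.9.2342.19200300.100.1.25": "DC"}

def tlvs(buf):  # split a DER byte string into its top-level (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def oid(raw):  # decode base-128 OID arcs into dotted form
    arcs, cur = [], 0
    for b in raw:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def inspect_csr(pem):
    der = base64.b64decode("".join(pem.strip().splitlines()[1:-1]))
    # CertificationRequest -> CertificationRequestInfo -> version, subject, SPKI, [0] attributes
    _, (_, name), (_, spki), (_, attrs) = tlvs(tlvs(tlvs(der)[0][1])[0][1])
    subject = ",".join(f"{ATTR.get(oid(o), oid(o))}={v.decode()}" for _, rdn in tlvs(name)
                       for _, atv in tlvs(rdn) for (_, o), (_, v) in [tlvs(atv)])
    rsa_key = tlvs(tlvs(spki)[1][1][1:])[0][1]  # BIT STRING (skip unused-bits byte) -> RSAPublicKey
    key_bits = int.from_bytes(tlvs(rsa_key)[0][1], "big").bit_length()  # modulus size
    san_ips = []
    for _, attr in tlvs(attrs):  # Attribute ::= { type OID, values SET }
        (_, atype), (_, values) = tlvs(attr)
        if oid(atype) == "1.2.840.113549.1.9.14":  # pkcs-9 extensionRequest
            for _, ext in tlvs(tlvs(values)[0][1]):  # Extensions ::= SEQUENCE OF Extension
                items = tlvs(ext)  # extnID, optional critical flag, extnValue
                if oid(items[0][1]) == "2.5.29.17":  # subjectAltName -> GeneralNames, [7] = iPAddress
                    san_ips += [".".join(map(str, gn)) for tag, gn in tlvs(tlvs(items[-1][1])[0][1]) if tag == 0x87 and len(gn) == 4]
    # weak_key mirrors the note in step 2: anything under 2048 bits fails PCI-style scans
    return {"subject": subject, "key_bits": key_bits, "san_ips": san_ips, "weak_key": key_bits < 2048}
```

Run against the article's own request it reports the 1024-bit key as weak, which is exactly the case the note in step 2 warns about.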

After you have received the certificate along with the CA certificate and CRL, refer to KB10176 - How to load a PKI x.509 certificate on a J Series or SRX Series device. For additional information, refer to Obtaining a Certificate from a Certificate Authority and Requesting a PKI certificate.

 

Modification History:

2020-02-12: Removed a sentence that was repeated in Step 4 in solution

2018-06-19: Added the note: "The comma delimits the fields in the subject, so you should not include commas within the subject fields. For example "CN=Doe, John" will be understood by the SRX device as "CN=Doe,"."

 
