Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Cannot paste CSR (Certificate Signing Request) to CA Server. Error message specifies CN field is wrong

0

0

Article ID: KB20878 KB Last Updated: 11 Aug 2011Version: 2.0
Summary:
When submitting a CSR (Certificate Signing Request) to a CA server, error messages such as CN field must be FQDN or CN field must be an email address are displayed.
Symptoms:
The CSR (Certificate Signing Request) is rejected, after it is generated in the firewall and pasted in the private or public CA server such as rapidssl.com, thwate.com, alphassl.com, globalsign.com, etc. Error messages such as CN field must be FQDN and CN field must be an e-mail address are displayed.

By design, the firewall's CSR contains multiple fields as CN.
When the firewall generates the certificate, it has the following fields as CN:
  1. Serial number
  2. IP address
  3. Email address
  4. FQDN
Solution:
Depending on the CA server policies, it may or may not be able to select the right CN value; so it rejects the CSR request sent by the firewall. To avoid such a scenario, the following command can be executed in the firewall:
set pki x509 raw-cn enable
Then the certificate is generated.

The raw-cn option excludes the 'cn=rsa-key' and 'cn=serial number' from the certificate request. The value entered as the certificate name, when the CSR is created, is selected as it's CN.

Therefore, if the CA is not able to handle the request when the serial number is used in one of the fields as CN, then it is advised to use the raw-cn option.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search