Pulse Secure formerly SSL VPN
pkc
Contributor
Posts: 111
Registered: ‎09-24-2008
0

how to create CSR to generate 2048 bits certificate ?

Hi all,

I'd like to install a 2048-bit server certificate on my SA2000 running IVE OS 6.3R1.

It looks like the CSRs the device creates are systematically 1024 bits.

Is it possible to create a 2048-bit certificate directly via openssl on a Linux system?

Thanks.

Distinguished Expert
Posts: 2,400
Registered: ‎01-29-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

Have you checked the documentation on importing certs? You don't need to create a CSR first and then bring it in. You can just import a cert and the associated key. I am not in front of my box but there is a chapter called "Certificates" in the admin guide that walks you through it.

 

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Regular Visitor
Posts: 9
Registered: ‎08-27-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

Sure you can. Using OpenSSL, generate a key pair, get your public key signed by a CA (or use a self signed one), and go to "Configuration -> Certificates -> Device Certificates -> Import Certificate and Key" and import the key file and certificate file (these are stored separately).

 

The commands look something like this:

openssl genrsa -des3 -out "C:\temp\codesign.key" 2048
openssl req -new -key "C:\temp\codesign.key" -out "C:\temp\codesign.csr"

You can use codesign.csr to get a signed cert.

Hope this helps.

Srini

 

New User
Posts: 1
Registered: ‎06-10-2009
0

Re: how to create CSR to generate 2048 bits certificate ?

I have an SA4000-FIPS and the web interface defaults to generating certificate requests with key length 1024 bits. It does not appear to have a way to change it.

I tried srinix's advice but when I go to "Configuration -> Certificates -> Device Certificates ->" there is no "Import Certificate and Key" option. (That option appears only for code signing certs.)

System version 6.3R3 build 13881

Distinguished Expert
Posts: 2,400
Registered: ‎01-29-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

You can't import a certificate and a key from a non-FIPS compliant device. That is why you don't see the option.
Kevin Barker
New User
Posts: 1
Registered: ‎11-17-2009
0

Re: how to create CSR to generate 2048 bits certificate ?

I am confused. I have purchased a new Cert from GoDaddy.com. I want to import it into the SSL Gateway (SA-700), but I cannot since GoDaddy only works with 2048bit keys. Why can I not get a 2048-bit CSR generated?

Muttbarker, are you saying that I can NEVER get a cert for my device?

Trusted Contributor
Posts: 51
Registered: ‎06-17-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

Hi Scott,

What version are you running on your SA-700? I'm not sure which version Juniper added the feature, but in 6.5R1 you can select 1024 or 2048 bit for your CSR.

Regards,

Russ

Distinguished Expert
Posts: 2,400
Registered: ‎01-29-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

Scott - the previous thread had to do with bigger boxes running the FIPS enhanced security. Not sure I understand your question. Did you generate a CSR on the SA 700 and submit it to GoDaddy? I have not worked on the SA-700 in forever but when you generate a CSR you are supposed to have the option of selecting 1024 or 2048 bit CSR.

So where did your CSR that you submitted to Go Daddy originate from?

As far as I recall the SA 700 does not have any restrictions on generating and applying certs for the Device, only trusted server and code signing which require the core clientless license.

Kevin Barker
Juniper Employee
Posts: 52
Registered: ‎11-06-2007
0

Re: how to create CSR to generate 2048 bits certificate ?

It is now possible to generate RSA-2048 CSR from IVE OS 6.5R1: IVE 6.5 Whats New

Previous releases could only do RSA-1024 when generating the CSR on the device (New CSR).

Of course for keys above 1024, you still can generate the keypair / CSR externally (e.g. using openssl) and import the private key and certificates to the device from plain text files or from a pkcs12 container.

New User
Posts: 1
Registered: ‎02-14-2010
0

Re: how to create CSR to generate 2048 bits certificate ?

Hi,

Please can you explain how I can use OpenSSL and from where to download OpenSSL?

Distinguished Expert
Posts: 2,400
Registered: ‎01-29-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

OpenSSL can be found at www.openssl.org - the primary site provides detailed documentation and also links to downloadable installs. If you want to run it under Windows you can either do a web search or here is a link to a directory off of the OpenSSL site that provides a Windows executable. http://www.openssl.org/related/binaries.html

The version I use runs from a DOS command box. I suppose there might be a graphical version out there somewhere.

As to how you use it - it depends on what you are trying to do with it.

Kevin Barker
Contributor
Posts: 74
Registered: ‎04-03-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

Hi,

I use XCA. It is a GUI based replacement for openSSL with a file-database. You can generate keys, create certificate signing requests (CSR), build your own certificate authority (CA) and sign certificates, create certificate revocation lists (CRL) for your CA and use templates for your certificates. All keys, CSRs and certificates can be imported and exported.

I use it for small PKIs and store my official certificates in the XCA database as well to keep all certificates in one place.

XCA runs on Windows and Linux and can be found at

   http://xca.sourceforge.net/

- Steffen

New User
Posts: 2
Registered: ‎08-04-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

Hello Supportdesk,

How to create CSR to generate 2048 bits Certificate for SA 4000? I cannot find any option to create CSR to generate 2048. Please tell me how I can solve this problem?

Hardware Information:

Hostname:   toegang2
Model:  SA-4000
Serial Number:  0153122006000079
Last Reboot:  487 days, 3 hours, 29 minutes, 44 seconds
Current version:  6.0R11 (build 14137)

Regards,

Jafar Vahedi Nikbakht

Jafar.vahedinikbakht@getronics.com

Distinguished Expert
Posts: 2,400
Registered: ‎01-29-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

That capability was added in a later release. You are running 6.0. I don't have access to release notes right now but I think it was around 6.5. Check the release notes for that version.

Kevin Barker
Recognized Expert
Posts: 607
Registered: ‎12-23-2010
0

Re: how to create CSR to generate 2048 bits certificate ?

Hello RemoLodder,

First, you'll want to download openssl to generate the private key and certificate request. Once you have openssl downloaded, you can run the following command with information that pertains to your environment:

openssl req -new -nodes -subj "/C=US/ST=California/L=Sunnyvale/O=Juniper Networks/OU=TEST/CN=test.abc.com" -keyout private.txt -out certreq.txt -newkey rsa:2048

-subj is the DN information for your certificate request
-keyout is the name of the private key file
-out is the name of the certificate request file
-newkey rsa:2048 will create a 2048-bit RSA private key

Once you've submitted your request and received your public key from a CA, import the private key (private.txt) and the public key from the CA using the import certificate option in the administrator console.
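
Added example (not part of any post in this thread): shell checks to run on an externally generated request before sending it to the CA, and on the returned certificate before importing it with the key. It reuses the private.txt and certreq.txt names from the post above; the subject names, cert.txt, old.key, old.csr and the self-signed stand-in for the CA-issued certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example. All files created below are constructed test material.

# Print the key size in bits recorded in a PEM certificate request.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the PEM public key held by a private key, CSR or certificate.
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Exit 0 only when both files carry the same public key.
# Usage: same_pubkey key private.txt cert cert.txt
same_pubkey() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build constructed sample files in directory $1.
make_demo_files() {
    d=$1
    # -nodes writes private.txt unencrypted, so create it owner-only.
    ( umask 077
      openssl req -new -nodes -newkey rsa:2048 \
          -subj "/C=US/O=Example/CN=vpn.example.test" \
          -keyout "$d/private.txt" -out "$d/certreq.txt" &&
      # Self-signed stand-in for the certificate a CA would return.
      openssl x509 -req -in "$d/certreq.txt" -signkey "$d/private.txt" \
          -days 1 -out "$d/cert.txt" &&
      # A 1024-bit request, the size older IVE releases generate.
      openssl req -new -nodes -newkey rsa:1024 -subj "/CN=old.example.test" \
          -keyout "$d/old.key" -out "$d/old.csr"
    ) >/dev/null 2>&1
}
```

Run `csr_key_bits certreq.txt` before submitting the request, and `same_pubkey key private.txt cert <certificate file from the CA>` before importing the pair.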

Visitor
Posts: 1
Registered: ‎01-30-2011
0

Re: how to create CSR to generate 2048 bits certificate ?

I have an SA-4000 running 6.5R8...the latest and greatest and it does not give the ability to create a 2048-bit CSR. I also have an SA-2500 running the same code and the option is there. I can only guess since the SA-4000 is EOL, the 2048-bit isn't an option. Since these models are FIPS compliant, you also cannot go with the OpenSSL option many others are stating here.

From the Admin guide:

NOTE: This option is not available on FIPS platforms as importing private keys is not supported. On a FIPS system, you can only create a CSR and then import a signed certificate from the CSR.

Regular Visitor
Posts: 1
Registered: ‎02-18-2008
0

Re: how to create CSR to generate 2048 bits certificate ?

Updated on the SA-4000. I installed 7.0R4 and it allows for 2048-bit CSR to generate certificates. I used it for a GoDaddy wildcard cert and it worked fine.

Recognized Expert
Posts: 607
Registered: ‎12-23-2010
0

Re: how to create CSR to generate 2048 bits certificate ?

Thanks for the update, trjones.  I did confirm this as well that it was resolved in 7.0R3 and 7.1R1 for SA-4000FIPS and SA-6000FIPS compliant models.

DLP
New User
Posts: 1
Registered: ‎11-18-2013
0

Re: how to create CSR to generate 2048 bits certificate ?

I have the same issue and yes I do need to generate a CSR, per the CA.  

Moderator
Posts: 2,347
Registered: ‎11-19-2007
0

Re: how to create CSR to generate 2048 bits certificate ?

@DLP: what version are you using? What hardware are you using?