02-15-2010 09:32 AM
OpenSSL can be found at www.openssl.org - the primary site provides detailed documentation and also links to downloadable installs. If you want to run it under Windows you can either do a web search or here is a link to a directory off of the OpenSSL site that provides a Windows executable. http://www.openssl.org/related/binaries.html
The version I use runs from a Dos command box. I suppose there might be a graphical version out there somewhere.
As to how you use it - it depends on what you are trying to do with it.
02-19-2010 05:27 AM
I use XCA. it is a GUI based replacement for openSSL with a file-database. You can generate key, create certificate signing requests (CSR), build an own certificate authority (CA) and sign certificates, create certification revocation lists (CRL) for your CA and use templates for your certificates. All keys, CSR, certificates and can be im- and exported.
I use it for small PKIs and store my official certificates in the XCA database as well to keep all certificates in one place.
XCA runs on Windows and Linux and can be found at
01-25-2011 01:35 AM
How to create CSR to generate 2048 bits Certificate for SA 4000? I can not find any option to create CSR to generate 2048. Please tell me how can i solve this probleem?
Serial Number: 0153122006000079
Last Reboot: 487 days, 3 hours, 29 minutes, 44 seconds
Current version: 6.0R11 (build 14137)
Jafar Vahedi Nikbakht
01-25-2011 08:00 AM
That capability was added in a later release. Your are running 6.0. I don't have access to release notes right now but I think it was around 6.5 Check the release notes for that version.
01-26-2011 02:47 PM
First, you'll want to download openssl to generate the private key and certificate request. Once you have openssl downloaded, you can run the following command with information that pertains to your environment:
openssl req -new -nodes -subj "/C=US/ST=California/L=Sunnyvale/O=Juniper Networks/OU=TEST/CN=test.abc.com" -keyout private.txt -out certreq.txt -newkey rsa:2048
-subj is the DN information for your certificate request
-keyout is the name of the private key file
-out is the name of the certificate request file
-newkey rsa:2048 will create a 2048-bit RSA private key
Once you've submitted your request and received your public key from a CA, import the private key (private.txt) and the public key from the CA using the import certificate option in the administrator console.
01-30-2011 04:57 AM
I have an SA-4000 running 6.5R8...the latest and greatest and it does not give the ability to create a 2048-bit CSR. I also have an SA-2500 running the same code and the option is there. I can only guess since the SA-4000 is EOL, the 2048-bit isn't an option. Since these models are FIPS compliant, you also cannot go with the OpenSSL option many others are stating here.
From the Admin guide:
NOTE: This option is not available on FIPS platforms as importing private keys is not supported. On a FIPS system, you can only create a CSR and then import a signed certificate from the CSR.
01-30-2011 08:46 AM
Updated on the SA-4000. I installed 7.0R4 and it allows for 2048-bit CSR to generate certificates. I used for GoDaddy wildcard cert and it worked fine.
02-04-2011 02:38 PM
Thanks for the update, trjones. I did confirm this as well that it was resolved in 7.0R3 and 7.1R1 for SA-4000FIPS and SA-6000FIPS compliant models.