Hi Stefan,
ScreenOS by default is generating the DN with several CN fields as you specified (one of them is the serial number). This is not incorrect, but some CAs are rejecting it.
You can change this behavior with the following:
set pki x509 raw-cn enable
With the raw-cn option enabled, the "cn=rsa-key" and "cn=<serial number>" will be excluded from the DN.
Best regards,
Igor