When you create a local certificate request, the
device generates a CA certificate in PKCS-10 format from a key pair
you previously generated using the same certificate ID.
A subject name is associated with the local certificate
request in the form of a common name (CN), organizational unit (OU),
organization (O), locality (L), state (ST), country (C), and domain
component (DC). Additionally, a subject alternative name is associated
in the following form:
IP address
E-mail address
Fully qualified domain name (FQDN)
Note:
Some CAs do not support an e-mail address as the
domain name in a certificate. If you do not include an e-mail address
in the local certificate request, you cannot use an e-mail address
as the local IKE ID when configuring the device as a dynamic peer.
Instead, you can use a fully qualified domain name (if it is in the
local certificate), or you can leave the local ID field empty. If
you do not specify a local ID for a dynamic peer, enter the hostname.domain-name of that peer on the device at
the other end of the IPsec tunnel in the peer ID field.
To generate a certificate request using the certificate
ID (ca-ipsec) of a public-private key pair you previously
generated and specifying the domain name juniper.net and
the associated common name abc, enter the following command:
Copy the generated certificate request and paste
it into the appropriate field at the CA website to obtain a local
certificate. Refer to the CA server documentation to determine where
to paste the certificate-request.
When PKCS-10 content is displayed, the SHA-1 hash
and MD5 hash of the PKCS-10 file is also displayed. For more information
on the certificate, such as the bit length of the key pair, use the
command show security pki certificate-request described in
the JUNOS Software CLI Reference.
