Related Documentation
- J Series
- Understanding Certificates and PKI
- Example: Manually Generating a CSR for the Local Certificate and Sending it to the CA Server
- SRX Series
- Understanding Certificates and PKI
- Example: Manually Generating a CSR for the Local Certificate and Sending it to the CA Server
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices
Understanding Local Certificate Requests
When you create a local certificate request, the device generates a CA certificate in PKCS #10 format from a key pair you previously generated using the same certificate ID.
A subject name is associated with the local certificate request in the form of a common name (CN), organizational unit (OU), organization (O), locality (L), state (ST), country (C), and domain component (DC). Additionally, a subject alternative name is associated in the following form:
- IP address
- E-mail address
- Fully qualified domain name (FQDN)
Note: Some CAs do not support an e-mail address as the domain name in a certificate. If you do not include an e-mail address in the local certificate request, you cannot use an e-mail address as the local IKE ID when configuring the device as a dynamic peer. Instead, you can use a fully qualified domain name (if it is in the local certificate), or you can leave the local ID field empty. If you do not specify a local ID for a dynamic peer, enter the hostname.domain-name of that peer on the device at the other end of the IPsec tunnel in the peer ID field.
Related Documentation
- J Series
- Understanding Certificates and PKI
- Example: Manually Generating a CSR for the Local Certificate and Sending it to the CA Server
- SRX Series
- Understanding Certificates and PKI
- Example: Manually Generating a CSR for the Local Certificate and Sending it to the CA Server
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices
