Tuesday, October 19, 2010

ScreenOS Certificates

I installed a publicly trusted SSL certificate on a Netscreen today, and it was a little tricky to get the CA (Comodo) to accept the CSR generated from the Netscreen's web interface. The problem is that, by default, ScreenOS builds the subject DN out of every identity it has been given (a numeric device identifier, the FQDN, a phone number, the key name, the admin e-mail address, and so on) and emits each of them as a separate CN= attribute. A public CA expects exactly one CN, holding the domain name the certificate is for, and rejects the request otherwise. You can see the DN the box will use with get pki x509 dn:
XYZ-SSG140-Cluster:Hostname-XYZ-ACT(M)-> get pki x509 dn
Hostname-XYZ-ACT's X509 Distinguish Name:
CN=0165072008070226
CN=domain.example.org
CN=0044 20 1234 5678
CN=rsa-key
CN=admin@example.org
CN=Root
C =GB
O =Example Company Ltd
The fix is to enable raw CN mode, which tells the Netscreen to put only the configured FQDN (set pki x509 cert-fqdn) into the CN attribute:
set pki x509 raw-cn enable
Now get pki x509 dn shows a single CN:
XYZ-SSG140-Cluster:Hostname-XYZ-ACT(M)-> get pki x509 dn
Note: *** Raw CN mode enabled ***
CN=domain.example.org
C =GB
O =Example Company Ltd
So to recap, the full set of commands to generate the key pair and CSR is:
set pki x509 raw-cn enable
set pki x509 dn country-name "GB"
set pki x509 dn org-name "Example Company Ltd"
set pki x509 dn org-unit-name "Testing"
set pki x509 dn email "admin@example.org"
set pki x509 cert-fqdn domain.example.org
exec pki rsa new-key 1024
The last command generates the key pair and prints the CSR, which looks something like the block below. Copy everything, including the BEGIN and END CERTIFICATE REQUEST lines, and submit that to your CA. One caveat for anyone following this today: public CAs no longer sign 1024-bit RSA keys (2048 bits has been the minimum since 2014), so use exec pki rsa new-key 2048 if your ScreenOS release offers it.

-----BEGIN CERTIFICATE REQUEST-----
MIIB0zjCCATsCAQAwZTENMAsGaA1UEChMESk5QUjEZMB
cGA1UEAxMQMDsA0MzAyMjAwMjAwMDE4NjEQMA4GA1UE
AxMHcnNhLWtleTEYMBYGA1UEAxMPd3d3Lmp1b
-----END CERTIFICATE REQUEST-----
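To catch a multi-CN subject before the CA does, here is an added example (my own code, not from the post and not a Juniper tool): a stdlib-only Python checker that walks the DER of a PKCS#10 CertificationRequest, lists the Subject attributes in order, and reports whether the CSR carries exactly one CN matching the FQDN you are ordering. The stub CSR builder and the two DN lists are constructed sample input (real Subject, placeholder key and signature, values taken from the get pki x509 dn output above) so the script runs offline; in practice you feed it the PEM copied from the firewall.

```python
"""Flag a CSR whose Subject carries more than one CN before it goes to a CA.

Added example, not from the original post. Pure-stdlib DER walker that pulls the
Subject Name out of a PKCS#10 CertificationRequest and lists its attributes.
"""
import base64
import re

# Attribute OIDs seen in a typical web-server CSR; anything else is shown dotted.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O",
             "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}


def _read_tlv(data, pos):
    """Decode the DER tag/length/value at data[pos]; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every TLV directly inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{lines}\n-----END CERTIFICATE REQUEST-----\n"


def subject_attributes(csr_der):
    """Return [(name, value), ...] from the CSR Subject in DER order, e.g. [("CN", "host"), ("C", "GB")]."""
    _, cert_req, _ = _read_tlv(csr_der, 0)          # CertificationRequest SEQUENCE
    _, cri, _ = _read_tlv(cert_req, 0)              # CertificationRequestInfo SEQUENCE
    _version, (_, name) = list(_children(cri))[:2]  # version INTEGER, then subject Name
    attrs = []
    for _, rdn in _children(name):                  # RelativeDistinguishedName SET
        for _, atv in _children(rdn):               # AttributeTypeAndValue SEQUENCE
            (_, oid_raw), (_, val_raw) = list(_children(atv))
            oid = _decode_oid(oid_raw)
            # PrintableString, UTF8String and IA5String values all decode as UTF-8 here
            attrs.append((OID_NAMES.get(oid, oid), val_raw.decode("utf-8", "replace")))
    return attrs


def common_names(csr_der):
    return [v for n, v in subject_attributes(csr_der) if n == "CN"]


def csr_has_single_cn(csr_der, expected_fqdn):
    """True only when the Subject holds exactly one CN and it is the FQDN being ordered."""
    return common_names(csr_der) == [expected_fqdn]


# --- constructed sample input (placeholder key and signature, parser exercise only) ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return out


def build_stub_csr(attrs):
    """Stub CSR: real Subject from [(oid, value)], empty SPKI/attributes, dummy signature."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(o)) + _tlv(0x0C, v.encode())))
                    for o, v in attrs)
    cri = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, rdns) + _tlv(0x30, b"") + _tlv(0xA0, b""))
    return _tlv(0x30, cri + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


# DN the Netscreen emitted before raw-cn mode, and after it (values from the post above).
NETSCREEN_DEFAULT_DN = [("2.5.4.3", "0165072008070226"), ("2.5.4.3", "domain.example.org"),
                        ("2.5.4.3", "0044 20 1234 5678"), ("2.5.4.3", "rsa-key"),
                        ("2.5.4.3", "admin@example.org"), ("2.5.4.3", "Root"),
                        ("2.5.4.6", "GB"), ("2.5.4.10", "Example Company Ltd")]
RAW_CN_DN = [("2.5.4.3", "domain.example.org"), ("2.5.4.6", "GB"), ("2.5.4.10", "Example Company Ltd")]

if __name__ == "__main__":
    for label, dn in (("default", NETSCREEN_DEFAULT_DN), ("raw-cn", RAW_CN_DN)):
        der = pem_to_der(der_to_pem(build_stub_csr(dn)))   # round-trip through PEM as a real CSR would arrive
        verdict = "OK" if csr_has_single_cn(der, "domain.example.org") else "REJECT: multiple or wrong CN"
        print(f"{label}: CN={common_names(der)} -> {verdict}")
```

On a real request, `subject_attributes(pem_to_der(open("csr.pem").read()))` gives the same list that `openssl req -in csr.pem -noout -subject` prints, but as data you can assert on in a provisioning script. The checker deliberately walks the DER rather than pattern-matching the text form, because a CA sees the encoded Name, and two CN attributes in one RDN SET look different from two RDNs in a textual dump.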
