This guide shows you how to generate a CSR (Certificate Signing Request) on Juniper through the J-Web interface on a Junos SRX device. J-Web builds the CSR and stores the matching private key on the SRX itself, so the request must be generated on the same appliance that will serve the certificate. The flow below matches the J-Web pages shipped with current SRX releases (22.3 and later).
Which Juniper product are you on? The slug juniper historically covered the older Juniper SSL VPN family (Secure Access, then rebranded Pulse Secure, now sold as Ivanti Connect Secure). If your appliance is a Juniper SSL VPN, a Pulse Secure box, or an Ivanti Connect Secure unit, follow our how to generate a CSR on Pulse Secure tutorial instead. The instructions on this page apply to Junos SRX firewalls managed through J-Web.
Before you start
- Sign in to J-Web as a user with permission to manage certificates (typically the super-user or an admin class that includes security).
- Have the exact subject details ready: the fully qualified domain name (FQDN) clients will use, your legal organization name, the city, the state or province, and the two-letter ISO country code.
- Use only standard ASCII characters in every field; non-Latin letters break the request.
- List every hostname and IP address clients will reach in the Subject Alternative Name (SAN) field. Browsers and modern clients validate the hostname against the SAN, not the Common Name.
Generate the CSR on Juniper (J-Web SRX)
Step 1: Open the CSR screen
In J-Web, go to Device Administration > Certificate Management > Certificates. Click Create at the top right, then choose Device Certificate > CSR. The CSR form opens.
On older J-Web builds (Junos OS 19.2 through some 22.x releases) the same screen lives under Administration > Certificate Management > Device Certificates, and you start the request with the plus (+) icon followed by Generate Certificate Request. The fields below are the same in both layouts.
Step 2: Fill out the request
- Digital signature: choose RSA-2048 (the default) or RSA-4096 if your policy mandates a larger key, or ECDSA (P-256 or P-384) if your environment, CA, and clients all support it. Junos offers 2048- and 4096-bit RSA, not 3072.
- Name: a friendly label J-Web uses to identify this certificate entry, for example vpn-2026. The label never leaves the device.
- Subject (use accurate, legal information):
- Common name (CN): the primary FQDN, for example vpn.example.com. For a wildcard certificate, prefix the apex domain with an asterisk, for example *.example.com.
- Organization (O): the full legal name of your company, exactly as registered. Required for OV and EV certificates; ignored for Domain Validation orders.
- Country (C): the two-letter ISO code, for example US, GB, DE.
- State (ST): the full state or province name, for example Washington, not WA.
- Locality (L): the city where your organization is registered, written in full.
- Organizational Unit (OU): a department label such as IT. The CA/Browser Forum has phased out OU in public certificates, so leave it minimal or skip it where the form allows.
- Subject Alt Name (SAN): add every hostname or IP address clients will use to reach the appliance. This is the field browsers and modern TLS libraries actually check, so the CN must also appear here. J-Web exposes separate sub-fields for DNS names, IPv4 addresses, and IPv6 addresses; add one entry per name.
- Advanced > Digest: pick SHA-256. SHA-1 is no longer accepted by any public CA.
Click OK to generate. J-Web creates the key pair on the SRX and adds a certificate entry with status Pending Signing.
Step 3: Download the CSR
Back on the Certificates page, select the entry you just created, then download or view the CSR. The request is a PKCS #10 block that looks like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIC2zCCAcMCAQAwgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9u
... (many lines of base64) ...
-----END CERTIFICATE REQUEST-----
Copy the entire block, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into the CSR field on your certificate order form. Do not delete the pending entry on the SRX before the CA issues the certificate, or the private key goes with it and the issued certificate becomes unusable.
Before submitting, you can confirm the Common Name, SAN entries, and key size with SSL Dragon’s CSR decoder. This is a quick sanity check that catches typos in the FQDN or a missing SAN entry before the CA validates the request.
Generate the CSR on Junos SRX from the CLI
If you run Junos from the operational CLI rather than J-Web, the same request is produced in two commands. Pick a certificate ID (an arbitrary local label) and reuse it for both the key pair and the request:
request security pki generate-key-pair certificate-id vpn-2026 type rsa size 2048
request security pki generate-certificate-request certificate-id vpn-2026 \
subject "CN=vpn.example.com,O=Example Inc,L=Seattle,ST=Washington,C=US" \
domain-name vpn.example.com \
email [email protected] \
digest sha256 \
filename /var/tmp/vpn-2026.csr
Notes on the values:
- certificate-id is the local handle Junos uses to pair the key with the issued certificate when it comes back; keep the same value across both commands.
- type rsa size 2048 sets a 2048-bit RSA key. Use size 4096 for a larger key (Junos accepts 2048 or 4096 for RSA, not 3072), or type ecdsa size 256 (or 384) for an ECDSA key on supported releases.
- domain-name sets the DNS entry in the Subject Alternative Name; add ip-address or email for an IP or e-mail SAN. This command takes a single value for each, so it yields one DNS name (plus optionally one IP and one e-mail). For several DNS names on one certificate, use the J-Web form above, which accepts multiple SAN entries.
- digest sha256 signs the request with SHA-256. Include it explicitly: for RSA keys Junos defaults to SHA-1, which public CAs reject, so a request built without it is unusable. ECDSA keys already default to SHA-256.
- filename writes the PKCS #10 request to that path on the device. Retrieve it with SCP, then copy the block into your order form. Replace the path with terminal to print the request to the screen instead.
When the CA returns the signed certificate, load it into the same certificate ID and the SRX pairs it with the waiting private key:
request security pki local-certificate load certificate-id vpn-2026 filename /var/tmp/vpn-2026.crt
Submit the CSR to your Certificate Authority
Paste the CSR into the order form during enrollment, then complete the validation steps the CA asks for (DNS, HTTP, or email validation for DV; document checks for OV and EV). The CA emails back the signed certificate together with the intermediate CA chain. With the certificate in hand, continue with the how to install an SSL certificate on Juniper tutorial to import it into the SRX (or the Juniper SSL VPN, if that is what you are running).
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


