We seem to have a process in my company where we need to send a CSR to the PKI guys so that they can generate a .cer certificate. But if I tried to use this certificate (and a .pem version I created using the windows "certutil -encode" command) with the process you described, I get the same error message as what the previous guy had.
Is there no process for doing it via the CSR path (which means the device already have the private key) or is there the one process where everything to do with the certificate needs to be created outside and independent of the Juniper device?