
Forum Discussion

adv
Aspirant
Mar 28, 2022

ProSafe SRX5308 Certificate creation

I want to install a new certificate on my SRX5308.  The first step is just to create and install the certificate authority (root certificate) and I have spent several hours in the router's interface trying to simply do that.  I checked the manual and it is absolutely useless, giving only vague, general instructions with no specific settings or step-by-step instructions.  I've tried probably 100 different methods/settings and searched the Net for answers.  I've found the following things I THINK are true:

1. The best I can use is SHA1 with 2048.  The "Generate Self Certificate Request" section of the interface only offers:

   -Hash: MD5 or SHA1 (yes, I know SHA1 is deprecated)

   -Algorithm: RSA

   -Key Length: 512, 1024, or 2048

2. The system doesn't support the "ST" (state/province) field in certificates.  This seems odd and, of course, this very random, specific quirk is not mentioned anywhere in the manual.  I found one link that still worked in a KB article about "Using certificates as authentication method for box to box VPN connection" that included "Note 1: NETGEAR does not support ST relative distinguished (state/province) name so please edit the openssl.cnf file (in the original location and in your new CA folder) to avoid using this parameter."

I have the last firmware available, v4.3.5-3.  I've created a few different certificate authorities using openssl on a Linux box.  I've created root CA pairs, intermediate pairs, private keys, certificate signing requests ad nauseam.  Did that with modern methods (SHA2 +) and then with the older SHA1 / 2048 method.  I am using .pem files and not sure if it requires another format???  There is no mention in the manual, it just has vague directions like "Download a digital certificate file from a trusted CA and store it on your computer."  None of the root certificate files will upload.  I tried some chained files that I found described in (good) instructions for other platforms: root + intermediate certificates, private key + root certificate, private key + root certificate + intermediate certificate, etc. but nothing worked.

When I select a certificate file in the interface and click "Upload" the interface crashes and goes to a corrupted login screen.  It shows two copies of the normal login screen.  The top one says "While loading the page critical error encountered."  In between there is text of "Set-Cookie: TeamF1Login=cW5kUWpmeFM3TTBOMFNRYWFGMzUwQT09Ojo6OmJvYmE%3D; expires=Wednesday, 31-Dec-1969 23:59:59 GMT".  The bottom shows the regular login screen graphics and I can log in.

There was a previous Trusted Certificate, request, and certificate on it but no idea from where they came.  And I had to delete those to try to upload the new ones so no help there.

I first created a certificate authority using openssl; the config file and create commands are below.  I'm using SHA1 and have commented out the "stateOrProvinceName" lines so they don't get put into the certificate.  Does anyone see anything that looks wrong?

5308.cnf

# OpenSSL root CA configuration file.
# Copy to `/root/5308ca/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /root/5308ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/5308ca.key.pem
certificate       = $dir/certs/5308ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/5308ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated but 5308 requires it.
default_md        = sha1

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 7500
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
# stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
# stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated but 5308 requires it.
default_md          = sha1

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
# stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = US
# stateOrProvinceName_default     = XX
localityName_default            = X
0.organizationName_default      = Abc
organizationalUnitName_default  = IT
emailAddress_default            = x@gmail.com

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

And I used this command to create the root cert after I created the root key:

openssl req -config openssl.cnf -key private/5308ca.key.pem -new -x509 -days 7500 -sha1 -extensions v3_ca -out certs/5308ca.cert.pem

Questions:

1. Can I load the .pem file onto this device or is there some other format that is required?

2. Do I have to chain anything together or just use the root key?

3. Can I create a server certificate directly off the root certificate or is an intermediate certificate required?  This is the only place this root certificate will be used and it isn't security critical (it is only SHA-1 anyway).

I am hoping there are a few of you out there who used these and might remember the tricks.  Thanks.
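As an added example (not code from the original post and not NETGEAR's own procedure), the script below builds a root CA under the constraints listed above (RSA 2048, SHA-1 signature, no ST field anywhere in the subject), issues a server certificate directly from that root rather than via an intermediate, converts the root to DER as an alternative upload format, and checks each of those properties with openssl before anything is uploaded to the router. Everything in it is constructed: the CA name, the DN values, the file names and the `router` hostname are made up, and it assumes an OpenSSL 1.1.1 or later binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a SHA-1 / RSA-2048 root CA
# with no stateOrProvinceName, issues a server cert straight from it, and
# verifies the result. All names and DN values below are constructed.
set -eu

# Minimal openssl.cnf with no ST entry anywhere (the SRX5308 quirk above).
ca_write_config() {
  dir=$1
  cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
default_bits        = 2048
distinguished_name  = dn
prompt              = no
string_mask         = utf8only
x509_extensions     = v3_ca

[ dn ]
# Constructed values; deliberately no ST line.
C  = US
L  = X
O  = Abc
OU = IT
CN = 5308 Root CA

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign

[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
EOF
}

# Root key and self-signed root certificate. -sha1 is the router's constraint,
# not a recommendation; some distributions (e.g. RHEL 9 crypto policies)
# refuse SHA-1 signatures unless explicitly re-enabled.
ca_make_root() {
  dir=$1
  ca_write_config "$dir"
  openssl genrsa -out "$dir/5308ca.key.pem" 2048 2>/dev/null
  openssl req -config "$dir/openssl.cnf" -key "$dir/5308ca.key.pem" \
    -new -x509 -days 7500 -sha1 -out "$dir/5308ca.cert.pem"
}

# Server key + CSR, signed directly by the root (no intermediate).
ca_issue_server() {
  dir=$1; host=$2
  openssl genrsa -out "$dir/$host.key.pem" 2048 2>/dev/null
  openssl req -config "$dir/openssl.cnf" -new -key "$dir/$host.key.pem" \
    -subj "/C=US/O=Abc/CN=$host" -sha1 -out "$dir/$host.csr.pem"
  openssl x509 -req -in "$dir/$host.csr.pem" -CA "$dir/5308ca.cert.pem" \
    -CAkey "$dir/5308ca.key.pem" -CAcreateserial -days 825 -sha1 \
    -extfile "$dir/openssl.cnf" -extensions server_cert \
    -out "$dir/$host.cert.pem" 2>/dev/null
}

# Inspection helpers: each prints or returns one checkable fact.
ca_sig_alg() {   # e.g. sha1WithRSAEncryption
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
ca_key_bits() {  # e.g. 2048
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
ca_subject_has_st() {  # exit 0 only if the subject carries an ST attribute
  openssl x509 -in "$1" -noout -subject | grep -Eq '(^|[/, ])ST *='
}
ca_is_ca() {     # exit 0 if basicConstraints says CA:TRUE
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
ca_verify_chain() {  # root then leaf; -auth_level 0 so SHA-1 is not rejected
  openssl verify -auth_level 0 -CAfile "$1" "$2" >/dev/null
}
ca_to_der() {    # PEM -> DER, the other common upload format
  openssl x509 -in "$1" -outform DER -out "$2"
}

# End-to-end demonstration; pass an empty working directory.
ca_demo() {
  dir=$1
  ca_make_root "$dir"
  ca_issue_server "$dir" router
  ca_to_der "$dir/5308ca.cert.pem" "$dir/5308ca.cert.der"
  printf 'root sig alg:  %s\n' "$(ca_sig_alg "$dir/5308ca.cert.pem")"
  printf 'root key bits: %s\n' "$(ca_key_bits "$dir/5308ca.cert.pem")"
  ca_is_ca "$dir/5308ca.cert.pem" && echo 'root is a CA (ok)'
  ca_subject_has_st "$dir/5308ca.cert.pem" && echo 'subject has ST (bad)' || echo 'subject has no ST (ok)'
  ca_verify_chain "$dir/5308ca.cert.pem" "$dir/router.cert.pem" && echo 'server cert chains to root (ok)'
}
```

Run it with `ca_demo "$(mktemp -d)"` after sourcing the file. The checks are the point: before blaming the router's upload handler, confirm the file really is SHA-1, really is 2048-bit, really carries `CA:TRUE`, and really has no `ST` in its subject, and try the DER form as well as PEM. The `-auth_level 0` on `openssl verify` is only there so a deliberately SHA-1 chain is not rejected on strength grounds during this local check; it says nothing about how the router itself validates the file.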

1 Reply

  • Is there anyone out there who can help me with this?  Even some hints?
