request security pki local-certificate enroll scep
Command introduced in Junos OS Release 9.1. Serial number (SN) option added to the subject string output field in Junos OS Release 12.1X45. scep keyword and ipv6-address option added in Junos OS Release 15.1X49-D40.
Starting in Junos OS Release 20.1R1 on vSRX 3.0, you can safeguard the private keys used by PKID and IKED with the Microsoft Azure Key Vault hardware security module (HSM) service, and establish a PKI-based VPN tunnel using key pairs generated at the HSM.
When you clear the local certificates with the run clear security pki local-certificate all and run clear security pki key-pair all commands, you receive the warning "Key pair deleted successfully but still present at HSM. Please delete the keypair from HSM before re-using the name." Clearing the local key pair does not remove the key from the HSM; delete it there before reusing the certificate ID.
Starting in Junos OS Release 20.4R1 on vSRX 3.0, you can safeguard the private keys used by PKID and IKED with AWS Key Management Service (KMS), and establish a PKI-based VPN tunnel using key pairs generated by the KMS.
Enroll and install a local digital certificate online by using Simple Certificate Enrollment Protocol (SCEP).
If you enter the request security pki local-certificate enroll command without specifying the scep or cmpv2 keyword, SCEP is the default method for enrolling a local certificate.
OU—Organizational unit name
SN—Serial number of the device
If you include SN in the subject string without a value, the serial number is read directly from the device and added to the certificate signing request (CSR).
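The subject string handed to this command is a comma-separated list of attribute=value pairs, with SN as the one attribute that may be given without a value. The following is an added example, not Junos code or Junos documentation: a small parser that validates such a subject string and fills in SN from a (constructed) device serial when it is given bare, which is the behaviour the text above describes. The accepted attribute set, the rejection of an empty SN= value, and the sample serial numbers are assumptions made for the example.

```python
"""Parse and validate a Junos-style certificate subject string.

Added example; not part of Junos OS or its documentation. It models the
documented rule that an `SN` attribute supplied without a value is filled
in from the device serial number before the CSR is built.
"""
from __future__ import annotations

# Assumed set of attributes accepted in the subject string. The page itself
# names OU and SN; the remainder are the usual X.500 DN attribute keywords.
ALLOWED_ATTRIBUTES = {"CN", "OU", "O", "L", "ST", "C", "DC", "SN"}


class SubjectError(ValueError):
    """Raised when the subject string is malformed."""


def parse_subject(subject: str, device_serial: str) -> list[tuple[str, str]]:
    """Return the subject as an ordered list of (attribute, value) pairs.

    A bare `SN` (no '=') is replaced by `device_serial`, mirroring the
    documented behaviour. Any other bare attribute is an error, as is an
    attribute with an explicit but empty value such as `SN=` (design choice
    for this example: an empty value is almost always a typo, not intent).
    """
    attrs: list[tuple[str, str]] = []
    for raw in subject.split(","):
        part = raw.strip()
        if not part:
            raise SubjectError("empty attribute in subject string")
        if "=" in part:
            key, _, value = part.partition("=")
            key, value = key.strip().upper(), value.strip()
            if not value:
                raise SubjectError(f"attribute {key} has an empty value")
        else:
            key, value = part.upper(), None
        if key not in ALLOWED_ATTRIBUTES:
            raise SubjectError(f"unsupported attribute {key}")
        if value is None:
            if key != "SN":
                raise SubjectError(f"attribute {key} requires a value")
            # Bare SN: the device supplies its own serial number.
            value = device_serial
        attrs.append((key, value))
    if not any(k == "CN" for k, _ in attrs):
        raise SubjectError("subject must contain a CN")
    return attrs


def format_subject(attrs: list[tuple[str, str]]) -> str:
    """Render the parsed attributes back into the comma-separated form."""
    return ",".join(f"{key}={value}" for key, value in attrs)


def subject_error(subject: str, device_serial: str) -> str | None:
    """Return the validation error message for `subject`, or None if valid."""
    try:
        parse_subject(subject, device_serial)
    except SubjectError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample inputs; the serial number is invented for the example.
    SERIAL = "JN0123456789"
    for candidate in (
        "CN=router3,OU=Engineering,O=example,C=US",
        "CN=router3,OU=Engineering,O=example,C=US,SN",
        "CN=router3,SN=",
        "CN=router3,OU",
    ):
        err = subject_error(candidate, SERIAL)
        if err is None:
            print(format_subject(parse_subject(candidate, SERIAL)))
        else:
            print(f"{candidate!r}: rejected ({err})")
```

Run it and the second candidate expands to `...,C=US,SN=JN0123456789`, while `SN=` and a bare `OU` are rejected. The same check is useful before issuing the enroll command, since a malformed subject is otherwise only reported through the pkid log.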
Required Privilege Level
maintenance and security
When you enter this command, you are provided feedback on the status of your request.
user@host> request security pki local-certificate enroll scep certificate-id r3-entrust-scep ca-profile entrust domain-name router3.example.net subject "CN=router3,OU=Engineering,O=example,C=US" challenge-password 123
Certificate enrollment has started. To view the status of your enrollment, check the public key infrastructure log (pkid) log file at /var/log/pkid. Please save the challenge-password for revoking this certificate in future. Note that this password is not stored on the router.
Sample output for vSRX 3.0
user@host> request security pki generate-key-pair certificate-id example
Generated key pair example, key size 2048 bits
user@host> request security pki local-certificate enroll certificate-id ?
Possible completions:
  <certificate-id>     Certificate identifier
  example