
request security pki local-certificate enroll scep

 

Syntax

Release Information

Command introduced in Junos OS Release 9.1. Serial number (SN) option added to the subject string output field in Junos OS Release 12.1X45. scep keyword and ipv6-address option added in Junos OS Release 15.1X49-D40.

Starting in Junos OS Release 20.1R1 on vSRX 3.0, you can safeguard the private keys used by PKID and IKED with the Microsoft Azure Key Vault hardware security module (HSM) service. You can establish a PKI-based VPN tunnel using the key pairs generated at the HSM.

Note

When you clear the local certificates with the run clear security pki local-certificate all and run clear security pki key-pair all commands, you receive the warning "Key pair deleted successfully but still present at HSM. Please delete the keypair from HSM before re-using the name."

Starting in Junos OS Release 20.4R1 on vSRX 3.0, you can safeguard the private keys used by PKID and IKED with AWS Key Management Service (KMS). You can establish a PKI-based VPN tunnel using the key pairs generated by the KMS.

Description

Enroll and install a local digital certificate online by using Simple Certificate Enrollment Protocol (SCEP).

If you enter the request security pki local-certificate enroll command without specifying the scep or cmpv2 keyword, SCEP is the default method for enrolling a local certificate.

Options

ca-profile ca-profile-name
    CA profile name.

certificate-id certificate-id-name
    Name of the local digital certificate and the public/private key pair.

challenge-password password
    Password set by the administrator and normally obtained from the SCEP enrollment webpage of the CA. The password can be up to 256 characters long; you can enforce a shorter limit if your CA requires one.

digest (sha-1 | sha-256)
    Hash algorithm used for signing RSA certificates, either SHA-1 or SHA-256. SHA-1 is the default.

domain-name domain-name
    Fully qualified domain name (FQDN). The FQDN provides the identity of the certificate owner for Internet Key Exchange (IKE) negotiations and provides an alternative to the subject name.

email email-address
    E-mail address of the certificate holder.

ip-address ip-address
    IP address of the router.

ipv6-address ipv6-address
    IPv6 address of the router for the alternate subject.

scep-digest-algorithm (md5 | sha-1)
    Hash algorithm digest, either MD5 or SHA-1; SHA-1 is the default.

scep-encryption-algorithm (des | des3)
    Encryption algorithm, either DES or DES3; DES3 is the default.

subject subject-distinguished-name
    Distinguished Name (DN) format that contains the domain component, common name, department, serial number, company name, state, and country, in the following order: DC, CN, OU, O, SN, L, ST, C.

    • DC—Domain component

    • CN—Common name

    • OU—Organizational unit name

    • O—Organization name

    • SN—Serial number of the device

      If you define SN in the subject field without a serial number, the serial number is read directly from the device and added to the certificate signing request (CSR).

    • ST—State

    • C—Country
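To show how the options above fit together, here is an added helper (example code, not Juniper's) that composes the enrollment command from a dictionary of the documented options, checks the subject DN against the documented attribute order (allowing an empty SN=), enforces the 256-character challenge-password limit, and flags the legacy algorithm choices (md5, des, sha-1). Treating those as legacy is this example's own policy, not something the page states.

```python
import re

# Subject attributes in the order this command documents them: DC, CN, OU, O, SN, L, ST, C
SUBJECT_ORDER = ["DC", "CN", "OU", "O", "SN", "L", "ST", "C"]
# Option names from the page, in the order used by the page's own sample command
OPTION_ORDER = ["certificate-id", "ca-profile", "domain-name", "subject", "challenge-password",
                "email", "ip-address", "ipv6-address", "digest",
                "scep-digest-algorithm", "scep-encryption-algorithm"]
# (legacy choice, stronger alternative) per option; flagging these is this example's own policy
LEGACY = {"digest": ("sha-1", "sha-256"),
          "scep-digest-algorithm": ("md5", "sha-1"),
          "scep-encryption-algorithm": ("des", "des3")}
MAX_CHALLENGE_PASSWORD = 256  # limit stated on the page

def parse_subject(subject):
    """Split 'CN=router3,OU=Engineering,...' into ordered (attr, value) pairs.
    Unknown or out-of-order attributes are rejected; an empty value such as 'SN='
    is allowed, since the device then inserts its own serial number into the CSR."""
    pairs = []
    for part in subject.split(","):
        m = re.fullmatch(r"\s*([A-Za-z]+)=(.*?)\s*", part)
        if not m or m.group(1).upper() not in SUBJECT_ORDER:
            raise ValueError(f"unsupported subject attribute: {part!r}")
        pairs.append((m.group(1).upper(), m.group(2)))
    positions = [SUBJECT_ORDER.index(attr) for attr, _ in pairs]
    if positions != sorted(positions):
        raise ValueError("subject attributes must follow the order " + ", ".join(SUBJECT_ORDER))
    return pairs

def build_enroll_command(opts):
    """Return (command_line, warnings) for a dict mapping option name -> value."""
    for required in ("certificate-id", "ca-profile"):
        if required not in opts:
            raise ValueError(f"missing option {required}")
    unknown = set(opts) - set(OPTION_ORDER)
    if unknown:
        raise ValueError(f"unknown options: {sorted(unknown)}")
    if len(opts.get("challenge-password", "")) > MAX_CHALLENGE_PASSWORD:
        raise ValueError("challenge-password exceeds 256 characters")
    if "subject" in opts:
        parse_subject(opts["subject"])  # raises on a malformed DN
    warnings = [f"{opt} {weak} is a legacy choice; prefer {better}"
                for opt, (weak, better) in LEGACY.items() if opts.get(opt) == weak]
    words = ["request security pki local-certificate enroll scep"]
    for opt in OPTION_ORDER:  # fixed order keeps the output reproducible
        if opt in opts:
            val = opts[opt]
            words.append(f'{opt} "{val}"' if re.search(r"[\s,]", val) else f"{opt} {val}")
    return " ".join(words), warnings
```

Run with the values from the page's sample command and the helper reproduces that command line with no warnings.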

Required Privilege Level

maintenance and security

Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

user@host> request security pki local-certificate enroll scep certificate-id r3-entrust-scep ca-profile entrust domain-name router3.example.net subject "CN=router3,OU=Engineering,O=example,C=US" challenge-password 123

Sample output for vSRX 3.0

user@host> request security pki generate-key-pair certificate-id example
user@host> request security pki local-certificate enroll certificate-id ?