request security pki local-certificate re-enroll scep



Release Information

Command introduced in Junos OS Release 15.1X49-D60.


Manually reenroll an end-entity (EE) certificate with Simple Certificate Enrollment Protocol (SCEP). This command lets the administrator initiate renewal of the EE certificate using SCEP. It can be used in conjunction with the automatic enrollment configuration set security pki auto-re-enrollment scep.

Starting in Junos OS Release 20.1R1 on vSRX 3.0, you can safeguard the private keys used by PKID and IKED to establish a PKI-based VPN tunnel by using key pairs generated at the Microsoft Azure Key Vault hardware security module (HSM) service. Starting in Junos OS Release 20.4R1 on vSRX 3.0, the same feature is supported through AWS Key Management Service (KMS).

You cannot manually re-enroll the local certificates with the re-generate-keypair option. An error message is displayed.

Warning message upon re-enrollment - sample output:


certificate-id certificate-id-name: Name of the local digital certificate.
ca-profile-name ca-profile-name: (Optional) CA profile name.
challenge-password password: Password set by the administrator and normally obtained from the SCEP enrollment webpage of the CA. The password is 16 characters in length.
re-generate-keypair: (Optional) Generate a PKI public/private key pair for the EE certificate. Key generation might take a few seconds.
scep-digest-algorithm: (Optional) Hash algorithm digest, either MD5 or SHA-1; SHA-1 is the default.
scep-encryption-algorithm: (Optional) Encryption algorithm, either DES or DES3; DES3 is the default.

Required Privilege Level

maintenance and security

Output Fields

This command produces no output.