Example: Generating a Local Certificate Request Manually (CLI)
When you create a local certificate request, the device generates the request in PKCS #10 format from a key pair you previously generated using the same certificate ID.
Before you begin:
- Generate a public and private key. See Example: Generating a Public-Private Key Pair (CLI).
- Create a CA profile. See Understanding Certificate Authority Profiles.
A subject name is associated with the local certificate request in the form of a common name (CN), organizational unit (OU), organization (O), locality (L), state (ST), country (C), and domain component (DC). Additionally, a subject alternative name is associated in the following form:
- IP address
- E-mail address
- Fully qualified domain name (FQDN)

Note: Some CAs do not support an e-mail address as the domain name in a certificate. If you do not include an e-mail address in the local certificate request, you cannot use an e-mail address as the local IKE ID when configuring the device as a dynamic peer. Instead, you can use a fully qualified domain name (if it is in the local certificate), or you can leave the local ID field empty. If you do not specify a local ID for a dynamic peer, enter the hostname.domain-name of that peer on the device at the other end of the IPsec tunnel in the peer ID field.
To generate a certificate request using the certificate ID (ca-ipsec) of a public-private key pair you previously generated and specifying the domain name juniper.net and the associated common name abc:
- Enter the following command:
    user@host> request security pki generate-certificate-request certificate-id ca-ipsec domain-name juniper.net subject CN=abc
The following certificate request is displayed in PEM format.
    Generated certificate request
    -----BEGIN CERTIFICATE REQUEST-----
    MIHxMIGcAgEAMA4xDDAKBgNVBAMTA2htMTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
    QQCbhaiWzmctH0ZDldCn+mSNM62kyiSgc4cmN68U/j9El09/DgGoMNy2y+RYA1xU
    sr4B0NedGrZZJx5L1sIYjHr/AgMBAAGgKTAnBgkqhkiG9w0BCQ4xGjAYMBYGA1Ud
    EQQPMA2CC2p1bmlwZXIubmV0MA0GCSqGSIb3DQEBBQUAA0EAleLR6Hp2ity8Dugs
    MW4HI6SxfwMc2eYM5Nj2UhwpEEpsce77dUBZriKdehAgli7vwNsHGIuhHjEaFzfO
    hpM3tA==
    -----END CERTIFICATE REQUEST-----
    Fingerprint:
    9e:d5:7d:44:e8:e7:b6:d7:4b:58:d4:4e:2b:fb:c6:b2:4b:b7:8b:82 (sha1)
    b0:8d:c7:6d:41:d5:58:61:dc:a0:3e:4e:d6:39:02:d7 (md5)
- Copy the generated certificate request and paste it into the appropriate field at the CA website to obtain a local certificate. Refer to the CA server documentation to determine where to paste the certificate request.
When PKCS #10 content is displayed, the MD5 and SHA-1 hashes of the PKCS #10 file are also displayed. For more information on the certificate, such as the bit length of the key pair, use the command show security pki certificate-request described in the Junos OS CLI Reference.
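Before pasting the request into the CA form, it is worth decoding it offline to confirm that the common name and subject alternative names are the ones you intended. The following is an added example, not Juniper code: a standard-library Python check whose function names are illustrative, which assumes definite-length DER and reports only the three subject alternative name forms listed above.

```python
import base64, ipaddress, re
# Sample request copied from the CLI output shown on this page.
CLI_OUTPUT = """-----BEGIN CERTIFICATE REQUEST-----
MIHxMIGcAgEAMA4xDDAKBgNVBAMTA2htMTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
QQCbhaiWzmctH0ZDldCn+mSNM62kyiSgc4cmN68U/j9El09/DgGoMNy2y+RYA1xU
sr4B0NedGrZZJx5L1sIYjHr/AgMBAAGgKTAnBgkqhkiG9w0BCQ4xGjAYMBYGA1Ud
EQQPMA2CC2p1bmlwZXIubmV0MA0GCSqGSIb3DQEBBQUAA0EAleLR6Hp2ity8Dugs
MW4HI6SxfwMc2eYM5Nj2UhwpEEpsce77dUBZriKdehAgli7vwNsHGIuhHjEaFzfO
hpM3tA==
-----END CERTIFICATE REQUEST-----"""

OID_CN, OID_SAN = bytes.fromhex("550403"), bytes.fromhex("551d11")  # 2.5.4.3, 2.5.29.17
SAN_KINDS = {0x81: "email", 0x82: "dns", 0x87: "ip"}  # GeneralName context tags

def csr_der(text):
    """Extract the PEM block from pasted CLI output and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.+?)-----END CERTIFICATE REQUEST-----", text, re.S)
    if m is None:
        raise ValueError("no PKCS #10 PEM block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def tlvs(buf):
    """Yield (tag, value) for every DER element, depth first."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        value, i = buf[i:i + length], i + length
        yield tag, value
        if tag & 0x20:  # constructed element: descend into its contents
            yield from tlvs(value)

def summarize(der):
    """Return (common_name, [(kind, value), ...]) found in the request."""
    cn, sans, prev = None, [], None
    for tag, value in tlvs(der):
        if prev == OID_CN and cn is None:
            cn = value.decode("utf-8")
        elif prev == OID_SAN and tag == 0x04:  # extension value is an OCTET STRING
            for t, v in tlvs(value):
                if t in SAN_KINDS:
                    text = str(ipaddress.ip_address(v)) if t == 0x87 else v.decode("ascii")
                    sans.append((SAN_KINDS[t], text))
        if tag != 0x01:  # keep the OID across an optional "critical" BOOLEAN
            prev = value if tag == 0x06 else None
    return cn, sans

print(summarize(csr_der(CLI_OUTPUT)))
```

Run against the sample output on this page, the check reports a dNSName of juniper.net and a common name of hm1 rather than the abc given in the command, which is the kind of mismatch to catch before submitting a request to the CA.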
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Digital Certificates Configuration Overview
- Example: Loading CA and Local Certificates Manually (CLI)
- Example: Reenrolling Local Certificates Automatically (CLI)
- Example: Verifying Certificate Validity (CLI)
- Example: Checking Certificate Validity Using CRLs (CLI)