Example: Generating a Local Certificate Request Manually (CLI)

When you create a local certificate request, the device generates a CA certificate in PKCS #10 format from a key pair you previously generated using the same certificate ID.

Before you begin:

  1. Generate a public and private key. See Example: Generating a Public-Private Key Pair (CLI).
  2. Create a CA profile. See Understanding Certificate Authority Profiles.

A subject name is associated with the local certificate request in the form of a common name (CN), organizational unit (OU), organization (O), locality (L), state (ST), country (C), and domain component (DC). Additionally, a subject alternative name is associated in the following form:

To generate a certificate request using the certificate ID (ca-ipsec) of a public-private key pair you previously generated and specifying the domain name juniper.net and the associated common name abc:

  1. Enter the following command:
    user@host> request security pki generate-certificate-request certificate-id ca-ipsec domain-name juniper.net subject CN=abc

    The following certificate request is displayed in PEM format.

    Generated certificate request
    -----BEGIN CERTIFICATE REQUEST-----
    MIHxMIGcAgEAMA4xDDAKBgNVBAMTA2htMTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
    QQCbhaiWzmctH0ZDldCn+mSNM62kyiSgc4cmN68U/j9El09/DgGoMNy2y+RYA1xU
    sr4B0NedGrZZJx5L1sIYjHr/AgMBAAGgKTAnBgkqhkiG9w0BCQ4xGjAYMBYGA1Ud
    EQQPMA2CC2p1bmlwZXIubmV0MA0GCSqGSIb3DQEBBQUAA0EAleLR6Hp2ity8Dugs
    MW4HI6SxfwMc2eYM5Nj2UhwpEEpsce77dUBZriKdehAgli7vwNsHGIuhHjEaFzfO
    hpM3tA==
    -----END CERTIFICATE REQUEST-----
    Fingerprint:
    9e:d5:7d:44:e8:e7:b6:d7:4b:58:d4:4e:2b:fb:c6:b2:4b:b7:8b:82 (sha1)
    b0:8d:c7:6d:41:d5:58:61:dc:a0:3e:4e:d6:39:02:d7 (md5)
    
  2. Copy the generated certificate request and paste it into the appropriate field at the CA website to obtain a local certificate. Refer to the CA server documentation to determine where to paste the certificate request.

    When PKCS #10 content is displayed, the MD5 hash and SHA-1 hash of the PKCS #10 file are also displayed. For more information on the certificate, such as the bit length of the key pair, use the command show security pki certificate-request described in the Junos OS CLI Reference.
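
Before pasting a request into the CA website, it is worth confirming on a workstation what the request actually asks for. The following Python sketch is an added example, not Juniper code and not run on the device: it decodes a PEM request with a minimal DER walker (the function names are assumptions of this example) and reports the common name, the subject alternative DNS names, and the RSA key size, using the sample request shown in step 1 as input.

```python
import base64
# Sample request as displayed in the CLI output on this page.
SAMPLE_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIHxMIGcAgEAMA4xDDAKBgNVBAMTA2htMTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
QQCbhaiWzmctH0ZDldCn+mSNM62kyiSgc4cmN68U/j9El09/DgGoMNy2y+RYA1xU
sr4B0NedGrZZJx5L1sIYjHr/AgMBAAGgKTAnBgkqhkiG9w0BCQ4xGjAYMBYGA1Ud
EQQPMA2CC2p1bmlwZXIubmV0MA0GCSqGSIb3DQEBBQUAA0EAleLR6Hp2ity8Dugs
MW4HI6SxfwMc2eYM5Nj2UhwpEEpsce77dUBZriKdehAgli7vwNsHGIuhHjEaFzfO
hpM3tA==
-----END CERTIFICATE REQUEST-----"""
OID_CN = bytes.fromhex("550403")               # 2.5.4.3 commonName
OID_SAN = bytes.fromhex("551d11")              # 2.5.29.17 subjectAltName
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def pem_to_der(pem):
    body = "".join(s.strip() for s in pem.splitlines() if "-----" not in s)
    return base64.b64decode(body, validate=True)  # rejects non-base64 characters

def tlvs(buf):
    """Yield (tag, value) for every DER element, descending into constructed ones."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits count the length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        if tag & 0x20:  # constructed: SEQUENCE, SET, [0] attributes
            yield from tlvs(buf[i:i + n])
        i += n

def summarize_csr(pem):
    """Return common name, SAN dNSName entries and RSA modulus size of a PKCS #10 request."""
    items = list(tlvs(pem_to_der(pem)))
    out, rsa = {"cn": None, "dns": [], "rsa_bits": None}, False
    for (tag, val), (ntag, nval) in zip(items, items[1:] + [(0, b"")]):
        if tag == 0x06 and val == OID_CN and out["cn"] is None:
            out["cn"] = nval.decode("utf-8", "replace")
        elif tag == 0x06 and val == OID_SAN and ntag == 0x04:
            # extnValue is an OCTET STRING wrapping GeneralNames; [2] is dNSName
            out["dns"] = [v.decode("ascii", "replace") for t, v in tlvs(nval) if t == 0x82]
        elif tag == 0x06 and val == OID_RSA:
            rsa = True
        elif tag == 0x03 and rsa and out["rsa_bits"] is None:
            # BIT STRING: skip the unused-bits octet, then RSAPublicKey { n, e }
            n = [v for t, v in tlvs(val[1:]) if t == 0x02][0]
            out["rsa_bits"] = int.from_bytes(n, "big").bit_length()
    return out
```

For the sample request, `summarize_csr(SAMPLE_PEM)` reports the common name hm1, the DNS name juniper.net, and a 512-bit RSA key.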
