clear security pki local-certificate (Device)
Syntax
clear security pki local-certificate (all | certificate-id certificate-id | system-generated)
Description
Clear public key infrastructure (PKI) information for local digital certificates on the device.
Options
all
—Clear information for all the local digital certificates on the device. You cannot clear the automatically generated self-signed certificate using the clear security pki local-certificate all command. To clear the self-signed certificate, you need to use system-generated as an option.
certificate-id certificate-id
—Clear the specified local digital certificate with this certificate ID.
system-generated
—Clear the existing automatically generated self-signed certificate and generate a new self-signed certificate.
Required Privilege Level
clear and security
Output Fields
When you enter this command, you are provided feedback on the status of your request.
Sample Output
clear security pki local-certificate all
user@host> clear security pki local-certificate all
Sample Output
clear security pki local-certificate system-generated
user@host> clear security pki local-certificate system-generated
Release Information
Command modified in Junos OS Release 9.1.
Starting in Junos OS Release 20.1R1 on vSRX Virtual Firewall 3.0, you can safeguard the private keys used by PKID and IKED using the Microsoft Azure Key Vault hardware security module (HSM) service. You can establish a PKI-based VPN tunnel using the key pairs generated at the HSM. The hub certificate-id option under certificate-id is not available for configuration after generating an HSM key pair.
Starting in Junos OS Release 20.4R1 on vSRX Virtual Firewall 3.0, you can safeguard the private keys used by PKID and IKED using AWS Key Management Service (KMS). You can establish a PKI-based VPN tunnel using the key pairs generated by the KMS. The hub certificate-id option under certificate-id is not available for configuration after generating a PKI key pair.
You cannot manually re-enroll the local certificates when you regenerate key pairs if you are not generating key pairs during re-enrollment. The warning "HSM does not support auto re-enrollment with new keypair error: configuration check-out failed" is displayed in the output of the show security pki auto-re-enrollment command.
Also, when you clear the local certificates using the run clear security pki local-certificate all and run clear security pki key-pair all commands, you will receive the warning "Key pair deleted successfully but still present at HSM. Please purge the keypair from keyvault before re-using the name."