Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

clear security pki local-certificate (Device)

Syntax

Description

Clear public key infrastructure (PKI) information for local digital certificates on the device.

Options

  • all—Clear information for all the local digital certificates on the device.

    You cannot clear the automatically generated self-signed certificate using clear security pki local-certificate all command. To clear the self-signed certificate you need to use system-generated as an option.

  • certificate-id certificate-id —Clear the specified local digital certificate with this certificate ID.

  • system-generated—Clear the existing automatically generated self-signed certificate and generate a new self-signed certificate.

Required Privilege Level

clear and security

Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

clear security pki local-certificate all

Sample Output

clear security pki local-certificate system-generated

Release Information

Command modified in Junos OS Release 9.1.

Starting in Junos OS Release 20.1R1 on vSRX Virtual Firewall 3.0, you can safeguard the private keys used by PKID and IKED using Microsoft Azure Key Vault hardware security module (HSM) service. You can establish a PKI based VPN tunnel using the keypairs generated at the HSM. The hub certificate-id option under certificate-id is not available for configuration after generating HSM key-pair.

Starting in Junos OS Release 20.4R1 on vSRX Virtual Firewall 3.0, you can safeguard the private keys used by PKID and IKED using AWS Key Management Service (KMS). You can establish a PKI based VPN tunnel using the keypairs generated by the KMS. The hub certificate-id option under certificate-id is not available for configuration after generating PKI key-pair.

Note:

You cannot manually re-enroll the local certificates when you re-generate key-pairs, if you are not generating key-pairs during re-enrollment. A warning HSM does not support auto re-enrollment with new keypair error: configuration check-out failed is displayed in the output of the show security pki auto-re-enrollment command.

Also, when you clear the local certificates using the run clear security pki local-certificate all and run clear security pki key-pair all commands you will receive a warning Key pair deleted successfully but still present at HSM. Please purge the keypair from keyvault before re-using the name.