Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


request security certificate enroll (Signed)



(Encryption interface on M Series and T Series routers and EX Series switches only) Obtain a signed certificate from a certificate authority (CA). The signed certificate validates the CA and the owner of the certificate. The results are saved in a specified file to the /var/etc/ikecert directory.


For FIPS mode, the digital security certificates must be compliant with the National Institute of Standards and Technology (NIST) SP 800-131A standard. The request security key-pair command is deprecated and not available with Junos in FIPS mode because it generates RSA and DSA keys with sizes of 512 and 1024 bits that are not compliant with the NIST SP 800-131A standard.


filename filename

File that stores the certificate.

subject subject

Distinguished name (dn), which consists of a set of components—for example, an organization (o), an organization unit (ou), a country (c), and a locality (l).

alternative-subject alternative-subject

Tunnel source address.

certification-authority certification-authority

Name of the certificate authority profile in the configuration.

encoding (binary | pem)

File format used for the certificate. The format can be a binary file or privacy-enhanced mail (PEM), an ASCII base64-encoded format. The default format is binary.

key-file key-file

File containing a local private key.

domain-name domain-name

Fully qualified domain name.

Required Privilege Level


Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

request security certificate enroll filename subject alternative-subject certification-authority key-file domain-name (Signed)

Release Information

Command introduced before Junos OS Release 7.4.