Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


request security pki node-local generate-key-pair



Generate a public key infrastructure (PKI) public/private key pair for a local digital certificate on the local node in a Multinode High Availability setup.


certificate-id certificate-id-name

Name of the local digital certificate and the public/private key pair.


Key pair size. The key pair size can be 256, 384, 521, 1024, 2048, or 4096 bits.

Key size compatibility

  • ECDSA-256, 384, and 521

  • DSA and RSA - 1024, 2048, or 4096. The default key pair size is 1024 for DSA and 2048 for RSA.

When you use ECDSA-521 signatures, you can:

  • Load a complete certificate, which is generated using an external tool like OpenSSL into PKI.

  • Manually generate a Certificate Signing Request (CSR) for a local certificate and sending the CSR to a (Certificate Authority) CA server to enroll.

  • Automatic enroll with CA server.


The algorithm to be used for encrypting the public/private key pair:

  • ecdsa—ECDSA encryption

  • dsa— DSA encryption

  • rsa—RSA encryption (default)

Required Privilege Level


Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

request security pki generate-key-pair

Release Information

Command introduced in Junos OS Release 22.3R1.