Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


request security pki generate-key-pair (Security)



Generate a public key infrastructure (PKI) public/private key pair for a local digital certificate.


certificate-id certificate-id-name

Name of the local digital certificate and the public/private key pair.


Key pair size. The key pair size can be 256, 384, 521, 1024, 2048, or 4096 bits. Key pair sizes of 256, 384, and 521 bits are compatible with ECDSA. For Digital Signal Algorithm (DSA) and Rivest Shamir Adleman (RSA), algorithms the size must be 1024, 2048, or 4096. The default key pair size is 1024 for DSA and 2048 for RSA.

The following are supported when ECDSA-521 signatures are used:

  • Load a complete certificate, which is generated using an external tool like OpenSSL into PKI.

  • Manually generate a Certificate Signing Request (CSR) for a local certificate and sending the CSR to a (Certificate Authority) CA server to enroll.

  • Automatic enroll with CA server.


The algorithm to be used for encrypting the public/private key pair:

  • ecdsa—ECDSA encryption

  • dsa— DSA encryption

  • rsa—RSA encryption (default)

Required Privilege Level


Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

request security pki generate-key-pair

Release Information

Command introduced in Junos OS Release 11.1.

Options to support Elliptic Curve Digital Signature Algorithm (ECDSA) added in Junos OS Release 12.1X45-D10.

521 option to support ECDSA introduced in Junos OS Release 19.1R1 on SRX5000 line of devices with SRX5K-SPC3 card.