
request security pki local-certificate generate-self-signed (Security)



Manually generate a self-signed certificate for the given distinguished name.


certificate-id certificate-id-name—Name of the certificate and the public/private key pair.

domain-name domain-name—Fully qualified domain name (FQDN). The FQDN provides the identity of the certificate owner for Internet Key Exchange (IKE) negotiations and provides an alternative to the subject name.

subject subject-distinguished-name—Distinguished name format contains the following information:

  • DC—Domain component

  • CN—Common name

  • OU—Organizational unit name

  • O—Organization name

  • L—Locality

  • ST—State

  • C—Country

add-ca-constraint—(Optional) Specifies that the certificate can be used to sign other certificates.

digest—(Optional) Hash algorithm used to sign the certificate.

  • sha1—SHA-1 digest (default)

  • sha256—SHA-256 digest

Starting in Junos OS Release 18.1R3, the default hash algorithm used for validating automatically and manually generated self-signed PKI certificates is Secure Hash Algorithm 256 (SHA-256). Prior to Junos OS Release 18.1R3, SHA-1 is used as the default hash algorithm.

email email-address—(Optional) E-mail address of the certificate holder.

ip-address ipv4-address—(Optional) Static IPv4 address of the device.

ipv6-address ipv6-address—(Optional) Static IPv6 address of the device.

Required Privilege Level

maintenance and security

Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

request security pki local-certificate generate-self-signed certificate-id self-cert subject cn=abc domain-name email

Release Information

Command introduced in Junos OS Release 9.1.

Support for digest option added in Junos OS Release 12.1X45-D10.

Support for ipv6-address option added in Junos OS Release 22.1R1.
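The following is an added example, not part of the Junos documentation or any Juniper tool: a small Python audit of generate-self-signed command lines (for instance from a runbook or automation script) that reports when the certificate would be signed with SHA-1, when add-ca-constraint is set, and when the subject uses a type not listed above. The function names, finding labels, sample commands, and the simplified release ordering are assumptions made for the illustration.

```python
import re
import shlex

PREFIX = "request security pki local-certificate generate-self-signed"
VALUE_OPTS = {"certificate-id", "domain-name", "subject", "digest",
              "email", "ip-address", "ipv6-address"}
DN_TYPES = {"DC", "CN", "OU", "O", "L", "ST", "C"}  # types listed on this page

def release_key(release):
    # Assumption: releases order by major, minor, R-number ("18.1R3" -> (18, 1, 3)).
    m = re.match(r"(\d+)\.(\d+)(?:R(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognized release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse(command):
    command = command.strip()
    if not command.startswith(PREFIX):
        raise ValueError("not a generate-self-signed command")
    tokens, opts, i = shlex.split(command[len(PREFIX):]), {}, 0
    while i < len(tokens):
        name = tokens[i]
        if name == "add-ca-constraint":          # flag, takes no value
            opts[name], i = True, i + 1
        elif name in VALUE_OPTS and i + 1 < len(tokens):
            opts[name], i = tokens[i + 1], i + 2
        else:
            raise ValueError(f"unknown option or missing value: {name!r}")
    return opts

def audit(command, release):
    opts, findings = parse(command), []
    digest = opts.get("digest")
    if digest is None:  # omitted: SHA-256 from 18.1R3 on, SHA-1 before
        digest = "sha256" if release_key(release) >= (18, 1, 3) else "sha1"
    if digest == "sha1":
        findings.append("sha1-signature")
    if opts.get("add-ca-constraint"):
        findings.append("ca-constraint")   # certificate can sign other certificates
    for rdn in filter(None, opts.get("subject", "").split(",")):
        attr = rdn.split("=", 1)[0].strip().upper()
        if attr not in DN_TYPES:           # naive split: no escaped commas
            findings.append(f"unknown-dn-type:{attr}")
    return findings

# Constructed sample command lines (not taken from the page).
BASE = PREFIX + " certificate-id self-cert domain-name www.example.com "
SAMPLES = [BASE + "subject cn=abc",
           BASE + 'subject "CN=abc,OU=lab,X=1" digest sha1 add-ca-constraint']

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(audit(cmd, "17.4R1"), audit(cmd, "22.1R1"))
```

A command that omits digest is reported only for releases before 18.1R3; adding digest sha256 explicitly makes the result independent of the release.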