
auto-re-enrollment (Security)


Hierarchy Level


Configure the automatic reenrollment of a local end-entity (EE) certificate. Auto-reenrollment requests that the issuing CA replace a device certificate before its specified expiration date.



Auto reenrollment configuration for certificate ID.

acme-key-id Specify the ACME account key identifier.

Specify the name of the certificate authority (CA) profile to be used for automatic reenrollment. The CA certificate must be present to initiate reenrollment.


Specify the password used by the certificate authority (CA) for enrollment and revocation. If the CA does not provide the challenge password, choose your own password.


Specify the certificate reenrollment trigger as a percentage of the end-entity (EE) certificate’s lifetime that remains before certificate reenrollment is initiated. For example, if the renewal request is to be sent when the certificate's remaining lifetime is 10 percent, configure 10 as the re-enroll-trigger-time-percentage value. The time at which certificate reenrollment is initiated is calculated from the certificate expiry date.

  • Range: 1 through 99


This option allows you to trigger auto-re-enrollment ahead of the certificate expiration. You can configure the re-enrollment trigger time in days, or hours, or percentage.

  • days value—Specify when to trigger re-enrollment in days.
  • hours value—Specify when to trigger re-enrollment in hours.
  • percentage value—Specify when to trigger re-enrollment as a percentage. Range: 1 to 99.

If you configure both the re-enroll-trigger-time-percentage and re-enroll-time options, the re-enroll-time configuration takes precedence.

Starting in Junos OS Release 23.1R1, you must configure either re-enroll-trigger-time-percentage or re-enroll-time for the commit check to be successful.
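The trigger rules above can be checked against a certificate's validity window before committing a value. The following Python sketch is an added example, not Juniper code: the function name, the (unit, value) tuple and the sample dates are hypothetical, and it assumes that days and hours values are counted back from the certificate expiry date.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample validity window (notBefore / notAfter), 365 days long.
NOT_BEFORE = datetime(2025, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2026, 1, 1, tzinfo=timezone.utc)


def reenroll_trigger(not_before, not_after, trigger_pct=None, reenroll_time=None):
    """Return the time at which auto-re-enrollment would be initiated.

    trigger_pct   -- value of re-enroll-trigger-time-percentage (1 through 99)
    reenroll_time -- value of re-enroll-time as (unit, value), where unit is
                     "days", "hours" or "percentage" (hypothetical encoding)
    """
    if not_after <= not_before:
        raise ValueError("certificate validity window is empty")
    lifetime = not_after - not_before

    def pct_lead(pct):
        # Percentage of the certificate lifetime that remains at trigger time.
        if not 1 <= pct <= 99:
            raise ValueError("percentage must be in the range 1 through 99")
        return lifetime * pct / 100

    if reenroll_time is not None:
        # re-enroll-time takes precedence when both options are configured.
        unit, value = reenroll_time
        if unit == "days":
            lead = timedelta(days=value)
        elif unit == "hours":
            lead = timedelta(hours=value)
        elif unit == "percentage":
            lead = pct_lead(value)
        else:
            raise ValueError(f"unknown re-enroll-time unit: {unit}")
    elif trigger_pct is not None:
        lead = pct_lead(trigger_pct)
    else:
        # Mirrors the commit check described for Junos OS Release 23.1R1.
        raise ValueError("configure re-enroll-trigger-time-percentage or re-enroll-time")

    if lead >= lifetime:
        raise ValueError("trigger lead time is not shorter than the certificate lifetime")
    # The trigger is computed back from the certificate expiry date.
    return not_after - lead


if __name__ == "__main__":
    print(reenroll_trigger(NOT_BEFORE, NOT_AFTER, trigger_pct=10))
    print(reenroll_trigger(NOT_BEFORE, NOT_AFTER, trigger_pct=10, reenroll_time=("days", 30)))
```

Comparing the returned time with how long the issuing CA typically takes to respond shows whether a chosen value leaves enough margin before the certificate expires.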


Specify new key pair generation for automatic certificate reenrollment. If this statement is not configured, the current key pair is used. If the key pair does not change, the CA does not issue new certificates. We recommend that a new key pair be generated during reenrollment as it provides better security.


SCEP digest algorithm.

  • Values:

    • md5—Use MD5 as SCEP digest algorithm

    • sha1—Use SHA1 as SCEP digest algorithm


SCEP encryption algorithm.

  • Values:

    • des—Use DES as SCEP encryption algorithm

    • des3—Use DES3 as SCEP encryption algorithm


Configure automatic reenrollment of a local certificate using CMPv2.


Configure automatic reenrollment of a local certificate using Simple Certificate Enrollment Protocol (SCEP).


You can configure ACME auto re-enrollment.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 9.0. cmpv2 and scep options added in Junos OS Release 15.1X49-D40.

Support for re-enroll-time (days value| hours value| percentage value) option added in Junos OS Release 21.4R1.

The acme option added in Junos OS Release 22.4R1.