Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


ca-profile (Security PKI)


Hierarchy Level


Configure certificate authority (CA) profile. The CA profile contains the name and URL of the CA or RA, as well as retry-timer settings.



Name of a trusted CA.

administrator email-address

Specify an administrator e-mail address to which the certificate request is sent. By default, there is no preset e-mail address.


Specify the certificate authority (CA) identity to use in requesting digital certificates. This name is typically the domain name of the CA.


Specify the enrollment parameters for a certificate authority (CA).

retry number

Number of automated attempts for online enrollment to be retried in case enrollment response is pending.

  • Range: 0 through 1080

  • Default: 10

retry-interval seconds

Time interval between the enrollment retries.

  • Range: 0 through 3600

  • Default: 900 seconds

url url-name

Enrollment URL where the Simple Certificate Enrollment Protocol (SCEP) or CMPv2 request is sent to the certification authority (CA) as configured in this profile. With SCEP, you enroll CA certificates with the request security pki ca-certificate enroll command and specify the CA profile. There is no separate command to enroll CA certificates with CMPv2. The IP address in the enrollment URL can be an IPv4 or an IPv6 address.


Use specified proxy server. If proxy profile is configured in CA profile, the device connects to the proxy host instead of the CA server while certificate enrollment, verification or revocation. The proxy host communicates with the CA server with the requests from the device, and then relay the response to the device.

Public key infrastructure (PKI) uses proxy profile configured at the system-level. The proxy profile being used in the CA profile must be configured at the [edit services proxy] hierarchy. There can be more than one proxy profile configured under [edit services proxy] hierarchy. Each CA profile is referred to the most one such proxy profile. You can configure host and port of the proxy profile at the [edit system services proxy] hierarchy.


Specify the method the device uses to verify the revocation status of digital certificates.


Specify the routing-instance to be used.


Specifies a source IPv4 or IPv6 address to be used instead of the IP address of the egress interface for communications with external servers. External servers are used for certificate enrollment and reenrollment using Simple Certificate Enrollment Protocol (SCEP) or Certificate Management Protocol version 2 (CMPv2), downloading certificate revocation lists (CRLs) using HTTP or LDAP, or checking certificate revocation status with Online Certificate Status Protocol (OCSP). If this option is not specified then the IP address of the egress interface is used as the source address.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 8.5. Support for ca-identity option is added in Junos OS Release 11.1. Support for ocsp and use-ocsp options added in Junos OS Release 12.1X46-D20.

Support for proxy-profile option is added in Junos OS Release 18.2R1.

Support for source-address is introduced in Junos OS Release 15.1X49-D60.