
request security pki local-certificate enroll scep

Syntax

Release Information

Command introduced in Junos OS Release 9.1. Serial number (SN) option added to the subject string output field in Junos OS Release 12.1X45. scep keyword and ipv6-address option added in Junos OS Release 15.1X49-D40.

Starting in Junos OS Release 20.1R1 on vSRX Virtual Firewall 3.0, you can safeguard the private keys used by PKID and IKED with the Microsoft Azure Key Vault hardware security module (HSM) service. You can establish a PKI-based VPN tunnel using the key pairs generated at the HSM. The hub certificate-id option under certificate-id is not available for configuration after the HSM key pair has been generated.

Starting in Junos OS Release 20.4R1 on vSRX Virtual Firewall 3.0, you can safeguard the private keys used by PKID and IKED with AWS Key Management Service (KMS). You can establish a PKI-based VPN tunnel using the key pairs generated by the KMS. The hub certificate-id option under certificate-id is not available for configuration after the PKI key pair has been generated.

Starting in Junos OS Release 22.4R2, the logical-system option is added to this command for PKI SCEP certificate enrollment.

Description

Enroll and install a local digital certificate online by using Simple Certificate Enrollment Protocol (SCEP).

If you enter the request security pki local-certificate enroll command without specifying the scep or cmpv2 keyword, SCEP is the default method for enrolling a local certificate.

Options

ca-profile ca-profile-name

CA profile name.

certificate-id certificate-id-name

Name of the local digital certificate and the public/private key pair.

challenge-password password

Password set by the administrator and normally obtained from the SCEP enrollment webpage of the CA. The password can be at most 256 characters long; you can restrict it further to the characters your CA requires.

digest (sha-1 | sha-256)

Hash algorithm used for signing RSA certificates, either SHA-1 or SHA-256. SHA-1 is the default.

domain-name domain-name

Fully qualified domain name (FQDN). The FQDN provides the identity of the certificate owner for Internet Key Exchange (IKE) negotiations and provides an alternative to the subject name.

email email-address

E-mail address of the certificate holder.

ip-address ip-address

IP address of the router.

ipv6-address ipv6-address

IPv6 address of the router for the alternate subject.

logical-system (logical-system-name | all)

Name of the logical system, or all for every logical system. This option is optional.

scep-digest-algorithm (md5 | sha-1)

Hash algorithm digest, either MD5 or SHA-1; SHA-1 is the default.

scep-encryption-algorithm (des | des3)

Encryption algorithm, either DES or DES3; DES3 is the default.

subject subject-distinguished-name

Distinguished Name (DN) that contains the domain component, common name, department, serial number, company name, state, and country, in the following order: DC, CN, OU, O, SN, L, ST, C.

  • DC—Domain component

  • CN—Common name

  • OU—Organizational unit name

  • O—Organization name

  • SN—Serial number of the device

    If you define SN in the subject field without the serial number, then the serial number is read directly from the device and added to the certificate signing request (CSR).

  • ST—State

  • C—Country
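The following is an added example, not Juniper's code: a small Python pre-check that applies the option semantics documented above (the subject DN attribute order, the empty-SN rule, the 256-character challenge-password limit, and the algorithm defaults) to a planned enrollment before it is typed into the CLI. The function names, the findings text, and the sample option values are assumptions of this example; the option names and attribute order come from this page.

```python
"""Pre-check a planned `request security pki local-certificate enroll scep`
invocation. Example code; option names and DN order follow the Junos page."""

# Subject DN attribute order as documented for this command.
DN_ORDER = ["DC", "CN", "OU", "O", "SN", "L", "ST", "C"]
MAX_CHALLENGE_LEN = 256


def parse_subject(subject):
    """Split 'CN=fw1,OU=ops,O=Example,SN=,C=US' into (attr, value) pairs.

    Raises ValueError for an attribute the command does not document."""
    pairs = []
    for part in subject.split(","):
        attr, sep, value = part.partition("=")
        attr = attr.strip().upper()
        if not sep or attr not in DN_ORDER:
            raise ValueError(f"unsupported subject attribute: {part!r}")
        pairs.append((attr, value.strip()))
    return pairs


def check_enrollment(opts):
    """Return a list of findings for a dict of enrollment options.

    Defaults mirror the page: digest sha-1, scep-digest-algorithm sha-1,
    scep-encryption-algorithm des3."""
    findings = []
    dn = parse_subject(opts["subject"])
    # An SN attribute with no value means the device serial number is
    # read from the device and added to the CSR.
    if any(a == "SN" and v == "" for a, v in dn):
        findings.append("SN empty: device serial number will be added to the CSR")
    order = [DN_ORDER.index(a) for a, _ in dn]
    if order != sorted(order):
        findings.append("subject attributes not in documented order DC,CN,OU,O,SN,L,ST,C")
    if opts.get("digest", "sha-1") == "sha-1":
        findings.append("digest sha-1 (default): sha-256 is the stronger option offered")
    if opts.get("scep-digest-algorithm", "sha-1") == "md5":
        findings.append("scep-digest-algorithm md5: sha-1 is the stronger option offered")
    if opts.get("scep-encryption-algorithm", "des3") == "des":
        findings.append("scep-encryption-algorithm des: des3 is the stronger option offered")
    if len(opts.get("challenge-password", "")) > MAX_CHALLENGE_LEN:
        findings.append(f"challenge-password longer than {MAX_CHALLENGE_LEN} characters")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    sample = {"subject": "CN=fw1,OU=ops,O=Example,SN=,ST=CA,C=US", "digest": "sha-256"}
    for line in check_enrollment(sample):
        print("-", line)
```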

Required Privilege Level

maintenance and security

Output Fields

When you enter this command, you are provided feedback on the status of your request.

Sample Output

Sample output for vSRX Virtual Firewall 3.0