Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

auto-re-enrollment (Security)

Syntax

Hierarchy Level

Description

Configure the automatic reenrollment of a local end-entity (EE) certificate. Auto-reenrollment requests that the issuing CA replace a device certificate before its specified expiration date.

Options

certificate-id

Auto reenrollment configuration for certificate ID.
acme-key-id Specify the ACME account key identifier.
ca-profile-name

Specify the name of the certificate authority (CA) profile to be used for automatic reenrollment. The CA certificate must be present to initiate reenrollment.
challenge-password

Specify the password used by the certificate authority (CA) for enrollment and revocation. If the CA does not provide the challenge password, choose your own password.
re-enroll-trigger-time-percentage

Specify the certificate reenrollment trigger as a percentage of the end-entity (EE) certificate’s lifetime that remains before certificate reenrollment is initiated. For example, if the renewal request is to be sent when the certificate's remaining lifetime is 10 percent, then configure 10 for re-enroll-trigger-time-percentage value. The time at which the certificate reenrollment is initiated is based on the certificate expiry date.

  • Range: 1 through 99
re-enroll-time

This option allows you to trigger auto-re-enrollment ahead of the certificate expiration. You can configure the re-enrollment trigger time in days, or hours, or percentage.

  • days value—Specify when to trigger re-enrollment in days.
  • hours value—Specify when to trigger re-enrollment in hours.
  • percentage value—Specify when to trigger re-enrollment in percentage. Range: 1 to 99.

If you configure both re-enroll-trigger-time-percentage and re-enroll-time options, then re-enroll-time configuration take precedence.

Starting Junos OS Release 23.1R1, you must configure either re-enroll-trigger-time-percentage or re-enroll-time for the commit check to be successful.
re-generate-keypair

Specify new key pair generation for automatic certificate reenrollment. If this statement is not configured, the current key pair is used. If the key pair does not change, the CA does not issue new certificates. We recommend that a new key pair be generated during reenrollment as it provides better security.
scep-digest-algorithm

SCEP digest algorithm.

  • Values:

    • md5—Use MD5 as SCEP digest algorithm

    • sha1—Use SHA1 as SCEP digest algorithm
scep-encryption-algorithm

SCEP encryption algorithm.

  • Values:

    • des—Use DES as SCEP encryption algorithm

    • des3—Use DES3 as SCEP encryption algorithm
cmpv2

Configure automatic reenrollment of a local certificate using CMPv2.
scep

Configure automatic reenrollment of a local certificate using Simple Certificate Enrollment Protocol (SCEP).
acme

You can configure the ACME auto re-enrollment.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement modified in Junos OS Release 9.0. cmpv2 and scep options added in Junos OS Release 15.1X49-D40.

Support for re-enroll-time (days value| hours value| percentage value) option added in Junos OS Release 21.4R1.

The acme optioin added in Junos OS Release 22.4R1.

Related Documentation