Self-signed certificate enrollment

This certificate installation method may be used when a Certificate Authority is not available. A self-signed certificate provides the relying party no assurance of identity, so this is not as secure as using a CA-signed certificate. A self-signed certificate may be useful, but its use is not recommended.

A self-signed certificate many only be installed on the “default” TA-Profile, so the ta-profile-name parameter is not present in the command.

To enroll a local certificate in self-signed mode, the user must specify the subject information and key-size. The details specific to the certificate “subject” are obtained from id-profile if not specified here.


[no] crypto pki enroll-self-signed certificate-name <CERT-NAME> subject [common-name <CN-Value>] [org <Org-Value>][org-unit <Org-unit-value>] [locality <Location-Value>] [state <state-Value>][country <Country-Code>][valid-start <date>][valid-end <date>] [usage <openflow | web | all>] [key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>]


key-size [1024|2048]

The length of the key; default is 1024 bits.

usage [<openflow|web|all>]

Intended application for the certificate; the default is web. The openflow option is not supported for self-signed certificate enrollment.

Subject Fields

The following prompts appear if these required fields are not given as arguments.

Enter Common Name(CN) :
Enter Org Unit(OU) :
Enter Org Name(O) :
Enter Locality(L) : 
Enter State(ST) :
Enter Country(C) :