Self-signed certificate enrollment

This certificate installation method may be used when a Certificate Authority is not available. A self-signed certificate provides the relying party no assurance of identity, so this is not as secure as using a CA-signed certificate. A self-signed certificate may be useful, but its use is not recommended.

A self-signed certificate many only be installed on the “default” TA-Profile, so the ta-profile-name parameter is not present in the command.

To enroll a local certificate in self-signed mode, the user must specify the subject information and key-size. The details specific to the certificate “subject” are obtained from id-profile if not specified here.


[no] crypto pki enroll-self-signed certificate-name CERT-NAME [subject [command-name CN-Value] [org Org-Value] [org-unit Org-unit-value] [locality Location-Value] [state state-Value] [countryCountry-Code] [valid-start date valid-end date] [usage <openflow | web | all>][key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>]


key-size [1024|2048]

The length of the key; default is 1024 bits.

usage [<openflow|web|all>]

Intended application for the certificate; the default is web. The openflow option is not supported for self-signed certificate enrollment.

Subject Fields

The following prompts appear if these required fields are not given as arguments.

Enter Common Name(CN) :
Enter Org Unit(OU) :
Enter Org Name(O) :
Enter Locality(L) : 
Enter State(ST) :
Enter Country(C) :