Root-Certificate Fingerprint - HP FlexNetwork MSR Series Command Reference Manual
Comware 7 security
Hide thumbs
Also See for FlexNetwork MSR Series:
- Configuration manual (392 pages) ,
- Configuration manuals (159 pages)
Advertisement
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key
pair name can contain only letters, digits, and hyphens (-).
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to
2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher
security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following
ways:
•
Use the public-key local create command to generate a key pair.
•
An application, like IKE using digital signature authentication, triggers the device to generate a
key pair.
•
Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, or
RSA).
•
If DSA or ECDSA is used, a PKI domain can have only one key pair. If you configure a DSA or
ECDSA key pair multiple times, the most recent configuration takes effect.
•
If RSA is used, a PKI domain can have two key pairs of different purposes: one is the signing
key pair, and the other is the encryption key pair. If you configure an RSA signing key pair or
RSA encryption key pair multiple times, the most recent configuration takes effect. The RSA
signing key pair and encryption key pair do not overwrite each other.
If you specify a signing key pair and an encryption key pair separately, their key length can be
different.
The length key-length option takes effect only if you specify a nonexistent key pair. The device will
automatically create the key pair by using the specified name and length before submitting a
certificate request. The length key-length option is ignored if the specified key pair already exists or
is already contained in an imported certificate.
Examples
# Specify 2048-bit general purpose RSA key pair abc for certificate request.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa general name abc length 2048
# Specify the following 2048-bit RSA key pairs for certificate request:
•
RSA encryption key pair rsa1.
•
RSA signing key pair sig1.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 2048
[Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 2048
Related commands
pki import
public-key local create
root-certificate fingerprint
Use root-certificate fingerprint to set the fingerprint for verifying the root CA certificate.
Use undo root-certificate fingerprint to restore the default.
449
Advertisement
