H3C MSR Series Command Reference Manual page 523
Comware 7 security
Hide thumbs
Also See for MSR Series:
- Command reference manual (174 pages) ,
- Configuration manual (80 pages) ,
- Manual (33 pages)
Table of Contents
Advertisement
public-key ecdsa name key-name [ secp256r1 | secp384r1 ]
undo public-key
Default
No key pair is specified for certificate request.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters.
The key pair name can contain only letters, digits, and hyphens (-).
secp192r1: Uses the secp192r1 curve to generate the key pair. The secp192r1 curve is used by
default in non-FIPS mode.
secp256r1: Uses the secp256r1 curve to generate the key pair. The secp256r1 curve is used by
default in FIPS mode.
secp384r1: Uses the secp384r1 curve to generate the key pair.
Usage guidelines
You can specify a nonexistent key pair for a PKI domain.
A key pair can be obtained in any of the following ways:
•
Use the public-key local create command to generate a key pair.
•
An application, like IKE using digital signature authentication, triggers the device to generate a
key pair.
•
Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, or
RSA).
•
If DSA or ECDSA is used, a PKI domain can have only one key pair. If you configure a DSA or
ECDSA key pair multiple times, the most recent configuration takes effect.
•
If RSA is used, a PKI domain can have two key pairs of different purposes: one is the signing
key pair, and the other is the encryption key pair. If you configure an RSA signing key pair or
RSA encryption key pair multiple times, the most recent configuration takes effect. The RSA
signing key pair and encryption key pair do not overwrite each other.
The specified elliptic curve takes effect only if you specify a nonexistent key pair. The device will
automatically create the key pair by using the specified name and curve before submitting a
certificate request. The curve parameter is ignored if the specified key pair already exists or is
already contained in an imported certificate.
Examples
# Specify 384-bit ECDSA key pair abc for certificate request in PKI domain aaa.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key ecdsa name abc secp384r1
Related commands
pki import
public-key local create (see Security Command Reference)
500
Advertisement
Table of Contents
