Public-Key Rsa - H3C MSR Series Command Reference Manual
Comware 7 security
Hide thumbs
Also See for MSR Series:
- Command reference manual (174 pages) ,
- Configuration manual (80 pages) ,
- Manual (33 pages)
Table of Contents
Advertisement
public-key rsa
Use public-key rsa to specify an RSA key pair for certificate request.
Use undo public-key to restore the default.
Syntax
public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name
signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
undo public-key
Default
No key pair is specified for certificate request.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
encryption: Specifies a key pair for encryption.
name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64
characters. The key pair name can contain only letters, digits, and hyphens (-).
signature: Specifies a key pair for signing.
name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64
characters. The key pair name can contain only letters, digits, and hyphens (-).
general: Specifies a key pair for both signing and encryption.
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key
pair name can contain only letters, digits, and hyphens (-).
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to
2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher
security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following
ways:
•
Use the public-key local create command to generate a key pair.
•
An application, like IKE using digital signature authentication, triggers the device to generate a
key pair.
•
Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, or
RSA).
•
If DSA or ECDSA is used, a PKI domain can have only one key pair. If you configure a DSA or
ECDSA key pair multiple times, the most recent configuration takes effect.
•
If RSA is used, a PKI domain can have two key pairs of different purposes: one is the signing
key pair, and the other is the encryption key pair. If you configure an RSA signing key pair or
RSA encryption key pair multiple times, the most recent configuration takes effect. The RSA
signing key pair and encryption key pair do not overwrite each other.
If you specify a signing key pair and an encryption key pair separately, their key length can be
different.
501
Advertisement
Table of Contents
