name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters,
which can include only letters, digits, and hyphen (-).
signature: Specifies a key pair for signing.
name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters,
which can include only letters, digits, and hyphen (-).
general: Specifies a key pair for both signing and encryption.
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters, which can
include only letters, digits, and hyphen (-).
length key-length: Specifies the key length in bits. In non-FIPS mode, the key length is in the range of 512
to 2048 and defaults to 1024. In FIPS mode, the key length is fixed to 2048. A longer key means higher
security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following
ways:
• Use the public-key local create command to generate a key pair.
• An application triggers to generate a key pair
• Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithms (DSA, ECDSA, or RSA).
If DSA or ECDSA is used, a PKI domain can have only one key pair. If RSA is used, a PKI domain can
have two key pairs: one is the signing key pair, and the other is the encryption one. In a PKI domain, key
pairs for different purposes (RSA signing and RSA encryption) do not overwrite each other. For DSA or
ECDSA, the most recent configuration takes effect.
If you specify a signing key pair and an encryption key pair separately, their key length can be different.
The specified length is effective on only a key pair to be generated. If the device already has a key pair
or a key pair is contained in an imported certificate, using this command to specify the key length for the
key pair does not take effect.
Examples
# Specify the RSA key pair abc with the purpose general and key length 1024 bits for certificate request.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa general name abc length 1024
# Specify the RSA encryption key pair rsa1 with the key length 512 bits, and the RSA signing key pair
sig1 with the key length 512 bits for certificate request.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 512
[Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 512
221
To Next Page
Loading...
