name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters, which can 
include only letters, digits, and hyphen (-). 
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and 
the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more 
public key calculation time. 
Usage guidelines 
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following 
ways: 
•  Use the public-key local create command to generate a key pair. 
•  An application, such as IKE using digital signature authentication, triggers the generation of a key pair. 
•  Use the pki import command to import a certificate containing a key pair. 
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA or RSA). 
•  If DSA is used, a PKI domain can have only one key pair. 
•  If RSA is used, a PKI domain can have two key pairs: one is the signing key pair, and the other is 
the encryption one. 
•  In a PKI domain, key pairs for different purposes (RSA signing and RSA encryption) do not overwrite 
each other. 
•  For DSA, the most recent configuration takes effect. 
If you specify a signing key pair and an encryption key pair separately, their key lengths can be different. 
The specified length takes effect only on a key pair that is yet to be generated. If the device already has the 
key pair, or the key pair is contained in an imported certificate, the key length specified in this command 
does not take effect. 
Examples 
# Specify the RSA key pair abc with the purpose general and key length 2048 bits for certificate request. 
<Sysname> system-view 
[Sysname] pki domain aaa 
[Sysname-pki-domain-aaa] public-key rsa general name abc length 2048 
# Specify the RSA encryption key pair rsa1 with the key length 2048 bits, and the RSA signing key pair 
sig1 with the key length 2048 bits for certificate request. 
<Sysname> system-view 
[Sysname] pki domain aaa 
[Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 2048 
[Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 2048 
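The following audit script is an added example, not part of the original manual: it scans saved configuration text for the public-key rsa forms shown above and flags key pair names or lengths that break the documented limits, including lines that omit length and so fall back to the 1024-bit default. The sample configuration is constructed, the function name is hypothetical, and using 2048 bits (the FIPS-mode value) as the minimum is an assumed audit policy. The script reports the configured length only, which applies solely to key pairs that are yet to be generated.

```python
import re

# Syntax as shown in the examples above; an omitted length means the
# non-FIPS default of 1024 bits.
DOMAIN_RE = re.compile(r"^\s*pki domain (\S+)\s*$")
KEY_RE = re.compile(
    r"^\s*public-key rsa (general|encryption|signature) name (\S+)"
    r"(?: length (\d+))?\s*$"
)
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")  # 1 to 64 letters, digits, hyphens
DEFAULT_BITS = 1024   # non-FIPS default
REQUIRED_BITS = 2048  # FIPS-mode value, assumed here as the audit threshold


def audit_pki_key_pairs(config_text):
    """Return (domain, purpose, name, bits, issues) per public-key rsa line."""
    findings, domain = [], None
    for line in config_text.splitlines():
        m = DOMAIN_RE.match(line)
        if m:
            domain = m.group(1)  # entering a PKI domain view
            continue
        m = KEY_RE.match(line)
        if not (m and domain):
            continue
        purpose, name, length = m.groups()
        bits = int(length) if length else DEFAULT_BITS
        issues = []
        if not NAME_RE.match(name):
            issues.append("invalid key pair name")
        if not 512 <= bits <= 2048:
            issues.append("length outside 512-2048")
        elif bits < REQUIRED_BITS:
            issues.append("below 2048 bits" + ("" if length else " (default)"))
        findings.append((domain, purpose, name, bits, issues))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
pki domain aaa
 public-key rsa encryption name rsa1 length 2048
 public-key rsa signature name sig1
pki domain bbb
 public-key rsa general name abc length 1024
"""

if __name__ == "__main__":
    print(*audit_pki_key_pairs(SAMPLE), sep="\n")
```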
Related commands 
•  pki import 
•  public-key local create (see Security Command Reference) 
root-certificate fingerprint 
Use root-certificate fingerprint to set the fingerprint for verifying the validity of the CA root certificate. 
Use undo root-certificate fingerprint to remove the configuration.