public-key local create

Use public-key local create to create local key pairs.

Syntax

In non-FIPS mode:

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]

In FIPS mode:

public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]

Default

No local key pairs exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

dsa: Specifies the DSA key pair type.

ecdsa: Specifies the ECDSA key pair type.

rsa: Specifies the RSA key pair type.

name key-name: Assigns a name to the key pair. The key-name argument is a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not assign a name to the key pair, the key pair takes the default name.

Table 19: Default local key pair names

Type     Default name
RSA      • Host key pair: hostkey
         • Server key pair: serverkey
DSA      dsakey
ECDSA    ecdsakey

Usage guidelines

The key algorithm must match the one required by the security application that will use the key pair.

When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, and the longer the key generation time.

When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length. The longer the key length, the higher the security, and the longer the key generation time.

See Table 20 for more information about key modulus lengths and key lengths.

If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default. The name of a key pair must be unique among all manually named key pairs that use the same key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.

The key pairs are automatically saved and can survive system reboots.

Table 20: A comparison of different types of asymmetric key algorithms

RSA
  Generated key pairs:
    • In non-FIPS mode:
      • One host key pair, if you specify a key pair name.
      • One server key pair and one host key pair, if you do not specify a key pair name. Both key pairs use their default names.
    • In FIPS mode: One host key pair.
    NOTE: Only SSH 1.5 uses the RSA server key pair.
  Modulus/key length:
    • In non-FIPS mode: 512 to 2048 bits, 1024 bits by default. To ensure security, use a minimum of 768 bits.
    • In FIPS mode: 2048 bits.

DSA
  Generated key pairs: One host key pair.
  Modulus/key length:
    • In non-FIPS mode: 512 to 2048 bits, 1024 bits by default. To ensure security, use a minimum of 768 bits.
    • In FIPS mode: 2048 bits.

ECDSA
  Generated key pairs: One host key pair.
  Modulus/key length:
    • In non-FIPS mode: 192, 256, 384, or 521 bits.
    • In FIPS mode: 256, 384, or 521 bits.
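The naming, length and mode rules described in the usage guidelines and Table 20, modelled as a small offline pre-check for a planned key configuration. This is an added example, not part of the command reference or the device software; the KeyStore/KeyPair names and the assumption that re-creating a key pair replaces the stored record are this example's own.

```python
import re
from dataclasses import dataclass, field
ECDSA_CURVE_BITS = {"secp192r1": 192, "secp256r1": 256, "secp384r1": 384, "secp521r1": 521}
DEFAULT_NAMES = {"rsa": "hostkey", "dsa": "dsakey", "ecdsa": "ecdsakey"}
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,64}")  # key-name: letters, digits, hyphens; 1 to 64 chars

@dataclass
class KeyPair:
    alg: str
    name: str
    bits: int
    is_default: bool  # True only when the system assigned the default name

@dataclass
class KeyStore:
    fips: bool
    keys: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    def _key_bits(self, alg, bits, curve):
        # Check the requested length against the mode and return the effective key length.
        if alg == "ecdsa":
            if curve not in ECDSA_CURVE_BITS or (self.fips and curve == "secp192r1"):
                raise ValueError(f"curve {curve} is not available in this mode")
            return ECDSA_CURVE_BITS[curve]
        if self.fips and bits != 2048:
            raise ValueError("FIPS mode accepts only a 2048-bit modulus")
        if not 512 <= bits <= 2048:
            raise ValueError("modulus must be 512 to 2048 bits")
        if bits < 768:  # page guidance: "use a minimum of 768 bits"
            self.warnings.append(f"{alg} modulus of {bits} bits is below the recommended 768")
        return bits

    def create(self, alg, name=None, bits=1024, curve="secp256r1", overwrite=False):
        # Model one 'public-key local create' command; return the names of the key pairs created.
        if name is not None and not NAME_RE.fullmatch(name):
            raise ValueError("key-name must be 1 to 64 letters, digits, or hyphens")
        bits = self._key_bits(alg, bits, curve)
        # Unnamed RSA in non-FIPS mode yields a host key pair and an SSH 1.5 server key pair.
        if alg == "rsa" and name is None and not self.fips:
            wanted = ["hostkey", "serverkey"]
        else:
            wanted = [name.lower() if name else DEFAULT_NAMES[alg]]  # names are case-insensitive
        for n in wanted:
            # Uniqueness applies only among manually named pairs of one algorithm, so a manually
            # assigned default name does not collide with the system-assigned default.
            clash = [k for k in self.keys if k.alg == alg and k.name == n and k.is_default == (name is None)]
            if clash and name is not None and not overwrite:
                raise FileExistsError(f"{alg} key pair {n!r} exists; confirm overwrite")
            self.keys = [k for k in self.keys if k not in clash]  # assumption: re-creation replaces
            self.keys.append(KeyPair(alg, n, bits, is_default=name is None))
        return wanted
```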

Examples

# Create local RSA key pairs with default names.

<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++
.++++++
..++++++++
....++++++++
Create the key pair successfully.

# Create a local DSA key pair with the default name.

<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.

# Create a local ECDSA key pair with the default name.

<Sysname> system-view
[Sysname] public-key local create ecdsa
Generating Keys...
Create the key pair successfully.

# Create a local RSA key pair with the name rsa1.

<Sysname> system-view
[Sysname] public-key local create rsa name rsa1
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
...++++++
...............................++++++
Create the key pair successfully.

# Create a local DSA key pair with the name dsa1.

<Sysname> system-view
[Sysname] public-key local create dsa name dsa1
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.

# Create a local ECDSA key pair with the name ecdsa1.

<Sysname> system-view
[Sysname] public-key local create ecdsa name ecdsa1
Generating Keys...
Create the key pair successfully.

# In FIPS mode, create a local RSA key pair with the default name.

<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key modulus is (2048 ~ 2048).
It will take a few minutes.Press CTRL+C to abort.
Input the modulus length [default = 2028]:
Generating Keys...
...++++++
.++++++
..++++++++
....++++++++
Create the key pair successfully.

# In FIPS mode, create a local DSA key pair with the default name.

<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key modulus is (2048 ~ 2048).
It will take a few minutes.Press CTRL+C to abort.
Input the modulus length [default = 2028]:
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+..+................
.......+..........+..............+.............+...+.....+...............+..+...
...+.................+..........+...+....+.......+.....+............+.........+.
........................+........+..........+..............+.....+...+..........
..............+.........+..........+...........+........+....+..................
.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
Create the key pair successfully.

Related commands

display public-key local public

public-key local destroy