public-key dsa

Use public-key dsa to specify a DSA key pair for certificate request.

Use undo public-key to restore the default.

Syntax

public-key dsa name key-name [ length key-length ]

undo public-key

Default

No key pair is specified for certificate request.

Views

PKI domain view

Predefined user roles

network-admin

mdc-admin

Parameters

name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.

Usage guidelines

You can specify a nonexistent key pair in this command. A key pair can be obtained in any of the following ways:

• Use the public-key local create command to generate a key pair.

• An application, like IKE using digital signature authentication, triggers the device to generate a key pair.

• Use the pki import command to import a certificate containing a key pair.

A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, or RSA).

If you configure a DSA key pair for a PKI domain multiple times, the most recent configuration takes effect.

The length key-length option takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and length before submitting a certificate request. The length key-length option is ignored if the specified key pair already exists or is already contained in an imported certificate.

Examples

# Specify 2048-bit DSA key pair abc for certificate request.

<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key dsa name abc length 2048

Related commands

pki import

public-key local create