public-key rsa
Use public-key rsa to specify an RSA key pair for certificate request.
Use undo public-key to restore the default.
Syntax
public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
undo public-key
Default
No key pair is specified for certificate request.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
encryption: Specifies a key pair for encryption.
name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).
signature: Specifies a key pair for signing.
name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).
general: Specifies a key pair for both signing and encryption.
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways:
Use the public-key local create command to generate a key pair.
An application, like IKE using digital signature authentication, triggers the device to generate a key pair.
Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, or RSA).
A PKI domain can have two RSA key pairs of different purposes: one is the signing key pair, and the other is the encryption key pair. If you configure an RSA signing key pair or RSA encryption key pair multiple times, the most recent configuration takes effect. The RSA signing key pair and encryption key pair do not overwrite each other.
If you specify a signing key pair and an encryption key pair separately, their key length can be different.
The length key-length option takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and length before submitting a certificate request. The length key-length option is ignored if the specified key pair already exists or is already contained in an imported certificate.
Examples
# Specify 2048-bit general purpose RSA key pair abc for certificate request.
<Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] public-key rsa general name abc length 2048
# Specify the following RSA key pairs for certificate request:
2048-bit RSA encryption key pair rsa1.
2048-bit RSA signing key pair sig1.
<Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 2048 [Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 2048
Related commands
pki import
public-key local create