R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Displaying or exporting the local RSA or DSA host public key
Display the local RSA or DSA host public key on the screen or export it to a specified file. Then, you can
configure the local RSA or DSA host public key on the peer device so that the peer device can use the host
public key to authenticate the local end through digital signature.
To display or export the local RSA or DSA host public key:
Step 1: Enter system view.
    Command: system-view
    Remarks: N/A
Step 2: Display the local RSA host public key on the screen in a specified format, or export it to a specified file.
    Command: public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]
    Remarks: Select the command (step 2 or step 3) according to the type of the key to be exported.
Step 3: Display the local DSA host public key on the screen in a specified format, or export it to a specified file.
    Command: public-key local export dsa { openssh | ssh2 } [ filename ]
    Remarks: Select the command (step 2 or step 3) according to the type of the key to be exported.
Destroying an asymmetric key pair
You may need to destroy an asymmetric key pair and generate a new pair when an intrusion event has
occurred, the storage media of the device is replaced, the asymmetric key has been used for a long time,
or the certificate from the Certificate Authority (CA) expires. To check the certificate status, use the display
pki certificate command. For more information about the CA and certificate, see "Managing
Certificates."
To destroy an asymmetric key pair:
Step 1: Enter system view.
    Command: system-view
Step 2: Destroy an asymmetric key pair.
    Command: public-key local destroy { dsa | rsa }
Configuring a peer public key
To enable your local host to authenticate a peer device, configure the peer RSA or DSA public key on the
local host. The following methods are available:
• Import it from a public key file—Obtain a copy of the peer public key file through FTP or TFTP (in
binary mode) first, and then import the public key from the file. During the import process, the
system automatically converts the public key to a string in PKCS (Public Key Cryptography
Standards) format. HP recommends this method for configuring the peer public key.
• Configure it manually—If the peer device is an HP device, you can use the display public-key local
public command to view and record its public key. On the local host, input or copy the key data in
public key code view. A public key displayed by other methods may not be in PKCS format, and the
system cannot save a key whose format is not compliant.
NOTE:
The firewall supports up to 20 peer public keys.
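Before a key exported with public-key local export rsa openssh is configured on the peer device, a practitioner will usually want to confirm out of band that both sides hold the same key: compare the SHA256 fingerprint and the modulus size on the exporting firewall and on the peer. The following parser is an added example written for this guide, not HP's code or part of the firewall; the key it builds for itself is a constructed placeholder with a synthetic modulus, not a real RSA key.

```python
import base64
import hashlib
import struct


def _read_string(blob: bytes, pos: int):
    """Read one SSH wire-format string (uint32 length + bytes) starting at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def build_openssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an 'ssh-rsa <base64> [comment]' line; used here only to construct sample input."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_openssh_rsa(line: str) -> dict:
    """Parse an OpenSSH-format RSA key line: e, n, modulus bits, ssh-keygen style SHA256 fingerprint."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob key type does not match the line's key type")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected trailing data after the modulus")
    n = int.from_bytes(n_bytes, "big")
    return {
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        "fingerprint": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("="),
    }
```

A fingerprint that differs between the exporting firewall and the peer, or a modulus smaller than the size you generated, means the wrong key (or a mangled copy) is about to be trusted. The fingerprint is computed over the decoded blob only, so a differing trailing comment does not change it.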