HP MSR2000/3000/4000 Router Series Security Command Reference

public-key rsa
Use public-key rsa to specify an RSA key pair for certificate request.
Use undo public-key to remove the configuration.
Syntax
public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }
undo public-key
Default
No key pair is specified.
Views
PKI domain view
Predefined user roles
network-admin
Parameters
encryption: Specifies a key pair for encryption.
name encryption-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters,
which can include only letters, digits, and hyphen (-).
signature: Specifies a key pair for signing.
name signature-key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters,
which can include only letters, digits, and hyphen (-).
general: Specifies a key pair for both signing and encryption.
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters, which can
include only letters, digits, and hyphen (-).
length key-length: Specifies the key length in bits. In non-FIPS mode, the key length is in the range of 512
to 2048 and defaults to 1024. In FIPS mode, the key length is fixed at 2048. A longer key provides higher
security but takes more time for public key calculations.
Usage guidelines
You can specify a nonexistent key pair in this command. You can get a key pair in any of the following
ways:
Use the public-key local create command to generate a key pair.
An application, such as IKE using digital signature authentication, triggers the generation of a key pair.
Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA or RSA). If DSA
is used, a PKI domain can have only one key pair. If RSA is used, a PKI domain can have two key pairs:
one is the signing key pair, and the other is the encryption one. In a PKI domain, key pairs for different
purposes (RSA signing and RSA encryption) do not overwrite each other. For DSA, the most recent
configuration takes effect.
If you specify a signing key pair and an encryption key pair separately, their key lengths can be different.
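The following audit script is an added example, not part of the HP reference. It parses public-key rsa lines according to the syntax above and flags invalid key names, out-of-range lengths, and lengths below 2048 bits, counting an omitted length as the 1024-bit non-FIPS default. The 2048-bit threshold is an assumed audit policy taken from the FIPS-mode value, the sample configuration is constructed, and the script assumes the command appears in the configuration text in the form shown under Syntax.

```python
import re

DEFAULT_BITS, RANGE = 1024, (512, 2048)  # non-FIPS default and range stated on the page
MIN_BITS = 2048  # ASSUMED audit policy: the length the page says FIPS mode fixes
NAME_RE = re.compile(r"[A-Za-z0-9-]{1,64}")  # letters, digits and hyphen, 1 to 64 chars
CLAUSE = r"(encryption|signature|general) name (\S+)(?: length (\d+))?"
LINE_RE = re.compile(rf"public-key rsa {CLAUSE}(?: {CLAUSE})?")

def parse_public_key_rsa(line):
    """Parse one command into [(purpose, name, bits)]; an omitted length is the default."""
    m = LINE_RE.fullmatch(" ".join(line.split()))
    if not m:
        raise ValueError("does not match the public-key rsa syntax")
    g = m.groups()
    # Two clauses are valid only as one encryption plus one signature key pair.
    if g[3] and (g[0] == g[3] or "general" in (g[0], g[3])):
        raise ValueError("use general alone, or encryption/signature once each")
    return [(g[k], g[k + 1], int(g[k + 2] or DEFAULT_BITS)) for k in (0, 3) if g[k]]

def audit(config_text):
    """Return [(line_no, issue, detail)] for every public-key rsa line in config_text."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        if not line.strip().startswith("public-key rsa"):
            continue
        try:
            clauses = parse_public_key_rsa(line)
        except ValueError as exc:
            findings.append((no, "syntax", str(exc)))
            continue
        for purpose, name, bits in clauses:
            if not NAME_RE.fullmatch(name):
                findings.append((no, "name", f"{purpose} key name {name!r} is invalid"))
            if not RANGE[0] <= bits <= RANGE[1]:
                findings.append((no, "range", f"{purpose} {name}: {bits} bits not in 512-2048"))
            elif bits < MIN_BITS:
                findings.append((no, "weak", f"{purpose} {name}: {bits} bits < {MIN_BITS}"))
    return findings

# Constructed sample configuration (domain and key names are made up).
SAMPLE = """\
pki domain branch-a
 public-key rsa general name abc length 2048
pki domain branch-b
 public-key rsa encryption name enc-key signature name sig-key length 1024
pki domain branch-c
 public-key rsa general name bad_name length 4096
 public-key rsa general name abc length
"""
```

Calling audit(SAMPLE) returns one finding per problem. The encryption key pair on line 4 is reported as weak even though only the signature clause carries an explicit length, because the omitted length falls back to the default.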