Local certificates are signed and issued by the CA. A local certificate binds a public key to the identity of a PKI entity. Therefore, before applying for a local certificate, you must configure an RSA key pair so that the public key and private key exist on the device. The public key is sent by the PKI entity to the CA in the certificate request and is then published in the certificate; peers use it to encrypt data for the entity and to verify the entity's signatures. The private key never leaves the PKI entity; the entity uses it to digitally sign data and to decrypt ciphertext received from peers.
You can configure an RSA key pair using either of the following methods:
Create an RSA key pair.
You can directly create a key pair on the device, removing the need to import the key pair to the device memory.
Import an RSA key pair.
To use a key pair generated on another PKI entity, upload the key pair file to the device through FTP or SFTP and then import it into the device memory. A key pair that is only uploaded to storage but not imported does not take effect on the device.
Run system-view
The system view is displayed.
Create an RSA key pair.
Run pki rsa local-key-pair create key-name [ modulus modulus-size ] [ exportable ]
An RSA key pair is created to apply for a local certificate.
Import an RSA key pair.
Run pki import rsa-key-pair key-name [ include-cert realm realm-name ] { pem | pkcs12 } file-name [ exportable ] [ password password ]
Or run pki import rsa-key-pair key-name der file-name [ exportable ]
The RSA key pair in the specified file is imported into the device memory; if include-cert realm realm-name is specified, the certificate contained in the file is imported into that realm as well.
An imported RSA key pair can be exported later only if the exportable parameter was specified when it was imported.
Windows Server 2003 has low processing performance. When the device is connected to a Windows Server 2003 CA, do not configure too many PKI entities on the device or use a key pair with a large modulus; otherwise, the device may fail to connect to the server.
To back up an RSA key pair or use it on another device, run the pki export rsa-key-pair key-name [ and-certificate certificate-name ] { pem file-name [ 3des | aes | des ] | pkcs12 file-name } password password command to export the specified RSA key pair to a file on the device, protected by the given password. If and-certificate is specified, the associated certificate is exported together with the key pair. Only key pairs created or imported with the exportable parameter can be exported. The exported file can then be downloaded from the device using FTP or SFTP.
When an RSA key pair is leaked, damaged, lost, or no longer needed, run the pki rsa local-key-pair destroy key-name command to destroy it.
After this command is executed, the specified RSA key pair is deleted from the active device and also from the standby device.
To find out which RSA key pair a certificate belongs to, run the pki match-rsa-key certificate-filename file-name command. The device searches its RSA key pairs for the one whose public key matches the public key in the specified certificate.
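The import path above (upload a key pair generated elsewhere in pem, pkcs12 or der form, then pki import rsa-key-pair) and the match check (pki match-rsa-key) both depend on files prepared off the device. The following script is an added example, not part of the original page or the device vendor's code: it uses OpenSSL on a workstation to produce the key pair in each of the three container formats the import command accepts and performs the same public-key comparison the device does when matching a key pair to a certificate. The file names, the 2048-bit modulus, the working directory, the subject name and the PKCS#12 password are assumptions for the demonstration, and the self-signed certificate stands in for the CA-issued local certificate; the device commands themselves are not run here.

```shell
#!/bin/sh
# Added example (not from the original page): prepare an RSA key pair for
# 'pki import rsa-key-pair' in pem, pkcs12 and der form, and check that the
# key pair matches a certificate before uploading. All names and values
# below are assumptions; the self-signed certificate is a stand-in for the
# certificate the CA would issue.
set -e

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for generated files
P12_PASS="${P12_PASS:-import-demo}"   # password later given to 'pki import ... password'

# Create a 2048-bit RSA private key in PEM form (the 'pem' import format).
gen_rsa_key() {          # $1 = output path
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Build a self-signed certificate for the key (stand-in for a CA-issued one).
self_signed_cert() {     # $1 = key path, $2 = certificate path, $3 = subject CN
    openssl req -new -x509 -key "$1" -days 365 -subj "/CN=$3" -out "$2" 2>/dev/null
}

# Bundle key + certificate into a password-protected PKCS#12 file, which is
# what 'pki import rsa-key-pair <name> include-cert realm <realm> pkcs12 <file>
# password <pw>' consumes.
make_pkcs12() {          # $1 = key, $2 = cert, $3 = output .p12, $4 = password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Convert the PEM key to DER for 'pki import rsa-key-pair <name> der <file>'.
pem_to_der() {           # $1 = PEM key, $2 = DER output
    openssl rsa -in "$1" -outform DER -out "$2" 2>/dev/null
}

# Off-device equivalent of 'pki match-rsa-key certificate-filename': the
# public key inside the certificate must equal the public half of the key
# pair. Returns 0 when they match, 1 otherwise.
key_matches_cert() {     # $1 = PEM key, $2 = PEM certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Parse the PKCS#12 with its password to prove the bundle is readable.
verify_pkcs12() {        # $1 = .p12 path, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Run the whole preparation once. The files under $1 are what you upload to
# the device with FTP/SFTP before running the import command.
prepare_import_files() {  # $1 = working directory
    d="$1"
    gen_rsa_key "$d/entity.key"
    self_signed_cert "$d/entity.key" "$d/entity.crt" "entity.example"
    make_pkcs12 "$d/entity.key" "$d/entity.crt" "$d/entity.p12" "$P12_PASS"
    pem_to_der "$d/entity.key" "$d/entity.der"
    key_matches_cert "$d/entity.key" "$d/entity.crt"
}

prepare_import_files "$WORK"
echo "import files ready in $WORK"
```

Note that OpenSSL 3 protects PKCS#12 files with AES-256-CBC and PBKDF2 by default; a device that only understands the older PBE algorithms will reject such a bundle, and you would add -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES to the export step. The password chosen here must be the same one given to the password parameter of pki import rsa-key-pair.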