The key-usage command configures the purpose description for a certificate public key.
The undo key-usage command deletes the purpose description of a certificate public key.
By default, a certificate public key does not have a purpose description.
key-usage { ike | ssl-client | ssl-server } *
undo key-usage { ike | ssl-client | ssl-server } *
Parameter |
Description |
Value |
|---|---|---|
ike |
Specifies the usage of a key as ike. That is, the key is used to set up an IPSec tunnel. |
- |
ssl-client |
Specifies the usage of a key as ssl-client. That is, the key is used by the SSL client to set up an SSL session. |
- |
ssl-server |
Specifies the usage of a key as ssl-server. That is, the key is used by the SSL server to set up an SSL session. |
- |
To improve certificate security, you can add the usage information of a key to the certificate request packet sent from the device to the CA server.
After receiving the certificate request packet, the CA server verifies the packet. For each valid packet, the CA server generates a digital certificate carrying the usage information of the key.
For example, when setting up an SSL session, the SSL client adds a digital signature and encrypts the key by using the certificate. After you specify the usage of a key as ssl-client by using the key-usage ssl-client command, the certificate generated by the CA server carries the usage information, including a digital signature and encrypted key. If you use this key to encrypt data, the key will be invalid.