Creating an RSA Key Pair

Before applying for certificates, create RSA key pairs.

Usage Scenario

Generating a key pair is an important step in applying for a certificate. The key pair consists of a private key and a public key. The private key is kept by the user, and the public key and other information are delivered to the CA. Then, the CA generates a certificate and signs it with the public key. If the private key is disclosed, the user must delete the old key pair, create a new key pair, and reapply for a certificate.

The private key on the device is encrypted before being stored.

RSA is an abbreviation of three names, Ron Rivest, Adi Shamir, and Len Adleman, and is a public key encryption algorithm. RSA key pairs are categorized into host key pairs and server key pairs. Each key pair is composed of a private key and a public key. These two key pairs are used by SSH. The server key pair is periodically changed by the local server, while the host key pair remains unchanged. The host key pair is used when you apply for a certificate.

  • If an unnamed RSA key pair exists on a device, a newly created key pair overwrites the old one. If multiple RSA key pairs exist or a named RSA key exists on a device, delete the existing RSA key pairs before creating and renaming RSA key pairs.
  • After the key pair is deleted or replaced, the existing certificate becomes invalid. You need to apply for a new certificate, which ensures the RSA key pair and certificate match.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run rsa pki local-key-pair [ key-name ] create

    The local key pair is created.

    If the RSA key pair already exists on the device, you can also run the pki import rsa-key-pair keypair-name { der key-filename | pem key-filename password password-val } command to import the RSA key pair to the device memory for the configuration to take effect. In this case, you do not need to create an RSA key pair.

  3. Run commit

    The configuration is committed.
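The following is an added example, not part of the original procedure or Huawei's own code: it runs on an administrator workstation with OpenSSL, creates a password-protected PEM key file of the kind the pem key-filename password password-val import form refers to, and checks whether a certificate still matches a key pair after the pair has been replaced. The file names, the CN, the passphrase and the KEY_PASS variable are constructed for illustration, a self-signed certificate stands in for the CA-issued one, and whether the device accepts the PEM encryption that OpenSSL writes is an assumption to confirm against the product documentation.

```shell
#!/bin/sh
# Added example (not Huawei code). Runs on an admin workstation with OpenSSL.
# File names, the CN and the passphrase are constructed placeholders.
# The passphrase is read from the KEY_PASS environment variable so that it
# does not appear on the command line.

# Create a 2048-bit RSA key pair, stored AES-256-encrypted in PEM form.
make_key() {            # $1 = output key file
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1" 2048 2>/dev/null
}

# Self-signed certificate standing in for the one the CA would issue.
make_test_cert() {      # $1 = key file, $2 = output certificate file
    openssl req -new -x509 -key "$1" -passin env:KEY_PASS \
        -subj "/CN=example-device" -days 1 -out "$2" 2>/dev/null
}

# Public key (PEM) held in a private key file / in a certificate.
key_pub()  { openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Return 0 if the certificate carries the key pair's public key, 1 if it
# does not, 2 if either file cannot be read (bad file, wrong passphrase).
cert_matches_key() {    # $1 = certificate file, $2 = key file
    c=$(cert_pub "$1") || return 2
    k=$(key_pub "$2")  || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    KEY_PASS='constructed-passphrase'; export KEY_PASS
    make_key "$dir/old.pem" && make_test_cert "$dir/old.pem" "$dir/old.crt"
    make_key "$dir/new.pem"      # the key pair was replaced
    cert_matches_key "$dir/old.crt" "$dir/old.pem" && echo "old key: match"
    cert_matches_key "$dir/old.crt" "$dir/new.pem" || echo "new key: reapply"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument demo to see both outcomes; a return value of 2 from cert_matches_key means a file could not be read and says nothing about whether the certificate matches.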

Copyright © Huawei Technologies Co., Ltd.