Related commands
crl check
pki domain
public-key dsa
Use public-key dsa to specify a DSA key pair for certificate request.
Use undo public-key to restore the default.
Syntax
public-key dsa name key-name [ length key-length ]
undo public-key
Default
No key pair is specified for certificate request.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).
length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.
Usage guidelines
You can specify a nonexistent key pair in this command. A key pair can be obtained in any of the following ways:
• Use the public-key local create command to generate a key pair.
• An application triggers the device to generate a key pair.
• Use the pki import command to import a certificate containing a key pair.
A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, or RSA).
If you configure a DSA key pair for a PKI domain multiple times, the most recent configuration takes effect.
The length key-length option takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and length before submitting a certificate request. The length key-length option is ignored if the specified key pair already exists or is already contained in an imported certificate.
Examples
# Specify the 2048-bit DSA key pair abc for certificate request.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] public-key dsa name abc length 2048
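The following is an added example, not part of the original command reference or the vendor's tooling: a configuration audit that applies the name and length rules described above to saved configuration text. It assumes commands under pki domain are indented by one space, and the function name, the min_bits policy threshold, and the sample configuration are hypothetical.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9-]{1,64}")        # name rule from the page
CMD_RE = re.compile(r"public-key dsa name (\S+)(?: length (\d+))?")
DEFAULT_BITS = 1024                                 # non-FIPS default from the page

def audit_dsa_keys(config_text, fips_mode=False, min_bits=2048):
    """Map each PKI domain to (key_name, bits, [issues]).

    bits is the length the device would use if it has to create the key
    pair itself; the option is ignored when the key pair already exists.
    min_bits is a local policy threshold (assumption), not a device limit.
    """
    effective, domain = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("pki domain "):
            domain = line.split()[2]
        elif raw[:1] not in (" ", "\t"):
            domain = None                           # left the PKI domain view
        elif domain and (m := CMD_RE.fullmatch(line)):
            # Most recent configuration in a domain takes effect.
            effective[domain] = (m.group(1), int(m.group(2) or DEFAULT_BITS))
    report = {}
    for dom, (name, bits) in effective.items():
        issues = []
        if not NAME_RE.fullmatch(name):
            issues.append("invalid key pair name")
        if not 512 <= bits <= 2048:
            issues.append("length outside 512-2048")
        if fips_mode and bits != 2048:
            issues.append("FIPS mode requires 2048")
        elif bits < min_bits:
            issues.append(f"below policy minimum of {min_bits} bits")
        report[dom] = (name, bits, issues)
    return report

# Constructed sample in saved-configuration layout (not from a real device).
SAMPLE = """\
pki domain aaa
 public-key dsa name abc length 2048
#
pki domain branch
 public-key dsa name dsa-branch
#
pki domain lab
 public-key dsa name lab_key length 768
"""

if __name__ == "__main__":
    for dom, result in audit_dsa_keys(SAMPLE).items():
        print(dom, result)
```

A domain that omits the length option is reported at the 1024-bit default because that is what the device would generate for a nonexistent key pair in non-FIPS mode.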