Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Configuring an RSA Key Pair

Context

Local certificates are signed and issued by the CA. A local certificate binds a public key to a PKI entity. Therefore, before applying for a local certificate, you must configure an RSA key pair to generate the public and private keys. The PKI entity sends the public key to the CA, and the peer uses this key to encrypt plaintext. The PKI entity keeps the private key itself and uses it to create digital signatures and to decrypt ciphertext from the peer.

You can configure an RSA key pair using either of the following methods:

  • Create an RSA key pair.

    You can directly create a key pair on the device, removing the need to import the key pair to the device memory.

  • Import an RSA key pair.

    To use the key pair generated by another PKI entity, upload the key pair to the device through FTP or SFTP and then import it into the device memory. Otherwise, the key pair does not take effect on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run the following commands as required.
    • Create an RSA key pair.

      Run pki rsa local-key-pair create key-name [ modulus modulus-size ] [ exportable ]

      An RSA key pair is created to apply for a local certificate.

    • Import an RSA key pair.

      Run pki import rsa-key-pair key-name { pem | pkcs12 } file-name [ exportable ] [ password password ]

      Or run pki import rsa-key-pair key-name der file-name [ exportable ]

      The specified RSA key pair and certificate in the specified file are imported into the device memory.

      NOTE:

      The imported RSA key pair can be exported only if the exportable parameter is specified in the command.

      Windows Server 2003 has low processing performance. When the device is connected to a server running Windows Server 2003, do not configure too many entities on the device or use a key pair with a large size. Otherwise, the device may fail to connect to the server.

Follow-up Procedure

  • To back up RSA key pairs or use RSA key pairs on other devices, run the pki export rsa-key-pair key-name [ and-certificate certificate-name ] { pem file-name [ 3des | aes | des ] | pkcs12 file-name } password password command to export the specified RSA key pair into the device memory. In addition to the RSA key pair, its associated certificate will also be exported. Subsequently, the RSA key pair can be obtained using FTP or SFTP.

  • When RSA key pairs are leaked, damaged, lost or no longer used, run the pki rsa local-key-pair destroy key-name command to destroy a specified RSA key pair.

    After this command is executed, the specified RSA key pair is deleted from the active device, and it is also deleted from the standby device.

  • To check which RSA key pair corresponds to a certificate, run the pki match-rsa-key certificate-filename file-name command. The device then searches for the RSA key pair associated with the specified certificate.

Updated: 2019-04-01

Document ID: EDOC1000178319
