Creating a local asymmetric key pair

When you create an asymmetric key pair on the local device, follow these guidelines:

Table 15: A comparison of different types of asymmetric key algorithms

| Type | Number of key pairs | Modulus length |
|---|---|---|
| RSA | In non-FIPS mode: the system creates one server key pair and one host key pair. In FIPS mode: the system creates a host key pair. | In non-FIPS mode: 512 to 2048 bits and defaults to 1024 bits. In FIPS mode: 2048 bits. Hewlett Packard Enterprise recommendation: a minimum of 768 bits. |
| DSA | The system creates a host key pair. | In non-FIPS mode: 512 to 2048 bits and defaults to 1024 bits. In FIPS mode: 1024 to 2048 bits and defaults to 1024 bits. Hewlett Packard Enterprise recommendation: a minimum of 768 bits. |
| ECDSA | The system creates a host key pair. | 192 bits, when the secp192r1 curve is used to create the key pair (available in non-FIPS mode only). 256 bits, when the secp256r1 curve is used to create the key pair. |


NOTE:

Only SSH 1.5 uses the RSA server key pair.


To create a local asymmetric key pair:

1. Enter system view.

   Command: system-view

   Remarks: N/A

2. Create a local key pair.

   Command:

     • In non-FIPS mode: public-key local create { dsa | ecdsa { secp192r1 | secp256r1 } | rsa }

     • In FIPS mode: public-key local create { dsa | ecdsa secp256r1 | rsa }

   Remarks: By default, no local asymmetric key pairs exist.

Key pairs created with the public-key local create command are saved automatically and can survive system reboots.
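To audit a host key against the FIPS-mode limits in Table 15, the following added example (not part of the original documentation or any HPE tooling) parses a public key line and reports its size. It assumes the key has been obtained in OpenSSH one-line format; all function names and the sample key are constructed for illustration.

```python
import base64
import struct

# FIPS-mode modulus limits in bits, taken from Table 15.
FIPS_LIMITS = {"ssh-rsa": (2048, 2048), "ssh-dss": (1024, 2048)}
# Modulus position in the key blob: RSA is (type, e, n); DSA is (type, p, q, g, y).
MODULUS_FIELD = {"ssh-rsa": 2, "ssh-dss": 1}

def ssh_string(data):
    """Encode bytes as an SSH string: 4-byte big-endian length, then the data."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value):
    """Encode a positive integer as an SSH mpint (a leading zero keeps it positive)."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def split_fields(blob):
    """Split a key blob into its length-prefixed fields, rejecting truncation."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields

def check_fips_key(line):
    """Return (key type, size in bits, meets the FIPS-mode limits of Table 15)."""
    declared, b64 = line.split()[:2]
    fields = split_fields(base64.b64decode(b64))
    ktype = fields[0].decode("ascii")
    if ktype != declared:
        raise ValueError("key type label does not match the blob")
    if ktype.startswith("ecdsa-sha2-"):
        # Field 1 names the curve; nistp256 is the SSH name for secp256r1.
        ok = fields[1] == b"nistp256"
        return ktype, 256 if ok else None, ok
    if ktype not in FIPS_LIMITS:
        raise ValueError("unsupported key type: " + ktype)
    bits = int.from_bytes(fields[MODULUS_FIELD[ktype]], "big").bit_length()
    low, high = FIPS_LIMITS[ktype]
    return ktype, bits, low <= bits <= high

def sample_rsa_line(bits):
    """Constructed sample: a well-formed ssh-rsa line with a dummy modulus, not a real key."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed-sample"
```

Calling `check_fips_key(sample_rsa_line(1024))` flags the non-FIPS default RSA size as outside the FIPS-mode requirement.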