Creating a local key pair
Restrictions and guidelines
When you create a local key pair, follow these guidelines:
The key algorithm must be the same as required by the security application.
When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. The longer the key modulus length, the higher the security, and the longer the key generation time.
When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length. The longer the key length, the higher the security, and the longer the key generation time.
See Table 26 for more information about key modulus lengths and key lengths.
If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default. The key pair name must be unique among all manually named key pairs that use the same key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.
The key pairs are automatically saved and can survive system reboots.
Table 26: A comparison of different types of asymmetric key algorithms

Type | Generated key pairs | Modulus/key length
---|---|---
RSA | NOTE: Only SSH 1.5 uses the RSA server key pair. | 
DSA | One host key pair. | 
ECDSA | One host key pair. | 
Procedure
Enter system view.
system-view
Create a local key pair.
In non-FIPS mode:
public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]
In FIPS mode:
public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]