
Configuring an RSA/SM2 Key Pair

Context

Local certificates are signed and issued by the CA. A local certificate binds a public key to a PKI entity. Therefore, before applying for a local certificate, you must configure an RSA or SM2 key pair so that the entity has a public key and a private key. The PKI entity sends the public key to the CA, and peers use it to verify the entity's signatures and to encrypt data for the entity. The private key is kept by the PKI entity itself and never leaves it; the entity uses it to sign data and to decrypt ciphertext that peers encrypted with the public key.

You can configure an RSA/SM2 key pair using either of the following methods:

  • Create an RSA/SM2 key pair.

    You can directly create a key pair on the device, removing the need to import the key pair to the device memory.

  • Import an RSA/SM2 key pair.

    To use a key pair generated by another PKI entity, upload the key pair file to the device through FTP or SFTP and then import it into the device memory. Until it is imported, the key pair does not take effect on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run the following commands as required.
    • Create an RSA/SM2 key pair.

    • Import an RSA/SM2 key pair.

      • Run pki import rsa-key-pair key-name [ exclude-cert ] { pem | pkcs12 } file-name [ exportable ] [ password password ]

        The specified RSA key pair and certificate in the specified file are imported into the device memory.

      • Run pki import sm2-key-pair key-name { der file-name [ exportable ] | pem file-name [ exportable ] [ password password ] }

        Or run pki import sm2-key-pair key-name pem file-name [ exportable ] signkey key-name [ certificate certificate-name ]

        The specified SM2 key pair is imported into the device memory.

      The imported RSA/SM2 key pair can later be exported only if the exportable parameter is specified in the import command. If you omit it, the key pair cannot be retrieved from the device again, so keep the original key file if you need the same key pair on other devices.

      If the exclude-cert parameter is specified in the command, the certificate in the file is not imported into the device memory; only the key pair is.

      The password argument must be the same password that was used to encrypt the PEM or PKCS#12 file when it was exported or generated.

      Windows Server 2003 has low processing performance. When the device connects to a Windows Server 2003 CA, do not configure a large number of PKI entities on the device or use key pairs with a large modulus. Otherwise, the device may fail to connect to the server.

  3. (Optional) Back up RSA key pairs in a batch.

    In dual-system hot standby scenarios, RSA key pairs on the active and standby devices must be consistent to ensure that certificate services are running normally during an active/standby switchover. In this situation, RSA key pairs must be backed up in a batch.

    1. Run pki rsa local-key-pair match-slave [ all-sys ]

      The system checks whether RSA key pairs on the active and standby devices are consistent during dual-system hot standby.

      After this command is executed, the active device obtains all RSA key pairs on the standby device and compares them with local RSA key pairs. If they are different, perform the following step.

    2. Run pki rsa local-key-pair backup [ all-sys ]

      All RSA key pairs on the active device are backed up to the standby device in a batch. All RSA key pairs that existed on the standby device before the backup are destroyed and replaced by the copies from the active device.

      After a dual-system hot standby system is set up, the standby device synchronizes RSA key pairs and certificates from the active device, and any RSA key pairs and certificates created or modified on the standby device are cleared. Therefore, create and modify RSA key pairs and certificates on the active device only.

Follow-up Procedure

  • To back up RSA key pairs or use RSA key pairs on other devices, run the pki export rsa-key-pair key-name [ and-certificate certificate-name ] { pem file-name [ 3des | aes | des ] | pkcs12 file-name } password password command to export the specified RSA key pair to a file on the device. If and-certificate is specified, the associated certificate and its certificate chain are exported together with the key pair. Choose aes for the PEM encryption; des and 3des are legacy ciphers and offer much weaker protection for the exported private key. The exported file can then be downloaded from the device using FTP or SFTP.

  • To back up SM2 key pairs or use SM2 key pairs on other devices, run the pki export sm2-key-pair key-name { der file-name | pem file-name [ password password ] } command to export the specified SM2 key pair to a file on the device. Note that the der form carries the private key unencrypted, so prefer the pem form with a password. The exported file can then be downloaded from the device using FTP or SFTP.

  • When an RSA key pair is compromised, corrupted, lost, or no longer needed, run the pki rsa local-key-pair destroy key-name command to destroy the specified RSA key pair. Destroying the key pair does not revoke the certificate that was issued for it; request revocation from the CA separately if the private key was compromised.

    After this command is executed, the specified RSA key pair is deleted from the active device, and it is also deleted from the standby device.

  • When an SM2 key pair is compromised, corrupted, lost, or no longer needed, run the pki sm2 local-key-pair destroy key-name command to destroy the specified SM2 key pair. As with RSA, destroying the key pair does not revoke the corresponding certificate.

    After this command is executed, the specified SM2 key pair is deleted from the active device, and it is also deleted from the standby device.

  • To find the RSA key pair that corresponds to a certificate, run the pki match-rsa-key certificate-filename file-name command. The device searches its RSA key pairs for the one whose public key matches the public key in the specified certificate file.

  • To find the SM2 key pair that corresponds to a certificate, run the pki match-sm2-key certificate-filename file-name command. The device searches its SM2 key pairs for the one whose public key matches the public key in the specified certificate file.
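The import step in the procedure above consumes key files prepared elsewhere, and pki match-rsa-key checks a certificate against the key pairs on the device. The following added example (not from the Huawei page or its device software) shows the off-box side with OpenSSL: it generates an RSA key pair and certificate, writes the encrypted PEM and PKCS#12 files that pki import rsa-key-pair accepts, and checks whether a certificate belongs to a given private key by comparing public-key digests, the same test the device performs. The file names, the scratch directory, the password, and the self-signed certificate standing in for a CA-issued one are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Huawei page: prepare an RSA key pair and
# certificate off-box with OpenSSL in the formats that "pki import
# rsa-key-pair" accepts (encrypted PEM and PKCS#12), and check that a
# certificate belongs to a private key, the off-box counterpart of
# "pki match-rsa-key". File names and the scratch directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# gen_rsa_bundle PASSWORD FRIENDLY_NAME
# Creates rsa.key (clear PEM), rsa.crt (self-signed; stands in for the
# CA-issued certificate), rsa.enc.pem (AES-256 encrypted PEM) and rsa.p12
# (PKCS#12 holding key and certificate). PASSWORD is what the import
# command's "password" argument must repeat on the device.
gen_rsa_bundle() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rsa.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/rsa.key" -days 365 \
        -subj "/CN=example-entity" -out "$WORK/rsa.crt" 2>/dev/null
    # AES for the PEM: the page's export command also offers des/3des,
    # but those are legacy ciphers and should not be used for new files.
    openssl pkey -in "$WORK/rsa.key" -aes256 -passout "pass:$1" \
        -out "$WORK/rsa.enc.pem"
    openssl pkcs12 -export -inkey "$WORK/rsa.key" -in "$WORK/rsa.crt" \
        -name "$2" -passout "pass:$1" -out "$WORK/rsa.p12"
}

# match_key CERT KEY [PASSWORD]
# Prints "match" if the public key carried by CERT equals the public key
# derived from KEY, else "mismatch". Both sides are reduced to the SHA-256
# digest of the DER-encoded SubjectPublicKeyInfo, so PEM formatting
# differences do not matter. PASSWORD is needed only for an encrypted KEY.
match_key() {
    KEY_PW="${3:-}"
    export KEY_PW
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    if [ -n "$KEY_PW" ]; then
        key_pub=$(openssl pkey -in "$2" -passin env:KEY_PW -pubout -outform DER \
            | openssl dgst -sha256)
    else
        key_pub=$(openssl pkey -in "$2" -pubout -outform DER \
            | openssl dgst -sha256)
    fi
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# p12_has_key FILE PASSWORD
# Prints "yes" if the PKCS#12 file opens with PASSWORD and contains a
# private key, "no" otherwise (a wrong password fails the MAC check).
p12_has_key() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi
}
```

After running gen_rsa_bundle, upload rsa.p12 (or rsa.enc.pem) to the device with SFTP and import it with the command from the procedure, for example pki import rsa-key-pair entity-key pkcs12 rsa.p12 password followed by the same password; add exportable only if the key pair must be exported from the device again. Running match_key against the CA-issued certificate before the upload catches a certificate that was issued for a different key pair, which is the same condition pki match-rsa-key reports on the device. SM2 is not covered here because the OpenSSL command for SM2 key generation differs between versions.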

Copyright © Huawei Technologies Co., Ltd.