pki export built-in-ca rsa-key-pair

Function

The pki export built-in-ca rsa-key-pair command exports the RSA key pair to the CF card or Hda1.

Format

pki export built-in-ca rsa-key-pair key-name [ and-certificate certname ] { pem file-name [ 3des | aes | des ] | pkcs12 file-name } password password

Parameters

Parameter: key-name
Description: Specifies the RSA key pair name.
Value: The value must be an existing RSA key pair name.

Parameter: and-certificate certname
Description: Indicates that the SSL decryption certificate is exported together with the associated RSA key pair.
Value: The value must be an existing SSL decryption certificate name.

Parameter: pem file-name
Description: Indicates that the RSA key pair to be exported is in the PEM format and specifies the name of the file to be exported.
Value: The value is a string of 1 to 64 case-insensitive characters without spaces and question marks (?).

Parameter: pkcs12 file-name
Description: Indicates that the RSA key pair to be exported is in the PKCS12 format and specifies the file name to be exported.
Value: The value is a string of 1 to 64 case-insensitive characters without spaces and question marks (?).

Parameter: 3des | aes | des
Description: Sets the encryption algorithm to AES, DES or 3DES if a file is exported in the PEM format. By default, AES is used.
NOTE: For security purposes, DES and 3DES algorithms are not recommended.
Value: -

Parameter: password password
Description: Specifies the password for the RSA key pair file. This password is used when you import an RSA key pair file.
Value: For security purposes, a password must meet the minimum strength requirements, that is, the password needs to contain at least three types of the following characters: uppercase letters, lowercase letters, numerals, and special characters, such as exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent signs (%).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to transfer or back up the RSA key pair. After the command is executed, a PEM or PKCS12 file containing the RSA key pair (and, if and-certificate is specified, the SSL decryption certificate) is generated on the device.

Before using this command, run the display pki rsa built-in-ca public command to view information about the RSA key pair of the SSL decryption certificate.

Prerequisites

The RSA key pair has been created for the SSL decryption certificate using the pki rsa built-in-ca command with the exportable parameter specified, or the RSA key pair of the SSL decryption certificate has been imported to the memory using the pki import built-in-ca rsa-key-pair command with the exportable parameter specified.

Precautions

An RSA key pair is sensitive information. Delete or destroy the exported RSA key pair from your device or storage device as soon as you no longer need it.

Example

# Export the RSA key pair key2 to the file aaa.pem and set the encryption method to AES.

<sysname> system-view
[sysname] pki rsa built-in-ca key2 create exportable
 Info: The name of the new key-pair will be: key2
 The size of the public key ranges from 2048 to 4096.
 Input the bits in the modules:2048
 Generating key-pairs...
.......+++ 
.............................+++  
[sysname] pki export built-in-ca rsa-key-pair key2 pem aaa.pem aes password Hello@123
 Warning: Exporting the key pair impose security risks, are you sure you want to
 export it? [y/n]:y                                                             
 Info: Succeeded in exporting the RSA key pair in PEM format. 
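
The following is an added example, not part of the original documentation: a workstation-side check that an exported PEM key file is encrypted and does not use DES or 3DES. It assumes the device writes the legacy OpenSSL-style PEM encryption headers (Proc-Type and DEK-Info); the function names and sample data are constructed for illustration.

```python
import re

# DEK-Info cipher names for DES and 3DES in legacy OpenSSL-style encrypted PEM.
WEAK_CIPHERS = {"DES-CBC", "DES-EDE3-CBC"}
KEY_BLOCK = re.compile(
    r"-----BEGIN ((?:RSA |ENCRYPTED )?PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def audit_pem(text):
    """Return (status, cipher) for the first private-key block; status is 'ok',
    'weak', 'unencrypted', 'malformed', 'no-key' or 'opaque' (PKCS#8, where
    the cipher sits inside the ASN.1 and is not inspected here)."""
    m = KEY_BLOCK.search(text)
    if not m:
        return ("no-key", None)
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":
        return ("opaque", None)
    headers = {}
    for line in body.splitlines():
        if ":" not in line:  # blank line or start of base64 ends the headers
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return ("unencrypted", None)
    cipher = headers.get("DEK-Info", "").split(",")[0].upper()
    if not cipher:
        return ("malformed", None)
    return ("weak" if cipher in WEAK_CIPHERS else "ok", cipher)

def make_sample(headers, label="RSA PRIVATE KEY"):
    """Build a constructed PEM block; the body is a placeholder, not a key."""
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}Y29uc3RydWN0ZWQ=\n-----END {label}-----\n"

# Constructed sample files (IVs are made up).
SAMPLES = {
    "sample-aes.pem": make_sample(
        ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"]),
    "sample-3des.pem": make_sample(
        ["Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0011223344556677"]),
    "sample-plain.pem": make_sample([]),
}

if __name__ == "__main__":
    for name, pem in SAMPLES.items():
        print(name, *audit_pem(pem))
```

A result of weak or unencrypted means the file should be re-exported with AES and the old copy destroyed.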
Copyright © Huawei Technologies Co., Ltd.