Public key management

Introduction

The public key management feature is used to manage and advertise keys of asymmetric key algorithms.

Asymmetric key algorithm overview

Asymmetric key algorithms are used by security applications to secure communications between two parties, as shown in Figure-1. Asymmetric key algorithms use two separate keys (one public and one private) for encryption and decryption. Symmetric key algorithms use only one key.

Figure-1 Encryption and decryption

A key owner can distribute the public key in plain text on the network but must keep the private key in privacy. It is mathematically infeasible to calculate the private key even if an attacker knows the algorithm and the public key.

Asymmetric key algorithms include Revest-Shamir-Adleman Algorithm (RSA), Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), and SM2.

Security applications (such as SSH, SSL, and PKI) use the asymmetric key algorithms for encryption/decryption and digital signature.

Managing local asymmetric key pairs

Creating a local key pair

On the local device, you can create RSA, DSA, ECDSA, and SM2 key pairs. You can select an encryption device for a SM2 key pair.

Importing a local key pair

On the device, you must import a local key pair from a key pair file. If the key pair to be imported is encrypted, you need to enter the key pair password to successfully import the key pair.

Displaying or exporting a host public key

On the device, you can display or export the local host public keys.

• Display a host public key. After the key is displayed on the local device, record the key, for example, copy it to an unformatted file. On the peer device, you must literally enter the key.

• Export a host public key to a file in the specified format. Transfer the file to the peer device. On the peer device, import the key from the file.

• Export a host public key to the monitor screen in the specified format, and then save it to a file. Transfer the file to the peer device. On the peer device, import the key from the file.

Destroying a local key pair

To ensure security, destroy the local key pair and generate a new key pair in any of the following situations:

• The local key has leaked. An intrusion event might occur.

• The storage media of the device fails or is replaced, so the device does not have the corresponding private key for decryption/encryption and digital signature.

• The local certificate has expired.

Managing peer host public keys

To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the peer device's public key on the local device. On the local device, you can import, display, and delete the host public key of the peer device.

You can configure the peer host public key by using the following methods:

• Import the peer host public key from a public key file (recommended).

  You must first obtain the public key file from the peer device through FTP or TFTP. After you import the key, the local device automatically converts the imported public key to a string in the Public Key Cryptography Standards (PKCS) format.

• Manually enter (type or copy) the peer host public key.

  You must first display the public key on the peer device and record the key. On the local device, you manually type or copy the key.

vSystem support information

Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.

Restrictions and guidelines

When you configure a peer host public key, follow these restrictions and guidelines:

• When you manually enter the peer host public key, make sure the entered key is in the correct format. To obtain the peer host public key in the correct format, display the public key on the peer device as described in "Displaying or exporting a host public key." The format of the public key displayed in any other way might be incorrect. If the key is not in the correct format, the system discards the key and displays an error message.

• Always import rather than enter the peer host public key if you are not sure whether the device supports the format of the recorded peer host public key.

Configure public key management

Configure a local key pair

Create a local key pair

On the local device, you can create RSA, DSA, ECDSA, and SM2 key pairs.

To create a local key pair, perform the following operations:

1. Click the Objects tab.

2. Select PublicKey Cert > Public Key Management > Local Key Pairs.

3. Click Create.

4. Create a local key pair.

   Figure-2 Local Key Pairs page

   

   Figure-3 Creating a local key pair

   

   Table-1 Configuration items for local key pair creation

   Item	Description
   Name	Specify a name for the local key pair to be generated.
   Algorithm	Specify an algorithm for the local key pair to be generated. Options include: RSA. DSA. ECDSA. SM2.
   Key length	Specify a key length for the local key pair to be generated. This field is available for only an RSA or DSA key pair. The longer the key length, the higher the security, and the longer the key generation time. When you create an SM2 key pair, you do not need to specify the key length. Only a 256-bit SM2 key pair can be created.
   Elliptic curve	Specify an elliptic curve for the local key pair to be generated. This field is available for only an ECDSA key pair. The elliptic curve determines the ECDSA key length. The longer the key length, the higher the security, and the longer the key generation time.
   Storage device	Select a storage device for the local key pair to be generated. This field is available when the algorithm is SM2.

5. Click Apply.

Import a local key pair

On the device, you can import a local key pair from a key pair file. If the key pair to be imported is encrypted, you must enter the key pair password to successfully import the key pair.

To import a local key pair, perform the following operations:

1. Click the Objects tab.

2. Select PublicKey Cert > Public Key Management > Local Key Pairs.

3. Click Import.

4. Import a local key pair.

   Figure-4 Local Key Pairs page

   

   Figure-5 Importing a local key pair

   

   Table-2 Configuration items for local key pair import

   Item	Description
   Name	Specify a name for the local key pair to be imported.
   Algorithm	Specify an algorithm for the local key pair to be imported. Options include: RSA. ECDSA. SM2.
   Import file	Select the key pair file storing the local key pair to be imported.
   Overwrite existing key pair	Specify whether to overwrite the existing key pair if the name of the key pair to be imported is the same as that of an existing key pair using the same key algorithm. The name of a key pair must be unique among all manually named key pairs that use the same key algorithm.
   Key pair password	If the key pair to be imported is encrypted, enter the key pair password to successfully import the key pair.

5. Click Apply.

Display or export a host public key

On the device, you can display or export the local host public keys.

• Display a host public key. After the key is displayed on the local device, record the key, for example, copy it to an unformatted file. On the peer device, you must literally enter the key.

• Export a host public key to a file in the specified format. Transfer the file to the peer device. On the peer device, import the key from the file.

• Export a host public key to the monitor screen in the specified format, and then save it to a file. Transfer the file to the peer device. On the peer device, import the key from the file.

To export a local key pair, perform the following operations:

1. Click the Objects tab.

2. Select PublicKey Cert > Public Key Management > Local Key Pairs.

3. Select the local key pair to be exported.

   Figure-6 Selecting the local key pair to be exported

   

4. Click Export.

5. Configure related parameters.

   Figure-7 Configuring related parameters for local key pair export

   

   Table-3 Configuration items for local key pair export

   Item	Description
   Name	Name of the local key pair to be exported.
   Algorithm	Algorithm of the local key pair to be exported. Options include: RSA. DSA. ECDSA. SM2.
   Export format	Select the export format for the local key pair. Options include OpenSSH, SSH1, and SSH2.
   Export to	Select the export destination for the local key pair. Options include File and Monitor screen.
   File name	Specify a name for the file storing the local key pair to be exported.
   Overwrite existing file	Specify whether to overwrite the existing file if the file name is the same as an existing one.

6. Click Apply.

Destroy a local key pair

To ensure security, destroy a local key pair and generate a new key pair in any of the following situations:

• The local key has leaked. An intrusion event might occur.

• The storage media of the device fails or is replaced, so the device does not have the corresponding private key for decryption/encryption and digital signature.

• The local certificate has expired.

To destroy a local key pair, perform the following operations:

1. Click the Objects tab.

2. Select Public Key Management > Local Key Pairs.

3. Click the Objects tab.

4. Select PublicKey Cert > Public Key Management > Local Key Pairs.

5. Select the local key pair to be deleted.

6. Click Delete.

7. Click Yes.

Configure a peer host public key

To encrypt information sent to a peer device or authenticate the digital signature of the peer device, you must configure the peer device's public key on the local device. On the local device, you can import, display, and delete the host public key of the peer device.

You can configure the peer host public key by using the following methods:

• Import the peer host public key from a public key file (recommended).

  You must first obtain the public key file from the peer device through FTP or TFTP. After you import the key, the local device automatically converts the imported public key to a string in the Public Key Cryptography Standards (PKCS) format.

• Manually enter (type or copy) the peer host public key.

  You must first display the public key on the peer device and record the key. On the local device, you manually type or copy the key.

Procedure

1. Click the Objects tab.

2. Select PublicKey Cert > Public Key Management > Peer Key Pairs.

3. Click Import.

4. Import a peer host public key.

   Figure-8 Peer Key Pairs page

   

   Figure-9 Importing a peer host public key

   

   Table-4 Configuration items for peer host public key import

   Item	Description
   Public key name	Specify a name for the peer host public key to be imported.
   Import method	Select the import method for the peer host public key. Options include Import peer public key from file and Type or copy peer public key.
   Import file	If you specify the import method as Import peer public key from file, you must select the file storing the peer host public key to be imported.
   Public key data	If you specify the import method as Type or copy peer public key, you must type the public key in this field or copy the public key to this field.

5. Click Apply.