Introduction to digital certificate Certification Center

Source: Internet
Author: User

CA, also known as the digital certificate Certification Center, is a trusted third party in e-commerce transactions. It is dedicated to solving the legality of public keys in the public key system. The CA center issues a digital certificate to each user who uses the public key. The role of the digital certificate is to prove that the user name listed in the certificate corresponds to the public key listed in the certificate. The digital signature of the CA prevents the attacker from forging or tampering with the digital certificate. Of course, the CA center also needs a supporting RA (registry authority-Registration Authority) system. Next we will introduce the center and the Registration Center respectively:
1. Certification Center
The Certification Center (CA) can be organized according to a certain trust model, which is usually organized into a layered model. The existence of CA certification institutions at all levels forms a trust chain for the entire online information exchange. Each digital certificate is associated with a higher-level digital signature certificate, ultimately, the security chain traces back to a known and widely considered secure, authoritative, and trustworthy Organization-root certificate Center (Root CA ), that is, one ca can prove the legitimacy of another ca. For some cas, this is their only task. This authentication system layer certificates, and each certificate has the digital signature of the superior ca.
1. Composition of the Certification Center
(1) The signature and encryption server should have a digital signature from the certification authority for the digital certificate. For the revoked digital certificate, it should also have a digital signature from the certification authority. The signature and encryption server is used to receive requests from the certificate management server. According to the rules, the signature certificate and the CRL to be signed are digitally signed, and encryption/decryption operations on the Certificate Management Server are performed.
(2) Key Management Server the key management server connects to the signature and encryption server, generates keys, revokes keys, restores keys, and queries keys according to configuration.
(3) The certificate management server controls the generation and cancellation of certificates. Maintain the certificate library, void certificate library, Certificate Status library, and other related databases. The Certificate Management Server is the core of certificate generation and cancellation.
(4) certificate publishing and CRL server certificate publishing servers are used to publish certificate information at a certain interval, which can be implemented through web server and LDAP, server provides services such as certificate download and CRL download.
(5) Online Certificate Status query server certificate users always want to know the latest status of a certificate, which is completed by the service provided by the online certificate status query server to query the Certificate Status in real time.
(6) Web servers are used to publish certificates and publish data authentication system policies.
2. Implementation of certification center functions
(1) After the certificate is issued through the initial identity authentication of the Registration Center, the Registration Center submits the user application to the authentication center, the certification center inserts additional information and sets fields in the certificate according to the issuing rules defined in certificate operation management specifications, and uses different methods to return the certificate to the user (for example, by email)
(2) The certificate update includes two aspects: one is that the user certificate has expired or the certificate-related key has reached its valid end point, or some attributes of the certificate have been changed, this requires updating the user certificate. Second, the CA certificate also has the above problems, so the CA root certificate also needs to be updated.
(3) In certain circumstances, the validity of a certificate requires that the certificate be terminated before the end date of the certificate or that the certificate must be withdrawn when the certificate is separated from the private key. For example, if the signatory status changes, the certificate information may have been modified, and the user-related private key may be leaked in some way. In most cases, the Ca publishes the changed Certificate Status mechanism as a Certificate Revocation List (CRL ). CRL includes the serial number and withdrawal date of the certificate that has been revoked, and the status that indicates the reason for revocation.
(4) The certificate verification includes the following content. First, whether the certificate contains a valid Digital Signature proves that the certificate content has not been modified. The second is whether the issuer's public key can verify the digital signature on the certificate to confirm whether the data comes from the real data sender. Third, whether the current certificate is within the validity period of the certificate. The fourth is whether the certificate is used for the purpose of distributing it initially. 5. Check the Certificate Revocation List CRL to verify whether the certificate is revoked.

2. Registration Center
The Registration Center is a digital certificate registrar. The RA system is an extension of CA's certificate issuance and management. It is responsible for information entry and review of certificate applicants. At the same time, it completes corresponding management functions for issued certificates. Generally, the Registry controls the exchange of subjects, final entities, and PKI during registration, certificate transfer, and other key and certificate lifecycle management processes, however, Ra does not initiate a trusted statement about the subject in any environment.
1. RA Functions
(1) Individual authentication of the subject Registration Certificate
(2) confirm the validity of the information provided by the subject
(3) Rights to determine the subject for the requested certificate attributes
(4) Confirm that the subject does have the Registered Private Key
(5) report key disclosure or termination events when withdrawal is required
(6) assign a name for the purpose of Identity Recognition
(7) generate sharing secrets during registration initialization and certificate obtaining
(8) generate a public/private key pair
(9) The registration process starts on behalf of the final entity of the Certification Body
(10) Private Key Archiving
(11) Start key recovery
(12) Distribution of physical ring networks (such as smart cards) that contain private keys
2. Simple registration process based on Web browsers
(1) access a URL to get a Web page, which provides an input form for the applicant to specify Registration Information
(2) A program at a certain place on the page is used to generate a public/private key pair. An input field usually appears, asking the applicant to select the key length (3) after entering the information, submit the form, the system automatically constructs a prime number to enable the browser to generate a key pair.
(4) After the key pair is generated, the private key is stored in a local application key storage area. If the key storage area is constructed for the first time, the applicant is usually prompted to enter a password, use this password to construct a symmetric key for encryption or decryption of the key store
(5) when the key is generated, the Public Key is sent to the Web server interface of the Registry together with the information in the registration form. In some cases, the applicant must prove that the applicant has a private key at this time, which can be proved by a digital signature on the registration application. RA verifies the signature upon receiving the application.
(6) The Registry checks the application information and starts to verify the identity information provided by the user.
(7) When the Certificate Server receives a request from Ra, it inserts additional information in the certificate and sets fields according to the issuing rules defined in certificate operation management specifications.
(8) The generated certificate is returned to the user. The returned method varies depending on the specific implementation of Ca and the requirements of CPS.
(9) When a user clicks a URL, the certificate is downloaded to the browser.
(10) When the browser finds that the certificate is loaded, it stores the returned certificate and the previously generated private key in the key storage area.

References: PKI principles and technology, edited by Xie dongleng Jian, Tsinghua University Press

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.