CN108667781A - Digital certificate management method and device - Google Patents


Publication number
CN108667781A
Authority
CN (China)
Prior art keywords
digital certificate, equipment, data, certificate, encryption
Legal status
Pending
Application number
CN201710211790.1A
Other languages
Chinese (zh)
Inventor
王月辉
张变玲
铁满霞
赖晓龙
李琴
童伟刚
张国强
杜志强
颜湘
Current Assignee
China Iwncomm Co Ltd
Original Assignee
China Iwncomm Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Abstract

The present invention provides a digital certificate management method and device. The method includes: a digital certificate applicant device sends a digital certificate management request message to a digital certificate issuing device, the certificate request data carried in the digital certificate management request message having been encrypted with a data session key, where the data session key is a pre-shared key between the digital certificate applicant device and the digital certificate issuing device; the digital certificate issuing device receives the digital certificate management request message and sends a digital certificate management response message to the digital certificate applicant device; the digital certificate applicant device receives and processes the digital certificate management response message and obtains a processing result. The present invention can effectively improve the security of digital certificate management.

Description

Digital certificate management method and device
Technical field
The present invention relates to the technical field of network security, and in particular to a digital certificate management method and device.
Background technology
With the development of network security technology, ensuring the confidentiality and integrity of information transmitted over networks has become an important research topic. A digital certificate is a means of verifying the identity of a network communication entity; digital certificate technology can be used for data encryption, identity authentication and the like. A digital certificate is usually issued by a digital certificate issuing device to a digital certificate applicant device and can be used to identify the applicant device.
In the prior art there is a method for automatically applying for digital certificates, used for the application, update and issuance of digital certificates in a wireless local area network (WLAN). In that method, the digital certificate applicant device sends a message over the WLAN to the digital certificate issuing device notifying it of the digital certificate generation methods it supports, so that the issuing device can generate a new digital certificate. The messages exchanged between the applicant device and the issuing device are transmitted in plaintext; the two sides only perform an integrity check on the messages to determine that they have not been tampered with. This approach can only guarantee the integrity and authenticity of the data; it cannot effectively protect the confidentiality of the data. In particular, if the applicant device and the issuing device exchange data over other kinds of network, the plaintext transmission leaves this approach with the defect of low security.
Summary of the invention
The present invention provides a digital certificate management method and device that encrypt the data transmitted between a digital certificate applicant device and a digital certificate issuing device, effectively improving the security of digital certificate management.
To this end, the present invention provides the following technical solutions:
In a first aspect, the present invention provides a digital certificate management method, including: a digital certificate applicant device sends a digital certificate management request message to a digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, where the data session key is a pre-shared key between the digital certificate applicant device and the digital certificate issuing device; the digital certificate issuing device receives the digital certificate management request message and sends a digital certificate management response message to the digital certificate applicant device; the digital certificate applicant device receives and processes the digital certificate management response message and obtains a processing result.
In a second aspect, the present invention provides a digital certificate applicant device, including: a sending unit, for sending a digital certificate management request message to a digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, where the data session key is a pre-shared key between the digital certificate applicant device and the digital certificate issuing device; an encryption unit, for encrypting the certificate request data carried in the digital certificate management message with the data session key; a receiving unit, for receiving the digital certificate management response message sent by the digital certificate issuing device; and a processing unit, for processing the digital certificate management response message to obtain a processing result.
In a third aspect, the present invention provides a device for applying for digital certificates, including a memory and one or more programs, where the one or more programs are stored in the memory and are configured to be executed by one or more processors, and the one or more programs include instructions for performing the following operations: sending a digital certificate management request message to a digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, where the data session key is a pre-shared key between the digital certificate applicant device and the digital certificate issuing device; receiving the digital certificate management response message sent by the digital certificate issuing device; and processing the digital certificate management response message to obtain a processing result.
In a fourth aspect, the present invention provides a digital certificate issuing device, including: a receiving unit, for receiving the digital certificate management request message sent by a digital certificate applicant device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, where the data session key is a pre-shared key between the digital certificate applicant device and the digital certificate issuing device; a processing unit, for processing the digital certificate management request message and generating a digital certificate management response message; and a sending unit, for sending the digital certificate management response message to the digital certificate applicant device.
In a fifth aspect, the present invention provides a device for issuing digital certificates, including a memory and one or more programs, where the one or more programs are stored in the memory and are configured to be executed by one or more processors, and the one or more programs include instructions for performing the following operations: receiving the digital certificate management request message sent by a digital certificate applicant device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, where the data session key is a pre-shared key between the digital certificate applicant device and the digital certificate issuing device; processing the digital certificate management request message and generating a digital certificate management response message; and sending the digital certificate management response message to the digital certificate applicant device.
In the digital certificate management method and device provided by the present invention, the messages exchanged between the digital certificate applicant device and the digital certificate issuing device can be encrypted; for example, the certificate request data carried in the digital certificate management request message are encrypted with a data session key. Because the transmitted certificate request data are encrypted, the security of data transmission is effectively improved, and the method is applicable to automatic application, query, update, revocation and revocation-list retrieval of digital certificates in many different kinds of scenario.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some of the embodiments recorded in the present invention; persons of ordinary skill in the art may obtain other drawings from these drawings without creative effort.
Fig. 1 is an exemplary application scenario to which embodiments of the present invention may be applied;
Fig. 2 is a flowchart of a digital certificate management method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of a digital certificate management method provided by another embodiment of the present invention;
Fig. 4 is a schematic diagram of negotiating and establishing a secure data channel according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the message contents in the method for automatic application, query, update and issuance of digital certificates provided by an embodiment of the present invention;
Fig. 6 is a block diagram of a digital certificate applicant device according to an exemplary embodiment;
Fig. 7 is a block diagram of a device for applying for digital certificates according to another exemplary embodiment;
Fig. 8 is a block diagram of a digital certificate issuing device according to an exemplary embodiment;
Fig. 9 is a block diagram of a device for issuing digital certificates according to another exemplary embodiment.
Detailed description of embodiments
The present invention provides a digital certificate management method and device that encrypt the data transmitted between a digital certificate applicant device and a digital certificate issuing device, effectively improving the security of digital certificate management.
To help those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, which shows an exemplary application scenario of embodiments of the present invention. The method and device provided by the embodiments can be applied to the scenario shown in Fig. 1, in which the digital certificate applicant device and the digital certificate issuing device are connected through a network; the connection may be any kind of wired and/or wireless connection (for example WLAN, LAN, cellular, coaxial cable and so on). Taking Fig. 1 as an example, the digital certificate applicant device includes, but is not limited to, smartphones, non-smart mobile phones, tablet computers, laptop personal computers, desktop personal computers, minicomputers, midrange computers, mainframe computers and the like, whether existing, under development or developed in the future. The digital certificate applicant device can apply for, download and update certificates from the digital certificate issuing device (for example the CA server of a certificate issuing centre) over whatever kind of network it uses. It should be noted that the embodiments of the present invention can be applied in all industries, such as wireless operator networks, aviation, transportation, electric power, broadcasting and television, finance, medical care, education, industry and commerce. Of course, the above application scenario is shown only to aid understanding of the present invention; embodiments of the present invention are not limited in this respect and can be applied to any applicable scenario.
The digital certificate management method shown in the exemplary embodiments of the present invention is introduced below with reference to Figs. 2 to 5.
Referring to Fig. 2, a flowchart of the digital certificate management method provided by an embodiment of the present invention. As shown in Fig. 2, the method may include:
S201: the digital certificate applicant device sends a digital certificate management request message to the digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, where the data session key is a pre-shared key between the digital certificate applicant device and the digital certificate issuing device.
In some embodiments, the certificate request data carried in the digital certificate management request message can be encrypted with the data session key. The present invention does not limit the data session key: the data session key may be a pre-shared key between the digital certificate applicant device and the digital certificate issuing device, and optionally an authorization code shared between the applicant device and the issuing device may be used as the pre-shared key.
In a specific implementation, the digital certificate applicant can request from the digital certificate issuer an authorization code for downloading a digital certificate. The digital certificate applicant may for example be the digital certificate applicant device, and the digital certificate issuer may for example be the digital certificate issuing device. The present invention does not limit the specific way in which the authorization code is requested; for example, the applicant may request the authorization code from the issuer by SMS, e-mail, a dedicated request message or similar means. The issuer can deliver the authorization code to the applicant in some manner, for example by SMS, e-mail, a dedicated message or similar means. Usually the authorization code is generated by the digital certificate issuer itself. It may be generated on demand when the applicant requests it, or generated in advance and kept ready for use; in form it may be a combination of letters and/or digits and/or symbols; it is subject to a length requirement; and it has a period of validity, after which it expires. In use, the authorization codes the issuer assigns to different applicants are different.
In other embodiments, before the digital certificate applicant device sends the digital certificate management request message to the digital certificate issuing device, the method further includes: the digital certificate applicant device uses the authorization code it obtained to negotiate with the digital certificate issuing device and establish a secure data channel, generating a security key, where the security key includes a data communication key.
While establishing the secure data channel, the digital certificate applicant device can use the authorization code to generate the security key. The security key may include one or more keys, and those keys include a data communication key. The data communication key is used to encrypt the messages transmitted in the secure data channel between the applicant device and the issuing device. It should be noted that the security key can be generated on both the applicant side and the issuer side, so that messages can be encrypted and decrypted at both ends.
When a secure data channel exists, not only can the certificate request data be encrypted with the data session key using the encryption algorithm identified by an encryption algorithm identifier, but, when messages are transmitted through the secure data channel, the transmitted digital certificate management request message can also be encrypted with the data communication key. In this way the certificate request data are given confidentiality protection twice. The data session key can be used to encrypt the certificate request data and/or the certificate response data, where the certificate request data are the data carried in the digital certificate management request message and the certificate response data are the data carried in the digital certificate management response message.
It should be noted that, for security reasons, the keys used for the two encryptions (that is, the data communication key and the data session key) are different. The digital certificate applicant device and the digital certificate issuing device can agree in advance on the number of encryptions, the encryption algorithm, and the type of key used for each encryption (data communication key or data session key).
In some embodiments, the certificate request data carried in the digital certificate management request message include certificate request information, a signature algorithm identifier and a signature value.
The certificate request information may include: certificate version information, certificate holder information, the public key information corresponding to the certificate holder, and extensions. These information elements are concise and meet the basic requirements of a certificate. The signature value is the value obtained when the digital certificate applicant device, after locally generating a public/private key pair, computes a signature over the certificate request information with the private key using the signature algorithm identified by the signature algorithm identifier. The digital certificate issuing device verifies the signature against the holder's public key information in the certificate request information and then judges whether the public/private key pair belongs to the applicant device. The signature algorithm identifier and signature value thus allow verification that the key pair belongs to that entity.
In other embodiments, the certificate request information in the certificate request data can also include more complete information: a serial number, an issuer name and a validity period. This information can extend the certificate issuing function, for example when the applicant requires certain specific information of the certificate to be constrained. In this case the certificate request data can be encrypted; specifically, the certificate request data are the data obtained when the applicant device encrypts the certificate request information, the signature algorithm identifier and the signature value with the data session key. Further, if the applicant device and/or the issuing device support two or more encryption algorithms, the certificate request data should also include an encryption algorithm identifier; correspondingly, the certificate request data then consist of the encryption algorithm identifier together with the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm identified by that identifier. This certificate request data structure has more complete elements and wider uses: while the key pair of the entity is verified, the certificate request data are also given confidentiality protection. Moreover, using this structure when a secure data channel exists provides confidentiality protection for the certificate request data twice, further improving the security of data transmission.
S202: the digital certificate issuing device receives the digital certificate management request message and sends a digital certificate management response message to the digital certificate applicant device.
Correspondingly, after receiving the digital certificate management request message, the digital certificate issuing device processes the data carried in the request message and sends a digital certificate management response message to the applicant device. Specifically, because the certificate request data carried in the digital certificate management request message are encrypted with the data session key, the issuing device first decrypts the request message with the corresponding data session key after receiving it, then processes the data carried in the message and sends the digital certificate management response message to the applicant device.
It should be noted that the certificate response data carried in the digital certificate management response message can be plaintext or can be encrypted with the data session key.
Further, when the applicant device has used the authorization code it obtained to negotiate with the issuing device, establish a secure data channel and generate a security key, the issuing device can send the digital certificate management response message to the applicant device through the secure data channel, the digital certificate response message being encrypted with the data communication key.
In a specific implementation, depending on whether the certificate request data and/or the certificate response data are encrypted, the following implementation modes are possible:
(1) The certificate request data are encrypted with the data session key, and the certificate response data are plaintext. In this mode only the certificate request data are encrypted, once; the certificate response data are transmitted in plaintext.
(2) The certificate request data are encrypted with the data session key, and the certificate response data are also encrypted with the data session key; the data session key and encryption method used for the request data and for the response data are the same. In this mode both the certificate request data and the certificate response data are encrypted once with the data session key.
(3) The certificate request data are encrypted a first time with the data session key, and the digital certificate management request message is encrypted a second time with the data communication key of the secure data channel. The certificate response data are plaintext, and the digital certificate management response message is encrypted once with the data communication key of the secure data channel. In this mode the digital certificate management request message is encrypted twice and the certificate management response message once.
(4) The certificate request data and the certificate response data are encrypted a first time with the data session key, and the digital certificate management request message and the digital certificate management response message are encrypted a second time with the data communication key of the secure data channel. In this mode both the digital certificate management request message and the certificate management response message are encrypted twice.
The present invention does not limit the specific encryption mode; the digital certificate applicant device and the digital certificate issuing device can agree in advance on the number of encryptions, the encryption algorithm, and the type of key (data communication key or data session key) used for each encryption.
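The request path of S201 and S202, with the layering of implementation modes (3) and (4), as an added example that is not part of the patent and not code from China Iwncomm: the applicant generates a key pair, signs the certificate request information, encrypts the triple (request information, signature algorithm identifier, signature value) with the data session key and, when a secure data channel exists, encrypts the whole message again with the data communication key; the issuer strips the layers in reverse order and verifies the signature with the public key carried inside the request information. Ed25519 for the signature, AES-256-GCM for each encryption layer, and HMAC-SHA256 for deriving both keys from the pre-shared authorization code are assumptions of this example; the patent names no algorithms and does not specify how the security key is derived. The response direction of S203 mirrors this with the roles swapped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// certificateRequestInfo holds the elements the patent lists: version, holder, holder public key.
type certificateRequestInfo struct {
	Version   int
	Holder    string
	PublicKey []byte
}

// certificateRequestData is the triple the patent describes: request information, signature algorithm identifier, signature value.
type certificateRequestData struct {
	Info   certificateRequestInfo
	SigAlg string
	Sig    []byte
}

// deriveAEAD derives a 256-bit key from the pre-shared authorization code under a label and wraps it in AES-256-GCM.
// Distinct labels keep the data session key and the data communication key different, as the patent requires; HMAC-SHA256 as KDF is this example's assumption.
func deriveAEAD(authCode, label string) cipher.AEAD {
	m := hmac.New(sha256.New, []byte(authCode))
	m.Write([]byte(label))
	block, err := aes.NewCipher(m.Sum(nil))
	if err != nil {
		panic(err) // a 32-byte key is always valid for AES-256
	}
	g, _ := cipher.NewGCM(block) // AES has a 128-bit block, so GCM construction cannot fail
	return g
}

// seal encrypts and authenticates one layer, prefixing a fresh random nonce.
func seal(g cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open removes one layer; a modified or wrongly keyed message fails the GCM tag check.
func open(g cipher.AEAD, sealed []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// buildRequest is the applicant side of S201: generate a key pair, sign the request information, encrypt under the
// data session key and, over a secure data channel, again under the data communication key (modes (3) and (4)).
func buildRequest(authCode, holder string, secureChannel bool) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	info := certificateRequestInfo{Version: 3, Holder: holder, PublicKey: pub}
	infoBytes, _ := json.Marshal(info)
	req := certificateRequestData{Info: info, SigAlg: "Ed25519", Sig: ed25519.Sign(priv, infoBytes)}
	plain, _ := json.Marshal(req)
	msg := seal(deriveAEAD(authCode, "data-session-key"), plain)
	if secureChannel {
		msg = seal(deriveAEAD(authCode, "data-communication-key"), msg)
	}
	return msg, nil
}

// handleRequest is the issuer side of S202: strip the layers in reverse order, then verify that
// the signature was made with the private key matching the public key inside the request.
func handleRequest(authCode string, msg []byte, secureChannel bool) (string, error) {
	var err error
	if secureChannel {
		msg, err = open(deriveAEAD(authCode, "data-communication-key"), msg)
	}
	if err == nil {
		msg, err = open(deriveAEAD(authCode, "data-session-key"), msg)
	}
	var req certificateRequestData
	if err == nil {
		err = json.Unmarshal(msg, &req)
	}
	if err != nil {
		return "", err
	}
	infoBytes, _ := json.Marshal(req.Info)
	if req.SigAlg != "Ed25519" || len(req.Info.PublicKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(req.Info.PublicKey), infoBytes, req.Sig) {
		return "", errors.New("proof of possession failed")
	}
	return req.Info.Holder, nil
}
```

Pass secureChannel as false for modes (1) and (2) and as true for modes (3) and (4). Because each layer is an authenticated encryption, a request sealed under one derived key does not open under the other, which is the practical meaning of the requirement that the two keys differ; the issuer therefore cannot be tricked into treating a single-layer message as a double-layer one.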
In a specific implementation, the present invention does not limit the messages exchanged between the digital certificate applicant device and the digital certificate issuing device or the manner of their exchange; as long as the above information exchange is achieved so as to realize automatic application, query, update and issuance of digital certificates, it falls within the scope of protection of the present invention. In some embodiments, the digital certificate management request message may be of types such as digital certificate request information, digital certificate retrieval information, digital certificate revocation information and digital certificate revocation list information, and the digital certificate management response message includes digital certificate response information.
S203, applying digital certificate equipment receive and process the digital certificate management response message, obtain handling result.
When specific implementation, applying digital certificate equipment carries out checking treatment to digital certificate management response message, and acquisition disappears Content is ceased, and determines the digital certificate used according to demand, carries out the processing such as installation, the update of digital certificate.When the number When the encrypted processing of certificate management response message, applying digital certificate equipment needs to demonstrate,prove the number using data communication key Book managing response message is decrypted.When the certificate response data that the digital certificate management response message carries are encrypted When processing, applying digital certificate equipment also needs to that place is decrypted using certificate response data described in the data session key pair Reason.
The method further includes:
S204: the digital certificate applying device generates a digital certificate management confirmation message and sends it to the digital certificate issuing device.
In specific implementation, when the applying device has used the obtained authorization code to negotiate a secure data channel with the issuing device and generate a security key, the applying device may also send the digital certificate management confirmation message to the issuing device over that secure data channel, the confirmation message being encrypted with the data communication key.
S205: the digital certificate issuing device receives and processes the digital certificate management confirmation message.
In this embodiment of the invention, during the message exchange between the applying device and the issuing device, the certificate request data carried in the digital certificate management request message is encrypted with the data session key, which effectively improves the security of data transmission; the method is applicable to automatic application, query, update and revocation of digital certificates and to revocation list retrieval in a variety of scenario types.
To help those skilled in the art understand the embodiments of the invention under a concrete scenario, the embodiments are introduced below with a specific example. It should be noted that the specific example only serves to make the invention clearer to those skilled in the art, and that the embodiments of the invention are not limited to it. It should also be noted that the following embodiment takes as its example a digital certificate management request message that is encrypted twice; those skilled in the art can obtain other implementations of the invention on the basis of this embodiment.
Referring to Fig. 3, a flowchart of the digital certificate management method provided by another embodiment of the invention. As shown in Fig. 3, the method may include the following steps:
S301: the digital certificate applying device obtains an authorization code.
In specific implementation, the applying device requests from the issuing device an authorization code for downloading a digital certificate, and obtains the authorization code sent by the issuing device.
S302: the applying device uses the obtained authorization code to negotiate with the issuing device, establishes a secure data channel and generates a security key. Here, the data session key is a pre-shared key between the applying device and the issuing device.
In specific implementation, to ensure the security of information transmission while the digital certificate is being issued, a secure data channel may be negotiated between the applying device and the issuing device. Optionally, the applying device may use the obtained authorization code to negotiate the secure data channel with the issuing device and generate the security key.
The invention does not limit how the secure data channel is established, as long as the authorization code can be used to generate a shared security key for data transmission. In specific implementation, the secure data channel may be established as follows:
S302A: the applying device and the issuing device perform secure data channel negotiation.
S302B: the applying device and the issuing device generate the security key of the secure data channel from the authorization code and the random numbers and identity information obtained during the negotiation.
Here, the security key includes a data communication key, which the applying device and the issuing device use to encrypt the messages they exchange over the secure data channel.
S302C: the applying device and the issuing device verify the secure channel confirmation message by means of an integrity check code.
Specific implementation may refer to the schematic diagram of secure data channel negotiation and establishment shown in Fig. 4. Specifically, the applying device negotiates the secure data channel with the issuing device as follows: the applying device sends a first random number and first identity information to the issuing device, and receives a second random number and second identity information sent by the issuing device. The first random number is generated randomly by the applying device, and the first identity information may be the identity of the applying device, such as an IP address, a MAC address, an e-mail address, a domain name string or an international mobile subscriber identity (IMSI). The second random number is generated randomly by the issuing device, and the second identity information may be the identity of the issuing device, likewise an IP address, a MAC address, an e-mail address, a domain name string or an IMSI. The exchange of random numbers and identity information may be initiated by the applying device or by the issuing device; the invention does not limit the specific interaction mode.
In some embodiments, generating the security key of the secure data channel from the authorization code and the random numbers and identity information obtained during the negotiation includes: the applying device and the issuing device generate the security key from the authorization code, the first random number, the first identity information, the second random number and the second identity information. It should be noted that the security key generated on the applying device side is identical to the one generated on the issuing device side. The security key may comprise one or more groups of keys; for example, it may include a data communication key for data transmission and may also include an integrity check key for integrity checking.
In some embodiments, the security key further includes an integrity check key, and the key confirmation of the secure data channel by integrity check code includes: the applying device and the issuing device generate an integrity check code from the random numbers and the integrity check key, and verify the secure channel confirmation message with that integrity check code.
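The negotiation of S302A to S302C, worked through as an added example (not code from the patent or its assignee): both devices derive the same security key from the authorization code, the two random numbers and the two identities, split it into the data communication key and the integrity check key, and the applying device verifies the secure channel confirmation message with the integrity check code. The HMAC-SHA256 extract-then-expand derivation, the length-prefixed field encoding, the 32-byte key sizes and the contents of the confirmation message are assumptions; the patent fixes none of them. Mismatched authorization codes leave the two sides with different keys, so the confirmation check fails, which is the check a practitioner wants to see before any CertReq is sent.

```python
"""Added example: secure data channel key negotiation (S302A-S302C).
KDF, encoding and key sizes are assumptions; the patent names none."""
import hashlib
import hmac
import secrets


def _encode(*fields):
    """Length-prefix each field so that concatenation is unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_security_key(auth_code, rand1, id1, rand2, id2):
    """S302B: both devices compute the same security key from the authorization
    code, the two random numbers and the two identities.  Returns
    (data communication key, integrity check key), 32 bytes each.
    Extract-then-expand with HMAC-SHA256 is an assumed KDF."""
    prk = hmac.new(_encode(rand1, rand2), _encode(auth_code, id1, id2),
                   hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in (1, 2):
        block = hmac.new(prk, block + b"secure data channel" + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
    return okm[:32], okm[32:64]


def integrity_check_code(check_key, rand1, rand2, confirm_msg):
    """S302C: integrity check code over both random numbers and the
    channel confirmation message, keyed with the integrity check key."""
    return hmac.new(check_key, _encode(rand1, rand2, confirm_msg),
                    hashlib.sha256).digest()


def negotiate_channel(auth_code_applicant, auth_code_issuer, rand1, id1, rand2, id2):
    """Simulates both devices.  rand1/id1 belong to the applying device,
    rand2/id2 to the issuing device.  Each side only knows its own copy of
    the authorization code; the codes match in the honest case."""
    # S302A: after the exchange both sides hold (rand1, id1, rand2, id2).
    # S302B: each side derives the security key locally.
    app_comm, app_check = derive_security_key(auth_code_applicant, rand1, id1, rand2, id2)
    iss_comm, iss_check = derive_security_key(auth_code_issuer, rand1, id1, rand2, id2)
    # S302C: the issuing device sends a confirmation message plus its check
    # code; the applying device recomputes the code with its own key.
    confirm_msg = b"secure channel confirm"          # constructed contents
    sent_code = integrity_check_code(iss_check, rand1, rand2, confirm_msg)
    expected = integrity_check_code(app_check, rand1, rand2, confirm_msg)
    confirmed = hmac.compare_digest(sent_code, expected)
    return {
        "applicant_comm_key": app_comm,
        "issuer_comm_key": iss_comm,
        "confirmed": confirmed,
    }


if __name__ == "__main__":
    r1, r2 = secrets.token_bytes(16), secrets.token_bytes(16)
    result = negotiate_channel(b"AUTH-CODE", b"AUTH-CODE",
                               r1, b"10.0.0.5", r2, b"ca.example")
    print("channel confirmed:", result["confirmed"])
```

Only the device that holds the correct authorization code can produce a confirmation that verifies, so a wrong or replayed code is caught at S302C rather than after certificate data has already been sent.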
S303: the applying device sends the digital certificate management request message to the issuing device over the secure data channel; the request message is encrypted with the data communication key.
In specific implementation, the applying device first encrypts the certificate request data carried in the request message with the data session key. The certificate request data includes certificate request information, a signature algorithm identifier and a signature value. The certificate request information may include a version, the holder name, the holder's public key information, extensions, a serial number, the issuer name and a validity period. When the applying device and/or the issuing device supports two or more encryption algorithms, the certificate request data carried in the request message further includes an encryption algorithm identifier; specifically, the certificate request data then consists of the encryption algorithm identifier together with the data obtained by encrypting the certificate request information, signature algorithm identifier and signature value with the data session key under the encryption algorithm that the identifier designates.
At transmission time, the applying device sends the certificate management request message to the issuing device through the secure data channel, which protects its confidentiality. At this point the digital certificate management request message has been encrypted a second time, with the data communication key.
If the applying device does not yet hold a digital certificate issued by the issuing device, the certificate management request message carries the certificate information that the newly applied-for digital certificate should contain. If the applying device already holds a digital certificate issued by the issuing device, the request message it sends carries the information of the existing digital certificate, so that the issuing device can query and update the certificate.
In some embodiments, the digital certificate management request message may be of types such as digital certificate application information, digital certificate acquisition information, digital certificate revocation information and digital certificate revocation list information. In specific implementation, the digital certificate application information, certificate revocation information, certificate acquisition information and certificate revocation list information may take, but are not limited to, the form shown in Table 1.
Table 1: Information types of the digital certificate management request message

Types value   Meaning (information type)
2             Certificate application information
4             Certificate acquisition information
5             Certificate revocation information
6             Certificate revocation list information

For example, when the type value of the digital certificate management request message is 2, the message is certificate application information, used to apply for a new digital certificate. When the type value is 4, the message is certificate acquisition information, used to query or update an existing digital certificate. When the type value is 5, the message is certificate revocation information, used to revoke an existing digital certificate. When the type value is 6, the message is certificate revocation list information, used to request a certificate revocation list.
In specific implementation, the field format of the certificate application information may take, but is not limited to, the form shown in Table 2.
Table 2: Certificate application information
Certificate generation mode    Certificate request data
In specific implementation, the field format of the certificate acquisition information may take, but is not limited to, the form shown in Table 3.
Table 3: Certificate acquisition information
Issuing device name    Serial number
In specific implementation, the field format of the certificate revocation information may take, but is not limited to, the form shown in Table 4.
Table 4: Certificate revocation information
Issuing device name    Serial number    Revocation reason
In specific implementation, the field format of the certificate revocation list information may take, but is not limited to, the form shown in Table 5.
Table 5: Certificate revocation list information
Issuing device name
S304: the applying device receives, over the secure data channel, the digital certificate management response message sent by the issuing device.
In specific implementation, the certificate response data carried in the response message may be plaintext or data encrypted with the data session key. If it is encrypted with the data session key, the certificate response data uses the same data session key and the same encryption mode as the certificate request data.
Further, the issuing device sends the digital certificate management response message to the applying device through the secure data channel, which protects its confidentiality; that is, the response message is encrypted with the data communication key of the secure data channel.
For example, if the certificate request data carried in the digital certificate management request message was encrypted with the data session key before transmission, and the message was then encrypted a second time with the data communication key when transmitted over the secure data channel, the digital certificate management response message may likewise first have its certificate response data encrypted with the data session key before transmission, and then be encrypted a second time with the data communication key. Further, if the applying device and/or the issuing device supports two or more encryption algorithms, the certificate response data should also include an encryption algorithm identifier; correspondingly, the certificate response data consists of the encryption algorithm identifier together with the data obtained by encrypting the certificate response data with the data session key under the encryption algorithm that the identifier designates.
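The two encryption layers described above for CertReq and CertRes, as an added example that is not part of the patent text: the certificate data is first encrypted with the pre-shared data session key and prefixed with an encryption algorithm identifier, then the whole management message is encrypted with the negotiated data communication key of the secure data channel. The cipher is a stand-in built from HMAC-SHA256 (a keystream plus a tag) so the example needs only the standard library; the identifier table, the message framing and the byte-string inputs are constructed assumptions, and a deployment would put a real authenticated cipher (AES-GCM, or SM4 in an authenticated mode) behind the same identifiers. The example also binds the encryption algorithm identifier into the inner integrity tag, a check the patent does not spell out but which stops a peer from rewriting the identifier to select a different algorithm.

```python
"""Added example: two-layer protection of CertReq/CertRes.
Inner layer: data session key (pre-shared) + algorithm identifier.
Outer layer: data communication key (negotiated for the secure channel).
The HMAC-based cipher is a stand-in for the unspecified encryption algorithm."""
import hashlib
import hmac
import os

# Assumed identifier table; the patent defines no values.  Both identifiers
# select the same stand-in cipher here, only the binding is demonstrated.
ALGORITHMS = {1: "stand-in stream cipher", 2: "stand-in stream cipher (alt id)"}


def _subkeys(key):
    """Separate keystream and tag keys derived from one input key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, aad=b"", nonce=None):
    """Authenticated encryption stand-in: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, len(aad).to_bytes(2, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verifies the tag before decrypting; raises ValueError on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, len(aad).to_bytes(2, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_certificate_data(session_key, alg_id, data):
    """First layer: [alg_id] || E_session(data).  The identifier is bound into
    the tag as associated data so it cannot be swapped in transit."""
    if alg_id not in ALGORITHMS:
        raise ValueError("unsupported encryption algorithm identifier")
    aad = bytes([alg_id])
    return aad + seal(session_key, data, aad=aad)


def decrypt_certificate_data(session_key, blob):
    alg_id = blob[0]
    if alg_id not in ALGORITHMS:
        raise ValueError("unsupported encryption algorithm identifier")
    return alg_id, unseal(session_key, blob[1:], aad=bytes([alg_id]))


def send_management_message(msg_type, comm_key, session_key, alg_id, cert_data):
    """Builds CertReq/CertRes: inner layer with the data session key, then the
    whole message (type + inner blob) under the data communication key."""
    inner = encrypt_certificate_data(session_key, alg_id, cert_data)
    return seal(comm_key, msg_type + inner)


def receive_management_message(comm_key, session_key, wire, expected_type):
    """Strips the channel layer, checks the type, then the session-key layer."""
    message = unseal(comm_key, wire)
    if not message.startswith(expected_type):
        raise ValueError("unexpected message type")
    return decrypt_certificate_data(session_key, message[len(expected_type):])


if __name__ == "__main__":
    sk, ck = os.urandom(32), os.urandom(32)            # constructed keys
    wire = send_management_message(b"CertReq", ck, sk, 1, b"csr||sigalg||sig")
    print(receive_management_message(ck, sk, wire, b"CertReq"))
```

Stripping only the channel layer (as a relay holding just the data communication key could) still leaves the certificate data encrypted under the data session key, which is the property the two-layer design is meant to give.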
When the issuing device determines that the applying device needs to apply for a new digital certificate, the response message includes the new digital certificate generated by the issuing device from the certificate request data contained in the digital certificate application information. When the issuing device determines that the applying device needs to query or update an existing digital certificate, the response message carries the queried or updated digital certificate.
In specific implementation, the issuing device decides how to process the request according to the information type in the digital certificate management request message. If it receives digital certificate application information, it checks that the certificate information in the application is present and issues a new digital certificate according to the certificate request data. If the existing certificate information contained in certificate acquisition information exists, it looks up the existing digital certificate by issuing device name and serial number. If the issuing device name and serial number contained in certificate revocation information exist, it looks up and revokes the existing digital certificate by issuing device name and serial number. If a certificate revocation list exists, it looks up the certificate revocation list by issuing device name. The issuing device then carries the certificate so obtained in the certificate management response message, which may take, but is not limited to, the form shown in Table 6.
Table 6: Information type of the digital certificate management response message

Message                                           Types value   Meaning (information type)
Digital certificate management response message   3             Certificate response

The field format of the certificate response may take, but is not limited to, the form shown in Table 7.
Table 7: Certificate response field format
Certificate generation type    Certificate response data
The certificate generation type may be as shown in Table 8, which lists the certificate type corresponding to each kind of certificate holder.
Table 8: Certificate types

Types value   Meaning
1             Client certificate
2             AS certificate
3             CA certificate
4             Certificate revocation list

Here, an AS certificate is an authentication server certificate, and a CA certificate is a certificate authority certificate.
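The message types of Tables 1 and 6 with the field layouts of Tables 2 to 5, 7 and 8, together with the issuing device's per-type processing described for S304, as an added example (not code from the patent): an encoder and a strict decoder for the management messages, plus an in-memory issuing device that issues, looks up, revokes and lists certificates. The one-byte type and two-byte length-prefixed field framing, the certificate store, the serial number assignment and the certificate byte layout are assumptions; the patent specifies only the field names and the type values. The decoder rejects unknown types, truncated fields and trailing bytes, which is the validation a practitioner wants at the point where the decrypted message is parsed.

```python
"""Added example: digital certificate management message codec (Tables 1-8)
and issuing-device dispatch.  Framing and the certificate store are assumed."""

REQ_CERT_APPLY, RESP_CERT, REQ_CERT_GET, REQ_CERT_REVOKE, REQ_CRL = 2, 3, 4, 5, 6
CERT_CLIENT, CERT_AS, CERT_CA, CERT_CRL = 1, 2, 3, 4            # Table 8

FIELDS = {                                                       # Tables 2-5 and 7
    REQ_CERT_APPLY:  ("generation_mode", "certificate_request_data"),
    REQ_CERT_GET:    ("issuer_name", "serial_number"),
    REQ_CERT_REVOKE: ("issuer_name", "serial_number", "revocation_reason"),
    REQ_CRL:         ("issuer_name",),
    RESP_CERT:       ("certificate_type", "certificate_response_data"),
}


def encode_message(msg_type, **fields):
    """type(1) || for each field in table order: len(2, big-endian) || value."""
    names = FIELDS[msg_type]
    if set(fields) != set(names):
        raise ValueError(f"type {msg_type} requires fields {names}")
    body = b"".join(len(fields[n]).to_bytes(2, "big") + fields[n] for n in names)
    return bytes([msg_type]) + body


def decode_message(raw):
    """Strict inverse of encode_message: rejects unknown types, truncation
    and trailing bytes rather than silently accepting malformed input."""
    if not raw or raw[0] not in FIELDS:
        raise ValueError("unknown message type")
    msg_type, pos, out = raw[0], 1, {}
    for name in FIELDS[msg_type]:
        if pos + 2 > len(raw):
            raise ValueError("truncated length field")
        n = int.from_bytes(raw[pos:pos + 2], "big")
        pos += 2
        if pos + n > len(raw):
            raise ValueError("truncated field value")
        out[name] = raw[pos:pos + n]
        pos += n
    if pos != len(raw):
        raise ValueError("trailing bytes after last field")
    return msg_type, out


class IssuingDevice:
    """Constructed in-memory issuing device implementing the S304 dispatch."""

    def __init__(self, name):
        self.name = name
        self.certs = {}        # serial number -> certificate bytes
        self.revoked = {}      # serial number -> revocation reason
        self.next_serial = 1

    def _response(self, cert_type, data):
        return encode_message(RESP_CERT, certificate_type=bytes([cert_type]),
                              certificate_response_data=data)

    def handle(self, raw):
        msg_type, f = decode_message(raw)
        if msg_type == REQ_CERT_APPLY:
            serial = self.next_serial.to_bytes(4, "big")
            self.next_serial += 1
            # Constructed certificate layout; a real device would sign a DER certificate.
            cert = b"CERT|" + self.name + b"|" + serial + b"|" + f["certificate_request_data"]
            self.certs[serial] = cert
            return self._response(CERT_CLIENT, cert)
        if f["issuer_name"] != self.name:
            raise LookupError("unknown issuing device name")
        if msg_type == REQ_CERT_GET:
            return self._response(CERT_CLIENT, self.certs[f["serial_number"]])
        if msg_type == REQ_CERT_REVOKE:
            cert = self.certs[f["serial_number"]]          # KeyError if unknown serial
            self.revoked[f["serial_number"]] = f["revocation_reason"]
            return self._response(CERT_CLIENT, cert)
        crl = b"CRL|" + self.name + b"|" + b",".join(sorted(self.revoked))
        return self._response(CERT_CRL, crl)


if __name__ == "__main__":
    dev = IssuingDevice(b"ca.example")
    req = encode_message(REQ_CERT_APPLY, generation_mode=b"\x01",
                         certificate_request_data=b"csr-bytes")
    print(decode_message(dev.handle(req)))
```

A lookup or revocation naming a serial number the device never issued raises rather than returning an empty certificate, so the applying device cannot be handed a response it would mistake for a valid certificate.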
S305: the applying device processes the certificate management response message and obtains a processing result.
In specific implementation, the applying device decrypts and checks the digital certificate management response message as needed, obtains the message content, determines according to its needs which digital certificate to use, and performs processing such as installing or updating the digital certificate.
The method further includes:
S306: the applying device generates a digital certificate management confirmation message and sends it to the issuing device.
In specific implementation, when the applying device has used the obtained authorization code to negotiate a secure data channel with the issuing device and generate a security key, the applying device may send the digital certificate management confirmation message to the issuing device over the secure data channel, the confirmation message being encrypted with the data communication key.
In this embodiment of the invention, a secure and reliable data transmission channel is established by the messages of S301 and S302, and automatic application, query and update of digital certificates is realized by the three message interactions of S303, S304 and S305, so that digital certificate management is more effective, secure and reliable. Fig. 5 is a schematic diagram of the message contents in the method for automatically applying for, querying, updating and issuing digital certificates. As shown in Fig. 5, the digital certificate management request message CertReq may specifically contain digital certificate application information, digital certificate acquisition information, digital certificate revocation information, digital certificate revocation list information and the like; the digital certificate management response message CertRes may contain digital certificate response information and the like; and the digital certificate management confirmation message CertConfirm may be used to release the connection between the applying device and the issuing device.
The digital certificate management method provided by the invention has been described above from the side of the applying device. Those skilled in the art will understand that the method provided by the invention may also be applied on the side of the issuing device, where the processing corresponding to the examples shown in Figs. 2 to 5 is performed. For example, the above method applied on the issuing device side may further include: the issuing device receives the digital certificate management request message sent by the applying device, in which the certificate request data carried is encrypted with the data session key; the issuing device processes the request message and generates a digital certificate management response message; and the issuing device sends the response message to the applying device.
In some embodiments, the method further includes: the issuing device receives and processes the digital certificate management confirmation message sent by the applying device.
In some embodiments, the issuing device uses the authorization code to negotiate with the applying device, establishes a secure data channel and generates a security key.
Concrete implementation may refer to the methods shown in Figs. 2 to 5.
Referring to Fig. 6, a schematic diagram of the digital certificate applying device provided by an embodiment of the invention.
A digital certificate applying device 600 includes:
a sending unit 601, configured to send a digital certificate management request message to the digital certificate issuing device, the certificate request data carried in the request message being encrypted with the data session key, where the data session key is a pre-shared key between the applying device and the issuing device;
an encryption unit 602, configured to encrypt the certificate request data carried in the digital certificate management request message with the data session key;
a receiving unit 603, configured to receive the digital certificate management response message sent by the issuing device; and
a processing unit 604, configured to process the digital certificate management response message and obtain a processing result.
In some embodiments, the processing unit 604 is further configured to generate a digital certificate management confirmation message, and the sending unit 601 is further configured to send the confirmation message to the issuing device.
In some embodiments, the sending unit 601 is specifically configured to send to the issuing device a digital certificate management request message carrying certificate request data, the certificate request data including certificate request information, a signature algorithm identifier and a signature value. In some embodiments, the certificate request information may include a version, the holder name, the holder's public key information, extensions, a serial number, the issuer name and a validity period. When the applying device and/or the issuing device supports two or more encryption algorithms, the certificate request data carried in the request message sent by the sending unit 601 further includes an encryption algorithm identifier; specifically, the certificate request data consists of the encryption algorithm identifier together with the data obtained by encrypting the certificate request information, signature algorithm identifier and signature value with the data session key under the encryption algorithm that the identifier designates. Correspondingly, the encryption unit 602 is specifically configured to encrypt the certificate request information, signature algorithm identifier and signature value with the data session key under the encryption algorithm that the identifier designates.
In some embodiments, the device further includes:
a secure data channel establishing unit, configured to negotiate with the issuing device using the obtained authorization code, establish a secure data channel and generate a security key, where the security key includes a data communication key;
the sending unit 601 is specifically configured to send the digital certificate management request message to the issuing device over the secure data channel, the request message being encrypted with the data communication key; and
the encryption unit 602 is further configured to encrypt the digital certificate management request message with the data communication key.
In some embodiments, the sending unit 601 is specifically configured to send the digital certificate management confirmation message to the issuing device over the secure data channel, the confirmation message being encrypted with the data communication key.
The encryption unit 602 is further configured to encrypt the digital certificate management confirmation message with the data communication key.
The arrangement of the units or modules of the device may refer to the methods shown in Figs. 2 to 5 and is not repeated here. It should be noted that the digital certificate management device may be a stand-alone device, may be integrated with the issuing device, or may exist as part of the issuing device; this is not limited here.
Referring to Fig. 7, a block diagram of a device for applying for a digital certificate provided by another embodiment of the invention. It includes at least one processor 701 (for example a CPU), a memory 702 and at least one communication bus 703 for connecting and communicating between these components. The processor 701 executes executable modules stored in the memory 702, such as a computer program. The memory 702 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least one disk storage. One or more programs are stored in the memory and configured to be executed by the one or more processors 701, the one or more programs containing instructions for: sending a digital certificate management request message to the digital certificate issuing device, the certificate request data carried in the request message being encrypted with the data session key, where the data session key is a pre-shared key between the applying device and the issuing device; receiving the digital certificate management response message sent by the issuing device; and processing the response message to obtain a processing result.
In some embodiments, the processor 701 is further configured to execute the one or more programs, which contain instructions for: generating a digital certificate management confirmation message and sending it to the issuing device.
In some embodiments, the processor 701 is specifically configured to execute the one or more programs, which contain instructions for: negotiating with the issuing device using the obtained authorization code, establishing a secure data channel and generating a security key, where the security key includes a data communication key.
In some embodiments, the processor 701 is specifically configured to execute the one or more programs, which contain instructions for: sending the digital certificate management request message to the issuing device over the secure data channel, the request message being encrypted with the data communication key.
Referring to Fig. 8, a schematic diagram of the digital certificate issuing device provided by an embodiment of the invention.
A digital certificate issuing device 800 includes:
a receiving unit 801, configured to receive the digital certificate management request message sent by the applying device, the certificate request data carried in the request message being encrypted with the data session key, where the data session key is a pre-shared key between the applying device and the issuing device;
a processing unit 802, configured to process the digital certificate management request message and generate a digital certificate management response message; and
a sending unit 803, configured to send the digital certificate management response message to the applying device.
In some embodiments, the receiving unit 801 is further configured to receive the digital certificate management confirmation message sent by the applying device, and the processing unit 802 is further configured to process the confirmation message.
In some embodiments, the certificate response data carried in the response message sent by the sending unit 803 is encrypted with the data session key;
the device further includes an encryption unit 804, specifically configured to encrypt the certificate response data carried in the digital certificate management response message with the data session key.
Here, the certificate request data carried in the request message received by the receiving unit 801 is encrypted with the data session key; the certificate request data includes certificate request information, a signature algorithm identifier and a signature value, and the certificate request information includes a version, the holder name, the holder's public key information, extensions, a serial number, the issuer name and a validity period.
In some embodiments, when the issuing device supports two or more encryption algorithms, the certificate response data sent by the sending unit 803 further includes an encryption algorithm identifier; specifically, it consists of the encryption algorithm identifier together with the data obtained by encrypting the certificate response data with the data session key under the encryption algorithm that the identifier designates. Correspondingly, the encryption unit 804 is specifically configured to:
encrypt the certificate response data with the data session key under the encryption algorithm that the identifier designates.
In some embodiments, the device further includes:
a secure data channel establishing unit, configured to negotiate with the applying device using the obtained authorization code, establish a secure data channel and generate a security key, where the security key includes a data communication key;
the sending unit is specifically configured to send the digital certificate management response message to the applying device over the secure data channel, the response message being encrypted with the data communication key; and
the encryption unit 804 is further configured to encrypt the digital certificate management response message with the data communication key.
Referring to Fig. 9, which is a block diagram of a device for digital certificate issuance provided by another embodiment of the present invention. The device includes at least one processor 901 (for example a CPU), a memory 902 and at least one communication bus 903 for connecting and communicating between these components. The processor 901 executes executable modules, such as computer programs, stored in the memory 902. The memory 902 may include high-speed random access memory (RAM) and may further include non-volatile memory, for example at least one disk storage. One or more programs are stored in the memory and configured to be executed by the one or more processors 901; the one or more programs include instructions for performing the following operations: receiving a digital certificate management request message sent by a digital certificate applying device, wherein the certificate request data carried in the digital certificate management request message is encrypted with a data session key, the data session key being a pre-shared key between the digital certificate applying device and the digital certificate issuing device; processing the digital certificate management request message and generating a digital certificate management response message; and sending the digital certific<br>ate management response message to the digital certificate applying device.
In some embodiments, the processor 901 is further configured to execute the one or more programs, which include instructions for performing the following operation: receiving and processing the digital certificate management confirmation message sent by the digital certificate applying device.
In some embodiments, the processor 901 is specifically configured to execute the one or more programs, which include instructions for performing the following operation: negotiating with the digital certificate applying device, using the obtained authorization code, to establish a secure data channel and generate security keys, wherein the security keys include a data communication key.
In some embodiments, the processor 901 is specifically configured to execute the one or more programs, which include instructions for performing the following operation: sending the digital certificate management response message to the digital certificate applying device over the secure data channel, the digital certificate management response message being encrypted with the data communication key.
Those skilled in the art will understand that the method and the device described above correspond to each other.
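The request format of claims 3 and 4 and the issuing-side processing described for Fig. 9, in working code. This is an added illustration, not code from the patent or from China Iwncomm, and everything the patent leaves open is an assumption of this example: the identifier values (1 = AES-128-GCM, 2 = AES-256-GCM, "ed25519" as the signature algorithm identifier), JSON as the encoding of the certificate request information, HMAC-SHA256 to derive a per-algorithm key from the pre-shared data session key, and the issuing device verifying the signature value against the holder public key carried in the request (proof of possession) before it acts on the request. The field values used in the test are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Identifier values are assumed; the patent only says that the identifiers are carried.
const (
	AlgAES128GCM byte = 1
	AlgAES256GCM byte = 2
	sigAlgID          = "ed25519"
	gcmNonceLen       = 12
	reqAAD            = "cert-mgmt-request" // binds a ciphertext to its message role
)

// CertRequestInfo holds the fields claim 3 enumerates.
type CertRequestInfo struct {
	Version   int    `json:"version"`
	Holder    string `json:"holder"`
	HolderPub []byte `json:"holder_pub"` // raw Ed25519 public key
	Ext       string `json:"ext"`
	Serial    uint64 `json:"serial"`
	Issuer    string `json:"issuer"`
	Validity  string `json:"validity"`
}

// signedRequest is the plaintext the data session key protects: the request
// information, the signature algorithm identifier and the signature value.
type signedRequest struct {
	Info   CertRequestInfo `json:"info"`
	SigAlg string          `json:"sig_alg"`
	Sig    []byte          `json:"sig"`
}

// aead selects the cipher the identifier names. Its key is derived from the pre-shared
// key bound to the identifier (assumed), so a swapped id cannot reuse the same key.
func aead(psk []byte, alg byte) (cipher.AEAD, error) {
	m := hmac.New(sha256.New, psk)
	m.Write([]byte{'d', 's', 'k', alg})
	n := map[byte]int{AlgAES128GCM: 16, AlgAES256GCM: 32}[alg] // 0 for unknown ids
	blk, err := aes.NewCipher(m.Sum(nil)[:n])
	if err != nil {
		return nil, fmt.Errorf("encryption algorithm id %d: %w", alg, err)
	}
	return cipher.NewGCM(blk)
}

// BuildRequest (applying device): sign the request information with the holder key,
// then encrypt it together with the signature algorithm identifier and signature
// value. Wire format: encryption algorithm id || nonce || ciphertext.
func BuildRequest(psk []byte, alg byte, info CertRequestInfo, holder ed25519.PrivateKey) ([]byte, error) {
	g, err := aead(psk, alg)
	if err != nil {
		return nil, err
	}
	infoBytes, _ := json.Marshal(info)
	sr := signedRequest{Info: info, SigAlg: sigAlgID, Sig: ed25519.Sign(holder, infoBytes)}
	plain, _ := json.Marshal(sr)
	nonce := make([]byte, gcmNonceLen)
	rand.Read(nonce) // fresh nonce per message: the data session key is long-lived
	return g.Seal(append([]byte{alg}, nonce...), nonce, plain, []byte(reqAAD)), nil
}

// HandleRequest (issuing device): decrypt with the cipher the identifier names, then
// verify the holder's signature over the request information, so a request that
// names a public key the sender does not control is refused before issuance.
func HandleRequest(psk, msg []byte) (*CertRequestInfo, error) {
	if len(msg) < 1+gcmNonceLen {
		return nil, fmt.Errorf("certificate request data too short")
	}
	g, err := aead(psk, msg[0])
	if err != nil {
		return nil, err
	}
	plain, err := g.Open(nil, msg[1:1+gcmNonceLen], msg[1+gcmNonceLen:], []byte(reqAAD))
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	var sr signedRequest
	if err := json.Unmarshal(plain, &sr); err != nil {
		return nil, err
	}
	if sr.SigAlg != sigAlgID || len(sr.Info.HolderPub) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("cannot verify signature: sig_alg=%q, key length %d", sr.SigAlg, len(sr.Info.HolderPub))
	}
	infoBytes, _ := json.Marshal(sr.Info)
	if !ed25519.Verify(ed25519.PublicKey(sr.Info.HolderPub), infoBytes, sr.Sig) {
		return nil, fmt.Errorf("holder signature invalid: no proof of possession")
	}
	return &sr.Info, nil
}
```

The encryption algorithm identifier is the one field that travels in clear, so it is the field an attacker can change. Deriving the key per identifier and authenticating the ciphertext with GCM means a swapped identifier fails decryption instead of silently decrypting under a truncated key. Because the data session key is a long-lived pre-shared secret, the random nonce per message is essential; a deployment that sends very many requests under one key should move to a counter nonce or to per-device keys rather than rely on random 96-bit nonces indefinitely.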
Other embodiments of the invention will readily occur to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The invention is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include such departures from the present disclosure as come within known or customary practice in the art. The specification and examples are to be considered as illustrative only, with the true scope and spirit of the invention being indicated by the following claims.
It should be understood that the invention is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the invention is limited only by the appended claims.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.
It should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. The terms "comprise", "include" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element introduced by "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or device that comprises it. The invention may be described in the general context of computer-executable instructions, such as program modules, executed by a computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention may also be practised in distributed computing environments in which tasks are performed by remote processing devices linked through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and identical or similar parts may be understood by cross-reference. The device embodiments in particular are described briefly because they are substantially similar to the method embodiments; for details, refer to the description of the method embodiments. The device embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment, and those of ordinary skill in the art can understand and implement them without inventive effort. The foregoing are merely specific embodiments of the invention; it should be pointed out that those skilled in the art can make several improvements and modifications without departing from the principles of the invention, and these improvements and modifications shall also be regarded as falling within the scope of protection of the invention.

Claims (16)

1. A digital certificate management method, characterized in that it comprises:
a digital certificate applying device sending a digital certificate management request message to a digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, wherein the data session key is a pre-shared key between the digital certificate applying device and the digital certificate issuing device;
the digital certificate issuing device receiving the digital certificate management request message and sending a digital certificate management response message to the digital certificate applying device; and
the digital certificate applying device receiving and processing the digital certificate management response message to obtain a processing result.
2. The method according to claim 1, characterized in that it further comprises:
the digital certificate applying device generating a digital certificate management confirmation message and sending it to the digital certificate issuing device; and
the digital certificate issuing device receiving and processing the digital certificate management confirmation message.
3. The method according to claim 2, characterized in that the certificate request data comprises certificate request information, a signature algorithm identifier and a signature value, the certificate request information comprising a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period;
when the digital certificate applying device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate request data carried in the digital certificate management request message further comprises an encryption algorithm identifier; specifically, the certificate request data then consists of the encryption algorithm identifier and the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm that the encryption algorithm identifier denotes.
4. The method according to claim 3, characterized in that the certificate response data carried in the digital certificate management response message is encrypted with the data session key;
when the digital certificate applying device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate response data carried in the digital certificate management response message further comprises an encryption algorithm identifier; specifically, the certificate response data then consists of the encryption algorithm identifier and the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm that the encryption algorithm identifier denotes.
5. The method according to any one of claims 2 to 4, characterized in that, before the digital certificate applying device sends the digital certificate management request message to the digital certificate issuing device, the method further comprises:
the digital certificate applying device negotiating with the digital certificate issuing device, using the obtained authorization code, to establish a secure data channel and generate security keys, wherein the security keys include a data communication key;
the digital certificate applying device sending the digital certificate management request message to the digital certificate issuing device comprises:
the digital certificate applying device sending the digital certificate management request message to the digital certificate issuing device over the secure data channel, the digital certificate management request message being encrypted with the data communication key; and
the digital certificate issuing device sending the digital certificate management response message to the digital certificate applying device comprises:
the digital certificate issuing device sending the digital certificate management response message to the digital certificate applying device over the secure data channel, the digital certificate management response message being encrypted with the data communication key.
6. The method according to claim 5, characterized in that the digital certificate applying device sending the digital certificate management confirmation message to the digital certificate issuing device comprises:
the digital certificate applying device sending the digital certificate management confirmation message to the digital certificate issuing device over the secure data channel, the digital certificate management confirmation message being encrypted with the data communication key.
7. A digital certificate applying device, characterized in that it comprises:
a sending unit, configured to send a digital certificate management request message to a digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, wherein the data session key is a pre-shared key between the digital certificate applying device and the digital certificate issuing device;
an encryption unit, configured to encrypt the certificate request data carried in the digital certificate management request message with the data session key;
a receiving unit, configured to receive the digital certificate management response message sent by the digital certificate issuing device; and
a processing unit, configured to process the digital certificate management response message to obtain a processing result.
8. The device according to claim 7, characterized in that the processing unit is further configured to generate a digital certificate management confirmation message, and the sending unit is further configured to send the digital certificate management confirmation message to the digital certificate issuing device.
9. The device according to claim 8, characterized in that the sending unit is specifically configured to send to the digital certificate issuing device a digital certificate management request message carrying certificate request data, the certificate request data comprising certificate request information, a signature algorithm identifier and a signature value, and the certificate request information comprising a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period;
when the digital certificate applying device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate request data carried in the digital certificate management request message that the sending unit sends to the digital certificate issuing device further comprises an encryption algorithm identifier; specifically, the certificate request data then consists of the encryption algorithm identifier and the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm that the encryption algorithm identifier denotes; and
the encryption unit is specifically configured to encrypt the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm that the encryption algorithm identifier denotes.
10. The device according to claim 8 or 9, characterized in that it further comprises:
a secure data channel establishment unit, configured to negotiate with the digital certificate issuing device, using the obtained authorization code, to establish a secure data channel and generate security keys, wherein the security keys include a data communication key;
the sending unit is specifically configured to send the digital certificate management request message to the digital certificate issuing device over the secure data channel, the digital certificate management request message being encrypted with the data communication key;
the encryption unit is further configured to encrypt the digital certificate management request message with the data communication key;
the sending unit is further specifically configured to send the digital certificate management confirmation message to the digital certificate issuing device over the secure data channel, the digital certificate management confirmation message being encrypted with the data communication key; and
the encryption unit is further configured to encrypt the digital certificate management confirmation message with the data communication key.
11. A device for digital certificate application, characterized in that it comprises a memory and one or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by one or more processors, and the one or more programs include instructions for performing the following operations:
sending a digital certificate management request message to a digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, wherein the data session key is a pre-shared key between the digital certificate applying device and the digital certificate issuing device;
receiving the digital certificate management response message sent by the digital certificate issuing device; and
processing the digital certificate management response message to obtain a processing result.
12. A digital certificate issuing device, characterized in that it comprises:
a receiving unit, configured to receive a digital certificate management request message sent by a digital certificate applying device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, wherein the data session key is a pre-shared key between the digital certificate applying device and the digital certificate issuing device;
a processing unit, configured to process the digital certificate management request message and generate a digital certificate management response message; and
a sending unit, configured to send the digital certificate management response message to the digital certificate applying device.
13. The device according to claim 12, characterized in that the receiving unit is further configured to receive the digital certificate management confirmation message sent by the digital certificate applying device, and the processing unit is further configured to process the digital certificate management confirmation message.
14. The device according to claim 13, characterized in that the certificate response data carried in the digital certificate management response message sent by the sending unit is encrypted with the data session key;
the device further comprises an encryption unit, specifically configured to encrypt the certificate response data carried in the digital certificate management response message with the data session key;
wherein the certificate request data carried in the digital certificate management request message received by the receiving unit is encrypted with the data session key, the certificate request data comprising certificate request information, a signature algorithm identifier and a signature value, and the certificate request information comprising a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period;
when the digital certificate issuing device supports two or more encryption algorithms, the certificate response data sent by the sending unit further comprises an encryption algorithm identifier; specifically, the certificate response data then consists of the encryption algorithm identifier and the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm that the encryption algorithm identifier denotes; and correspondingly, the encryption unit is further specifically configured to:
encrypt the certificate response data with the data session key using the encryption algorithm that the encryption algorithm identifier denotes.
15. The device according to claim 13 or 14, characterized in that it further comprises:
a secure data channel establishment unit, configured to negotiate with the digital certificate applying device, using the obtained authorization code, to establish a secure data channel and generate security keys, wherein the security keys include a data communication key;
the sending unit is specifically configured to send the digital certificate management response message to the digital certificate applying device over the secure data channel, the digital certificate management response message being encrypted with the data communication key; and
the encryption unit is further configured to encrypt the digital certificate management response message with the data communication key.
16. A device for digital certificate issuance, characterized in that it comprises a memory and one or more programs, wherein the one or more programs are stored in the memory and are configured to be executed by one or more processors, and the one or more programs include instructions for performing the following operations:
receiving a digital certificate management request message sent by a digital certificate applying device, the certificate request data carried in the digital certificate management request message being encrypted with a data session key, wherein the data session key is a pre-shared key between the digital certificate applying device and the digital certificate issuing device;
processing the digital certificate management request message and generating a digital certificate management response message; and
sending the digital certificate management response message to the digital certificate applying device.
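Claims 5, 6, 10 and 15 wrap the whole exchange in a secure data channel negotiated from an authorization code, but the patent does not specify the negotiation itself. The following Go program is an added illustration, not code from the patent or from China Iwncomm, of one assumed construction: the two devices exchange fresh nonces, derive the data communication key (plus a separate key-confirmation key, an addition of this example) from the authorization code with HMAC-SHA256, and each confirms the other's keys before the first management message is sent. The role labels, key labels and nonce sizes are this example's own choices; the authorization codes in the test are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ChannelKeys are the "security keys" of claim 5. The patent names only the data
// communication key; the separate key-confirmation key is an addition assumed here.
type ChannelKeys struct {
	DataCommKey []byte // encrypts the management request, response and confirmation messages
	ConfirmKey  []byte // proves both ends hold the same keys before DataCommKey is used
}

// derive turns the authorization code and both nonces into the channel keys. The
// HMAC extract-then-expand construction is assumed; the patent does not specify it.
func derive(authCode, nonceA, nonceI []byte) ChannelKeys {
	x := hmac.New(sha256.New, authCode)
	x.Write(nonceA)
	x.Write(nonceI)
	secret := x.Sum(nil)
	expand := func(label string) []byte {
		m := hmac.New(sha256.New, secret)
		m.Write([]byte(label))
		return m.Sum(nil)
	}
	return ChannelKeys{DataCommKey: expand("data communication key"), ConfirmKey: expand("key confirmation")}
}

// confirmTag is what each side sends to prove it holds the channel keys. The role
// string stops one side's tag from simply being reflected back as the other's.
func confirmTag(k ChannelKeys, role string, nonceA, nonceI []byte) []byte {
	m := hmac.New(sha256.New, k.ConfirmKey)
	m.Write([]byte(role))
	m.Write(nonceA)
	m.Write(nonceI)
	return m.Sum(nil)
}

// Negotiate runs both ends in one process: the applying device (A) and the issuing
// device (I) exchange fresh nonces, derive keys from their own copy of the
// authorization code, and each verifies the other's confirmation tag. A wrong code
// fails here, before the first certificate management message is sent.
func Negotiate(applicantCode, issuerCode []byte) (ChannelKeys, error) {
	nonceA, nonceI := make([]byte, 16), make([]byte, 16)
	rand.Read(nonceA) // crypto/rand: fresh nonces give fresh keys per channel
	rand.Read(nonceI)
	kA := derive(applicantCode, nonceA, nonceI) // computed on the applying device
	kI := derive(issuerCode, nonceA, nonceI)    // computed on the issuing device
	// I -> A: the issuer's tag, which A compares with the tag it expects.
	if !hmac.Equal(confirmTag(kI, "issuer", nonceA, nonceI), confirmTag(kA, "issuer", nonceA, nonceI)) {
		return ChannelKeys{}, errors.New("issuer key confirmation failed: authorization code mismatch")
	}
	// A -> I: the applicant's tag, checked by I the same way.
	if !hmac.Equal(confirmTag(kA, "applicant", nonceA, nonceI), confirmTag(kI, "applicant", nonceA, nonceI)) {
		return ChannelKeys{}, errors.New("applicant key confirmation failed")
	}
	return kA, nil
}

func main() {
	code := []byte("constructed-authorization-code") // constructed; a real one comes from provisioning
	k, err := Negotiate(code, code)
	fmt.Printf("data communication key %x, err=%v\n", k.DataCommKey, err)
}
```

Key confirmation turns a wrong or stale authorization code into an immediate, attributable failure instead of an undecryptable request later in the exchange. The caveat a deployment has to take seriously is that this construction is only as strong as the authorization code: if the code is short enough to enumerate, an eavesdropper who records the nonces and confirmation tags can test candidates offline. A high-entropy one-time code is the minimum, and a password-authenticated key exchange is the way to remove the offline attack entirely.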
CN201710211790.1A, priority date 2017-04-01, filing date 2017-04-01: A kind of digital certificate management method and equipment (pending; published as CN108667781A)

Priority Applications (1)

CN201710211790.1A (CN108667781A), priority date 2017-04-01, filing date 2017-04-01: A kind of digital certificate management method and equipment

Applications Claiming Priority (1)

CN201710211790.1A (CN108667781A), priority date 2017-04-01, filing date 2017-04-01: A kind of digital certificate management method and equipment

Publications (1)

CN108667781A, published 2018-10-16

Family

ID=63784142

Family Applications (1)

CN201710211790.1A (CN108667781A, pending), priority date 2017-04-01, filing date 2017-04-01: A kind of digital certificate management method and equipment

Country Status (1)

CN: CN108667781A

Cited By (7)

(* cited by examiner, † cited by third party)

CN110768795A *, priority 2019-10-30, published 2020-02-07, 迈普通信技术股份有限公司: Session establishment method and device
CN111490879A *, priority 2020-04-13, published 2020-08-04, 山东确信信息产业股份有限公司: Digital certificate generation method and system based on biological characteristics
CN113301523A *, priority 2021-04-14, published 2021-08-24, 江铃汽车股份有限公司: Application and update method and system for V2X vehicle-mounted terminal digital certificate
CN113810411A *, priority 2021-09-17, published 2021-12-17, 公安部交通管理科学研究所: Traffic control facility digital certificate management method and system
CN114553427A *, priority 2020-11-24, published 2022-05-27, 安讯士有限公司: System and method for managing certificates associated with components located at remote locations
CN114884963A *, priority 2022-06-20, published 2022-08-09, 中国工商银行股份有限公司: Management method and management device of digital certificate
US11516020B2 *, priority 2018-06-06, published 2022-11-29, Tencent Technology (Shenzhen) Company Limited: Key management method, apparatus, and system, storage medium, and computer device

Citations (6)

(* cited by examiner, † cited by third party)

CN1801029A *, priority 2004-12-31, published 2006-07-12, 联想(北京)有限公司: Method for generating digital certificate and applying the generated digital certificate
WO2007073623A1 *, priority 2005-12-29, published 2007-07-05, Zte Corporation: A method of downloading digital certification and key
CN104160656A *, priority 2012-03-01, published 2014-11-19, 塞尔蒂卡姆公司: System and method for connecting client devices to a network
CN105812136A *, priority 2014-12-30, published 2016-07-27, 北京握奇智能科技有限公司: Update method, update system and security authentication device
CN106533692A *, priority 2016-11-01, published 2017-03-22, 济南浪潮高新科技投资发展有限公司: Digital certificate application method based on TPM
CN108667609A *, priority 2017-04-01, published 2018-10-16, 西安西电捷通无线网络通信股份有限公司: A kind of digital certificate management method and equipment

Patent Citations (7)

(* cited by examiner, † cited by third party)

CN1801029A *, priority 2004-12-31, published 2006-07-12, 联想(北京)有限公司: Method for generating digital certificate and applying the generated digital certificate
WO2007073623A1 *, priority 2005-12-29, published 2007-07-05, Zte Corporation: A method of downloading digital certification and key
CN101305542A *, priority 2005-12-29, published 2008-11-12, 中兴通讯股份有限公司: Method for downloading digital certificate and cryptographic key
CN104160656A *, priority 2012-03-01, published 2014-11-19, 塞尔蒂卡姆公司: System and method for connecting client devices to a network
CN105812136A *, priority 2014-12-30, published 2016-07-27, 北京握奇智能科技有限公司: Update method, update system and security authentication device
CN106533692A *, priority 2016-11-01, published 2017-03-22, 济南浪潮高新科技投资发展有限公司: Digital certificate application method based on TPM
CN108667609A *, priority 2017-04-01, published 2018-10-16, 西安西电捷通无线网络通信股份有限公司: A kind of digital certificate management method and equipment

Cited By (10)

(* cited by examiner, † cited by third party)

US11516020B2 *, priority 2018-06-06, published 2022-11-29, Tencent Technology (Shenzhen) Company Limited: Key management method, apparatus, and system, storage medium, and computer device
CN110768795A *, priority 2019-10-30, published 2020-02-07, 迈普通信技术股份有限公司: Session establishment method and device
CN111490879A *, priority 2020-04-13, published 2020-08-04, 山东确信信息产业股份有限公司: Digital certificate generation method and system based on biological characteristics
CN114553427A *, priority 2020-11-24, published 2022-05-27, 安讯士有限公司: System and method for managing certificates associated with components located at remote locations
CN114553427B *, priority 2020-11-24, published 2023-09-08, 安讯士有限公司: System and method for managing certificates associated with components located at remote locations
CN113301523A *, priority 2021-04-14, published 2021-08-24, 江铃汽车股份有限公司: Application and update method and system for V2X vehicle-mounted terminal digital certificate
CN113810411A *, priority 2021-09-17, published 2021-12-17, 公安部交通管理科学研究所: Traffic control facility digital certificate management method and system
CN113810411B *, priority 2021-09-17, published 2023-02-14, 公安部交通管理科学研究所: Traffic control facility digital certificate management method and system
CN114884963A *, priority 2022-06-20, published 2022-08-09, 中国工商银行股份有限公司: Management method and management device of digital certificate
CN114884963B *, priority 2022-06-20, published 2023-11-03, 中国工商银行股份有限公司: Digital certificate management method and management device

Similar Documents

CN108667609A: A kind of digital certificate management method and equipment
CN108667781A: A kind of digital certificate management method and equipment
EP3661120B1: Method and apparatus for security authentication
CN107040922B: Wireless network connecting method, apparatus and system
CN105554747B: Wireless network connecting method, apparatus and system
CN109474432A: Digital certificate management method and equipment
KR101508360B1: Apparatus and method for transmitting data, and recording medium storing program for executing method of the same in computer
TW478269B: Method and apparatus for initializing mobile wireless devices
TW498669B: Method and apparatus for exclusively pairing wireless devices
CN103427992B: The method and system of secure communication is set up between node in a network
CN108390851A: A kind of secure remote control system and method for industrial equipment
CN101720071B: Short message two-stage encryption transmission and secure storage method based on safety SIM card
CN108667791B: Identity authentication method
CN110445747A: System and method for the exchange of encrypted transport data service
CN104378379B: A kind of digital content encrypted transmission method, equipment and system
CN104202170B: A kind of identity authorization system and method based on mark
CN101090316A: Identify authorization method between storage card and terminal equipment at off-line state
CN101159624B: Account use monitoring method
CN106571915A: Terminal master key setting method and apparatus
CN109936509A: A kind of equipment group authentication method and system based on diverse identities
JP5495194B2: Account issuing system, account server, service server, and account issuing method
CN109978479A: A kind of electronic invoice method of charging out, device, data sharing server and system
CN108683506A: A kind of applying digital certificate method, system, mist node and certificate authority
KR101568940B1: Authentication method for device to device communication in mobile open iptv system and device to device communication method in mobile open iptv system
CN113163399A: Communication method and device of terminal and server

Legal Events

PB01: Publication (application publication date 2018-10-16)
SE01: Entry into force of request for substantive examination
WD01: Invention patent application deemed withdrawn after publication