CN108667781A - Digital certificate management method and device - Google Patents
Digital certificate management method and device
Publication number: CN108667781A (application number CN201710211790.1)
Authority: CN (China)
Legal status: Pending
Classifications
- H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L9/085: Key distribution or management; secret sharing or secret splitting, e.g. threshold schemes
- H04L9/3263: Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention provides a digital certificate management method and device. The method includes: a certificate-applicant device sends a digital certificate management request message to a certificate-issuing device, where the certificate request data carried in the request message is encrypted with a data session key, the data session key being a pre-shared key between the applicant device and the issuing device; the issuing device receives the request message and sends a digital certificate management response message to the applicant device; the applicant device receives and processes the response message and obtains a processing result. The invention can effectively improve the security of digital certificate management.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a digital certificate management method and device.
Background art
With the development of network security technology, ensuring the confidentiality and integrity of information transferred over networks has become an important research topic. A digital certificate is a means of verifying the identity of a network communication entity; digital certificate technology can be used for data encryption, identity authentication and so on. A digital certificate is usually issued by a certificate-issuing device to a certificate-applicant device and can be used to identify the applicant device.
In the prior art there is a method for automatic application for digital certificates, used for the application, update and issuance of digital certificates in a WLAN. In that method the applicant device sends a message over the WLAN to the issuing device notifying it of the certificate generation methods the applicant supports, so that the issuing device can generate a new certificate. The messages exchanged between the applicant device and the issuing device are transmitted in plaintext; the two sides only perform an integrity check on each message to determine that it has not been tampered with. This guarantees only the integrity and authenticity of the data and cannot effectively protect its confidentiality. In particular, when the applicant device and the issuing device exchange data over other forms of network, the plaintext transmission leaves this approach with the defect of low security.
Summary of the invention
The present invention provides a digital certificate management method and device that encrypt the data transmitted between a certificate-applicant device and a certificate-issuing device, effectively improving the security of digital certificate management.
For this purpose, the present invention provides the following technical solutions:
In a first aspect, the present invention provides a digital certificate management method, including: a certificate-applicant device sends a digital certificate management request message to a certificate-issuing device, where the certificate request data carried in the request message is encrypted with a data session key, the data session key being a pre-shared key between the applicant device and the issuing device; the issuing device receives the request message and sends a digital certificate management response message to the applicant device; the applicant device receives and processes the response message and obtains a processing result.
In a second aspect, the present invention provides a certificate-applicant device, including: a sending unit for sending a digital certificate management request message to a certificate-issuing device, where the certificate request data carried in the request message is encrypted with a data session key, the data session key being a pre-shared key between the applicant device and the issuing device; an encryption unit for encrypting the certificate request data carried in the request message with the data session key; a receiving unit for receiving the digital certificate management response message sent by the issuing device; and a processing unit for processing the response message and obtaining a processing result.
In a third aspect, the present invention provides a device for applying for a digital certificate, including a memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs include instructions for: sending a digital certificate management request message to a certificate-issuing device, where the certificate request data carried in the request message is encrypted with a data session key, the data session key being a pre-shared key between the applicant device and the issuing device; receiving the digital certificate management response message sent by the issuing device; and processing the response message to obtain a processing result.
In a fourth aspect, the present invention provides a certificate-issuing device, including: a receiving unit for receiving the digital certificate management request message sent by a certificate-applicant device, where the certificate request data carried in the request message is encrypted with a data session key, the data session key being a pre-shared key between the applicant device and the issuing device; a processing unit for processing the request message and generating a digital certificate management response message; and a sending unit for sending the response message to the applicant device.
In a fifth aspect, the present invention provides a device for issuing digital certificates, including a memory and one or more programs, where the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs include instructions for: receiving the digital certificate management request message sent by a certificate-applicant device, where the certificate request data carried in the request message is encrypted with a data session key, the data session key being a pre-shared key between the applicant device and the issuing device; processing the request message and generating a digital certificate management response message; and sending the response message to the applicant device.
In the digital certificate management method and device provided by the invention, the messages exchanged between the certificate-applicant device and the certificate-issuing device can be encrypted; for example, the certificate request data carried in the request message is encrypted with the data session key. Because the transmitted certificate request data is encrypted, the security of data transmission is effectively improved, and the scheme can be applied to automatic application, query, update and revocation of digital certificates and to revocation list retrieval in a variety of scenarios.
Description of the drawings
To explain the embodiments of the invention or the prior-art solutions more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below show only some of the embodiments recorded in the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is an exemplary application scenario to which embodiments of the invention are applicable;
Fig. 2 is a flowchart of the digital certificate management method provided by one embodiment of the invention;
Fig. 3 is a flowchart of the digital certificate management method provided by another embodiment of the invention;
Fig. 4 is a schematic diagram of the negotiation and establishment of the secure data channel provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of the message contents in the method for automatic application, query, update and issuance of digital certificates provided by one embodiment of the invention;
Fig. 6 is a block diagram of a certificate-applicant device according to an exemplary embodiment;
Fig. 7 is a block diagram of a device for applying for a digital certificate according to another exemplary embodiment;
Fig. 8 is a block diagram of a certificate-issuing device according to an exemplary embodiment;
Fig. 9 is a block diagram of a device for issuing digital certificates according to another exemplary embodiment.
Detailed description
The present invention provides a digital certificate management method and device that encrypt the data transmitted between a certificate-applicant device and a certificate-issuing device, effectively improving the security of digital certificate management.
To help those skilled in the art better understand the technical solutions of the invention, the solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the invention.
Fig. 1 shows an exemplary application scenario. The method and device provided by the embodiments can be applied to the scenario of Fig. 1, in which the certificate-applicant device and the certificate-issuing device are connected over a network; the connection can be any wired and/or wireless connection (for example WLAN, LAN, cellular, coaxial cable and so on). In the example of Fig. 1 the applicant device includes, but is not limited to, existing or future smartphones, feature phones, tablets, laptop and desktop personal computers, minicomputers, midrange computers, mainframes and the like. The applicant device can apply for, download and update certificates from the issuing device (for example a certificate authority (CA) server) over whatever network the applicant uses. Embodiments of the invention can be applied in industries such as wireless operator networks, aviation, transportation, power, broadcasting, finance, healthcare, education, industry and commerce. These scenarios are given only to aid understanding; embodiments of the invention are not limited in this respect and can be applied to any applicable scenario.
The digital certificate management method of the exemplary embodiments is described below with reference to Figs. 2 to 5.
Fig. 2 is a flowchart of the digital certificate management method provided by one embodiment of the invention. As shown in Fig. 2, the method may include:
S201: the certificate-applicant device sends a digital certificate management request message to the certificate-issuing device; the certificate request data carried in the request message is encrypted with a data session key, the data session key being a pre-shared key between the applicant device and the issuing device.
In some embodiments the certificate request data carried in the request message is encrypted with the data session key. The invention does not limit the data session key: it can be a pre-shared key between the applicant device and the issuing device, and optionally the authorization code shared between the applicant device and the issuing device can be used as that pre-shared key.
In a specific implementation, the certificate applicant can request from the certificate issuer an authorization code for downloading a digital certificate. The applicant can be, for example, the certificate-applicant device, and the issuer the certificate-issuing device. The invention does not limit how the authorization code is requested: for example, the applicant can request it by SMS, e-mail, a dedicated request message and so on, and the issuer can deliver it to the applicant by SMS, e-mail, a dedicated message and so on. Usually the authorization code is generated by the issuer itself, either on demand when the applicant requests it or in advance for later use. In form it can be a combination of letters, digits and/or symbols and is subject to a length requirement; it also has a validity period, after which it expires. The issuer gives different applicants different authorization codes.
In other embodiments, before the applicant device sends the request message to the issuing device, the method further includes: the applicant device uses the obtained authorization code to negotiate the establishment of a secure data channel with the issuing device and generates a security key, where the security key includes a data communication key. During establishment of the secure data channel the applicant device can use the authorization code to generate the security key, which may consist of one or more keys, among them the data communication key. The data communication key is used to encrypt the messages transmitted between the applicant device and the issuing device in the secure data channel. The security key can be generated on both the applicant side and the issuing side, so that each side can encrypt and decrypt messages.
When a secure data channel exists, the certificate request data can be encrypted with the data session key under the encryption algorithm named by an encryption algorithm identifier, and, when the message is transmitted over the secure data channel, the entire request message can additionally be encrypted with the data communication key. In this way the certificate request data receives two layers of confidentiality protection. The data session key can be used to encrypt the certificate request data and/or the certificate response data; the certificate request data is the data carried in the request message and the certificate response data is the data carried in the response message.
For security reasons the keys used for the two encryption layers (the data communication key and the data session key) are different. The applicant device and the issuing device can agree in advance on the number of encryption layers, the encryption algorithm, and which key type (data communication key or data session key) is used for each layer.
In some embodiments the certificate request data carried in the request message includes certificate request information, a signature algorithm identifier and a signature value.
The certificate request information may include the certificate version, holder information, the holder's public key information and extensions. These elements are concise and satisfy the basic requirements of a certificate. The signature value is obtained after the applicant device locally generates a public/private key pair and signs the certificate request information with the private key using the signature algorithm named by the signature algorithm identifier. The issuing device verifies the signature against the holder public key carried in the certificate request information and thereby determines whether the key pair belongs to the applicant device; the signature algorithm identifier and signature value thus allow verification that the key pair belongs to the claimed entity.
In other embodiments the certificate request information can carry fuller information: a serial number, the issuer name and the validity period. These elements extend the issuing function, for example when the applicant needs to constrain specific fields of the certificate. In this case the certificate request data can be encrypted; specifically, the certificate request data is obtained by the applicant device encrypting the certificate request information, signature algorithm identifier and signature value with the data session key. Further, if the applicant device and/or the issuing device supports two or more encryption algorithms, the certificate request data should also include an encryption algorithm identifier; the certificate request data then consists of the encryption algorithm identifier together with the data obtained by encrypting the certificate request information, signature algorithm identifier and signature value with the data session key under the algorithm named by that identifier. This structure of certificate request data is more complete and more widely usable: it lets the issuer verify that the key pair belongs to the entity while keeping the certificate request data confidential. When a secure data channel exists, using this structure gives the certificate request data two layers of confidentiality protection and further improves transmission security.
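The certificate request data structure of the preceding passage, as an added example in Go that is not the patent's own code: the applicant generates a key pair locally and signs the certificate request information with the private key; the issuer verifies that signature with the holder public key carried inside the request, which is the "does the key pair belong to the applicant" check the description calls for. The JSON encoding, the field names, the choice of ECDSA P-256 with SHA-256 and the identifier string ecdsa-with-SHA256 are assumptions; the patent fixes none of them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// CertRequestInfo holds the elements the description lists for the certificate
// request information. JSON is an assumed encoding; the patent fixes no format.
type CertRequestInfo struct {
	Version    int               `json:"version"`
	Holder     string            `json:"holder"`
	PublicKey  []byte            `json:"public_key"` // holder public key, PKIX DER
	Extensions map[string]string `json:"extensions,omitempty"`
}

// CertRequestData is the certificate request data before any encryption:
// request information, signature algorithm identifier and signature value.
type CertRequestData struct {
	Info      CertRequestInfo `json:"info"`
	SigAlg    string          `json:"sig_alg"`
	Signature []byte          `json:"sig"`
}

const sigAlgECDSAP256 = "ecdsa-with-SHA256" // assumed identifier string

// BuildRequestData is the applicant side: the key pair was generated locally
// and the request information is signed with its private key.
func BuildRequestData(priv *ecdsa.PrivateKey, holder string, ext map[string]string) (*CertRequestData, error) {
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	info := CertRequestInfo{Version: 3, Holder: holder, PublicKey: pub, Extensions: ext}
	infoBytes, _ := json.Marshal(info) // deterministic for these field types
	digest := sha256.Sum256(infoBytes)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &CertRequestData{Info: info, SigAlg: sigAlgECDSAP256, Signature: sig}, nil
}

// VerifyRequestData is the issuer side: check the signature with the holder
// public key carried in the request information. Success shows the applicant
// holds the private key matching the public key it asks to have certified.
func VerifyRequestData(req *CertRequestData) error {
	if req.SigAlg != sigAlgECDSAP256 {
		return errors.New("unsupported signature algorithm")
	}
	pubAny, err := x509.ParsePKIXPublicKey(req.Info.PublicKey)
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return errors.New("holder public key is not a valid ECDSA key")
	}
	infoBytes, _ := json.Marshal(req.Info)
	digest := sha256.Sum256(infoBytes)
	if !ecdsa.VerifyASN1(pub, digest[:], req.Signature) {
		return errors.New("signature does not verify: key pair not proven")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	req, err := BuildRequestData(priv, "CN=device-0001", map[string]string{"keyUsage": "digitalSignature"})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request:", VerifyRequestData(req))
	// Swapping in another public key without re-signing is rejected: the
	// signature no longer matches the key the request asks to certify.
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	req.Info.PublicKey, _ = x509.MarshalPKIXPublicKey(&other.PublicKey)
	fmt.Println("substituted key:", VerifyRequestData(req))
}
```

This check proves possession of the private key, not who the applicant is: anyone can generate a key pair and produce a valid self-signature. Binding the request to an authorized applicant is what the data session key derived from the authorization code provides in the patent's scheme, which is why the description encrypts this whole structure rather than relying on the signature alone.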
S202: the certificate-issuing device receives the digital certificate management request message and sends a digital certificate management response message to the certificate-applicant device.
After receiving the request message, the issuing device processes the data it carries and sends the response message to the applicant device. Specifically, because the certificate request data carried in the request message is encrypted with the data session key, the issuing device first decrypts the request message with the corresponding data session key, then processes the data carried in it and sends the response message to the applicant device.
The certificate response data carried in the response message can be plaintext or can be encrypted with the data session key.
Further, when the applicant device has used the obtained authorization code to negotiate a secure data channel with the issuing device and generate the security key, the issuing device can send the response message to the applicant device over the secure data channel, with the response message encrypted with the data communication key.
In a specific implementation, depending on whether the certificate request data and/or the certificate response data are encrypted, the following modes are possible:
(1) The certificate request data is encrypted with the data session key and the certificate response data is plaintext. Only the certificate request data receives one layer of encryption; the certificate response data is transmitted in plaintext.
(2) The certificate request data and the certificate response data are both encrypted with the data session key, using the same data session key and the same encryption mode. Each receives one layer of encryption.
(3) The certificate request data receives a first layer of encryption with the data session key, and the request message as a whole receives a second layer with the data communication key of the secure data channel. The certificate response data is plaintext, and the response message receives one layer of encryption with the data communication key. The request message is thus encrypted twice and the response message once.
(4) The certificate request data and the certificate response data each receive a first layer of encryption with the data session key, and the request message and the response message each receive a second layer with the data communication key of the secure data channel. Both messages are encrypted twice.
The invention does not limit the encryption mode; the applicant device and the issuing device can agree in advance on the number of encryption layers, the encryption algorithm, and which key type (data communication key or data session key) each layer uses.
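The two-layer encryption of modes (3) and (4), and the requirement above that the two layers use different keys, as an added example in Go that is not the patent's own code. Both keys are derived from the authorization code with different labels, so they are distinct; the applicant encrypts the certificate request data under the data session key and then the whole message under the data communication key, and the issuer removes the layers in the reverse order. The HMAC-SHA256 key derivation, AES-256-GCM, the label strings, the sample authorization code and the sample certificate request data are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey expands the authorization code (the pre-shared key) into one
// 32-byte key per purpose. HMAC-SHA256 with a label is an assumed KDF; the
// patent names none. Different labels give the two distinct keys required.
func deriveKey(authCode []byte, label string) []byte {
	m := hmac.New(sha256.New, authCode)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// gcm returns an AES-256-GCM AEAD (assumed cipher). Keys come from deriveKey,
// so a wrong key length is a programming error rather than a runtime condition.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts and authenticates plaintext, prefixing a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or any modification fails authentication.
func open(key, ciphertext []byte) ([]byte, error) {
	g := gcm(key)
	if len(ciphertext) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ciphertext[:g.NonceSize()], ciphertext[g.NonceSize():], nil)
}

// WrapRequest applies mode (4) on the applicant side: the certificate request
// data is encrypted under the data session key, and the resulting message is
// encrypted again under the data communication key of the secure channel.
func WrapRequest(certRequestData, sessionKey, commKey []byte) ([]byte, error) {
	if bytes.Equal(sessionKey, commKey) {
		return nil, errors.New("data session key and data communication key must differ")
	}
	inner := seal(sessionKey, certRequestData)
	return seal(commKey, inner), nil
}

// UnwrapRequest is the issuer side: remove the channel layer first, then the
// session layer, recovering the certificate request data.
func UnwrapRequest(msg, sessionKey, commKey []byte) ([]byte, error) {
	inner, err := open(commKey, msg)
	if err != nil {
		return nil, fmt.Errorf("data communication key layer: %w", err)
	}
	plain, err := open(sessionKey, inner)
	if err != nil {
		return nil, fmt.Errorf("data session key layer: %w", err)
	}
	return plain, nil
}

func main() {
	authCode := []byte("7K2F-9QXD-41MZ") // constructed sample authorization code
	sessionKey := deriveKey(authCode, "data-session-key")
	commKey := deriveKey(authCode, "data-communication-key")
	certRequestData := []byte(`{"holder":"CN=device-0001","sig_alg":"ecdsa-with-SHA256"}`) // constructed
	msg, err := WrapRequest(certRequestData, sessionKey, commKey)
	if err != nil {
		panic(err)
	}
	got, err := UnwrapRequest(msg, sessionKey, commKey)
	fmt.Printf("recovered=%q err=%v\n", got, err)
	// Flipping one bit anywhere is caught by the outer authentication tag.
	msg[len(msg)-1] ^= 0x01
	_, err = UnwrapRequest(msg, sessionKey, commKey)
	fmt.Println("tampered message:", err)
}
```

Because both keys here descend from the same authorization code, the second layer adds nothing against a party who already holds that code; it does keep a relay that is only given the data communication key from reading the certificate request data. A channel negotiation along the lines of Fig. 4 that mixes fresh per-session material into the data communication key would make the two layers independent.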
In a specific implementation, the invention does not limit the messages exchanged between the applicant device and the issuing device or the manner of exchange; any exchange that achieves the interaction above and realizes automatic application, query, update and issuance of digital certificates falls within the protection scope of the invention. In some embodiments the request message can be of types such as certificate request information, certificate retrieval information, certificate revocation information and certificate revocation list information, and the response message includes certificate response information.
S203: the certificate-applicant device receives and processes the digital certificate management response message and obtains a processing result.
In a specific implementation, the applicant device verifies the response message, extracts its content, selects the digital certificate to use according to its needs, and installs or updates the certificate. When the response message has been encrypted, the applicant device must decrypt it with the data communication key; when the certificate response data carried in the response message has been encrypted, the applicant device must additionally decrypt the certificate response data with the data session key.
The method further includes:
S204: the certificate-applicant device generates a digital certificate management confirmation message and sends it to the certificate-issuing device.
In a specific implementation, when the applicant device has used the obtained authorization code to negotiate a secure data channel with the issuing device and generate the security key, the applicant device can also send the confirmation message to the issuing device over the secure data channel, with the message encrypted with the data communication key.
S205: the certificate-issuing device receives and processes the digital certificate management confirmation message.
In this embodiment of the invention, during the message exchange between the applicant device and the issuing device, the certificate request data carried in the request message is encrypted with the generated data session key, which effectively improves the security of data transmission; the scheme is applicable to automatic application, query, update and revocation of digital certificates and to revocation list retrieval in a variety of scenarios.
Be more clearly understood that embodiment of the present invention under concrete scene for the ease of those skilled in the art, below with
Embodiment of the present invention is introduced in one specific example.It should be noted that the specific example is only so that this field skill
Art personnel more clearly understand the present invention, but embodiments of the present invention are not limited to the specific example.It should be noted that following
Embodiment is illustrated so that digital certificate management request message is through encryption twice as an example, and those skilled in the art can be herein
Other realization methods of the present invention are obtained on the basis of embodiment.
Referring to Fig. 3, the digital certificate management method flow chart provided for another embodiment of the present invention.As shown in figure 3, can be with
Include the following steps:
S301, the digital certificate requesting device obtains an authorization code.
In a specific implementation, the digital certificate requesting device requests from the digital certificate issuing device an authorization code for downloading a digital certificate, and obtains the authorization code sent by the digital certificate issuing device.
S302, the digital certificate requesting device uses the obtained authorization code to negotiate a secure data channel with the digital certificate issuing device and generates security keys; wherein the data session key is a pre-shared key between the digital certificate requesting device and the digital certificate issuing device.
In a specific implementation, to ensure the security of the information transmitted while the digital certificate is being issued, a secure data channel may be negotiated between the digital certificate requesting device and the digital certificate issuing device. Optionally, the digital certificate requesting device may use the obtained authorization code to negotiate the secure data channel with the digital certificate issuing device and generate the security keys.
The present invention does not limit the way in which the secure data channel is established, as long as the authorization code can be used to generate a shared security key for data transmission. In a specific implementation, the secure data channel may be established, for example, as follows:
S302A, the digital certificate requesting device performs the secure data channel negotiation with the digital certificate issuing device.
S302B, the digital certificate requesting device and the digital certificate issuing device generate the security keys of the secure data channel from the authorization code and from the random numbers and identity information obtained during the negotiation.
The security keys include a data communication key, which the digital certificate requesting device and the digital certificate issuing device use to encrypt the messages they exchange over the secure data channel.
S302C, the digital certificate requesting device and the digital certificate issuing device verify the secure channel confirmation message by means of an integrity check code.
For the specific implementation, reference may be made to the schematic diagram of the secure data channel negotiation and establishment shown in Fig. 4. Specifically, the digital certificate requesting device performs the secure data channel negotiation with the digital certificate issuing device as follows: the digital certificate requesting device sends a first random number and first identity information to the digital certificate issuing device, and receives a second random number and second identity information sent by the digital certificate issuing device. The first random number is generated at random by the digital certificate requesting device, and the first identity information may specifically be an identity of the digital certificate requesting device, such as an IP address, a MAC address, an e-mail address, a domain-name string or an international mobile subscriber identity (IMSI). The second random number is generated at random by the digital certificate issuing device, and the second identity information may specifically be an identity of the digital certificate issuing device, such as an IP address, a MAC address, an e-mail address, a domain-name string or an IMSI. The exchange of random numbers and identity information between the digital certificate requesting device and the digital certificate issuing device may be initiated first by either device; the present invention does not limit the specific order of interaction.
In some embodiments, generating the security keys of the secure data channel from the authorization code and from the random numbers and identity information obtained during the negotiation includes: the digital certificate requesting device and the digital certificate issuing device generate the security keys from the authorization code, the first random number, the first identity information, the second random number and the second identity information. It should be noted that the security keys generated on the digital certificate requesting device side and on the digital certificate issuing device side are identical. The security keys may comprise one or more keys; for example, they may include a data communication key for data transmission and an integrity check key for integrity checking.
In some embodiments, the security keys further include an integrity check key, and the key confirmation of the secure data channel by means of an integrity check code includes: the digital certificate requesting device and the digital certificate issuing device generate an integrity check code from the random numbers and the integrity check key, and verify the secure channel confirmation message with that integrity check code.
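The negotiation of S302A to S302C worked through in code, as an added example that is not part of the patent. The patent specifies neither the key derivation function nor how the integrity check code is computed, so HKDF-SHA256 (RFC 5869), HMAC-SHA256, the length-prefixed transcript, the role labels, the identity strings and the authorization codes are all assumptions of this illustration:

```python
"""Secure data channel negotiation (S302A to S302C) as described above.
Added illustration, not the patent's own code: the patent leaves the key
derivation function and the integrity check code construction open, so
HKDF-SHA256 (RFC 5869) and HMAC-SHA256 are assumed here.  The identities
and authorization codes are constructed values."""
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_channel_keys(auth_code: bytes, nonce_a: bytes, id_a: bytes,
                        nonce_b: bytes, id_b: bytes) -> tuple[bytes, bytes]:
    """S302B: both sides run the same derivation over the authorization code,
    the first/second random numbers and the first/second identity information,
    so they hold the same (data communication key, integrity check key).
    Fields are length-prefixed so two different exchanges cannot collapse
    into the same transcript string."""
    transcript = b"".join(len(f).to_bytes(2, "big") + f for f in (id_a, nonce_a, id_b, nonce_b))
    okm = hkdf_sha256(auth_code, transcript, b"cert-mgmt-secure-channel", 64)
    return okm[:32], okm[32:]


def confirmation_code(integrity_key: bytes, nonce_a: bytes, nonce_b: bytes, role: bytes) -> bytes:
    """S302C: integrity check code over both random numbers; the role label
    keeps the requester's and the issuer's codes distinct so one cannot simply
    be reflected back to its sender."""
    return hmac.new(integrity_key, role + nonce_a + nonce_b, hashlib.sha256).digest()


def negotiate(auth_code_requester: bytes, auth_code_issuer: bytes) -> dict:
    """Runs one negotiation between a requesting device and an issuing device
    and reports whether key confirmation succeeded.  Passing two different
    authorization codes models a requester that never obtained the code in S301."""
    nonce_a, nonce_b = os.urandom(16), os.urandom(16)      # first / second random number
    id_a = b"aa:bb:cc:dd:ee:ff"                            # constructed MAC address identity
    id_b = b"issuer.example.invalid"                       # constructed domain name identity
    comm_a, integ_a = derive_channel_keys(auth_code_requester, nonce_a, id_a, nonce_b, id_b)
    comm_b, integ_b = derive_channel_keys(auth_code_issuer, nonce_a, id_a, nonce_b, id_b)
    sent_by_a = confirmation_code(integ_a, nonce_a, nonce_b, b"requester")
    sent_by_b = confirmation_code(integ_b, nonce_a, nonce_b, b"issuer")
    # Each side recomputes the peer's code with its own key and compares in constant time.
    issuer_ok = hmac.compare_digest(sent_by_a, confirmation_code(integ_b, nonce_a, nonce_b, b"requester"))
    requester_ok = hmac.compare_digest(sent_by_b, confirmation_code(integ_a, nonce_a, nonce_b, b"issuer"))
    return {"confirmed": issuer_ok and requester_ok, "keys_match": comm_a == comm_b}


if __name__ == "__main__":
    print(negotiate(b"AUTH-1234", b"AUTH-1234"), negotiate(b"AUTH-1234", b"AUTH-9999"))
```

Two points the patent text implies but does not spell out are made explicit here: the identities and random numbers are bound into the derivation with length prefixes, so a peer cannot shift bytes between fields to reach a colliding transcript, and the confirmation codes are compared with a constant-time comparison so the check itself does not leak the integrity check key.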
S303, the digital certificate requesting device sends a digital certificate management request message to the digital certificate issuing device over the secure data channel; wherein the digital certificate management request message is encrypted with the data communication key.
In a specific implementation, the digital certificate requesting device first encrypts the certificate request data carried in the digital certificate management request message with the data session key. The certificate request data include certificate request information, a signature algorithm identifier and a signature value. The certificate request information may include a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period. When the digital certificate requesting device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate request data carried in the digital certificate management request message further include an encryption algorithm identifier; that is, the certificate request data consist of the encryption algorithm identifier together with the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm that the identifier denotes.
When transmitting, the digital certificate requesting device sends the certificate management request message to the digital certificate issuing device after protecting it through the secure data channel. At this point the digital certificate management request message has undergone a second encryption, with the data communication key.
If the digital certificate requesting device does not yet hold a digital certificate issued by the digital certificate issuing device, the certificate management request message carries the certificate information that the newly requested digital certificate is to contain. If the digital certificate requesting device already holds a digital certificate issued by the digital certificate issuing device, the digital certificate management request message it sends carries the information of the existing digital certificate, so that the digital certificate issuing device can query or update the certificate.
In some embodiments, the digital certificate management request message may be of types such as digital certificate request information, digital certificate acquisition information, digital certificate revocation information and digital certificate revocation list information. In a specific implementation, the digital certificate request information, digital certificate revocation information, digital certificate acquisition information and digital certificate revocation list information may take, but are not limited to, the form shown in Table 1.
Table 1 Information types of the digital certificate management request message
Message | Type value | Meaning (information type) |
Digital certificate management request message | 2 | Certificate request information |
Digital certificate management request message | 4 | Certificate acquisition information |
Digital certificate management request message | 5 | Certificate revocation information |
Digital certificate management request message | 6 | Certificate revocation list information |
For example, when the type value of the digital certificate management request message is 2, the message is certificate request information, used to apply for a new digital certificate. When the type value is 4, the message is certificate acquisition information, used to query or update an existing digital certificate. When the type value is 5, the message is certificate revocation information, used to revoke an existing digital certificate. When the type value is 6, the message is certificate revocation list information, used to request a certificate revocation list.
In a specific implementation, the field format of the certificate request information may take, but is not limited to, the form shown in Table 2.
Table 2 Certificate request information
Certificate generation mode | Certificate request data |
In a specific implementation, the field format of the certificate acquisition information may take, but is not limited to, the form shown in Table 3.
Table 3 Certificate acquisition information
Issuing device name | Serial number |
In a specific implementation, the field format of the certificate revocation information may take, but is not limited to, the form shown in Table 4.
Table 4 Certificate revocation information
Issuing device name | Serial number | Revocation reason |
In a specific implementation, the field format of the certificate revocation list information may take, but is not limited to, the form shown in Table 5.
Table 5 Certificate revocation list information
Issuing device name |
S304, the digital certificate requesting device receives, over the secure data channel, the digital certificate management response message sent by the digital certificate issuing device.
In a specific implementation, the certificate response data carried in the digital certificate management response message may be plaintext, or may be data encrypted with the data session key. If they are encrypted with the data session key, the certificate response data use the same data session key and the same encryption mode as the certificate request data.
Further, the digital certificate issuing device sends the digital certificate management response message to the digital certificate requesting device after protecting it through the secure data channel; that is, the digital certificate management response message is encrypted with the data communication key of the secure data channel.
For example, if before transmission the certificate request data carried in the digital certificate management request message were encrypted with the data session key, and the message was then encrypted a second time with the data communication key when transmitted over the secure data channel, then before transmission the digital certificate management response message may likewise first have the certificate response data it carries encrypted once with the data session key, and then the whole digital certificate management response message encrypted a second time with the data communication key. Further, if the digital certificate requesting device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate response data should also include an encryption algorithm identifier; that is, the certificate response data consist of the encryption algorithm identifier together with the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm that the identifier denotes.
When the digital certificate issuing device determines that the digital certificate requesting device needs to apply for a new digital certificate, the digital certificate management response message carries the new digital certificate that the digital certificate issuing device generated from the certificate request data contained in the digital certificate request information. When the digital certificate issuing device determines that the digital certificate requesting device needs to query or update an existing digital certificate, the digital certificate management response message carries the queried or updated digital certificate.
In a specific implementation, the digital certificate issuing device decides how to process the request according to the information type in the digital certificate management request message. If it receives digital certificate request information and the certificate information to be applied for is present, it issues a new digital certificate according to the certificate request data; if the existing digital certificate information contained in certificate acquisition information is present, it looks up the existing digital certificate by issuing device name and serial number; if the issuing device name and serial number contained in certificate revocation information are present, it looks up the existing digital certificate by issuing device name and serial number and revokes it; if certificate revocation list information is present, it looks up the certificate revocation list by issuing device name. The digital certificate issuing device then carries the resulting certificate in the certificate management response message.
The certificate management response message may take, but is not limited to, the form shown in Table 6.
Table 6 Information type of the digital certificate management response message
Message | Type value | Meaning (information type) |
Digital certificate management response message | 3 | Certificate response |
The field format of the certificate response may take, but is not limited to, the form shown in Table 7.
Table 7 Certificate response field format
Certificate generation type | Certificate response data |
The certificate generation type may be as shown in Table 8, which lists the certificate type corresponding to each kind of certificate holder.
Table 8 Certificate types
Type value | Meaning |
1 | Client certificate |
2 | AS certificate |
3 | CA certificate |
4 | Certificate revocation list |
Here an AS certificate is an authentication server certificate, and a CA certificate is a certificate authority certificate.
S305, the digital certificate requesting device processes the certificate management response message and obtains a processing result.
In a specific implementation, the digital certificate requesting device decrypts and checks the digital certificate management response message as needed, obtains the message content, determines which digital certificate to use according to its needs, and carries out processing such as installing or updating the digital certificate.
The method further includes:
S306, the digital certificate requesting device generates a digital certificate management confirmation message and sends the certificate management confirmation message to the digital certificate issuing device.
In a specific implementation, when the digital certificate requesting device has used the obtained authorization code to negotiate a secure data channel with the digital certificate issuing device and has generated the security keys, the digital certificate requesting device may send the digital certificate management confirmation message to the digital certificate issuing device over the secure data channel, the confirmation message being encrypted with the data communication key.
In the embodiments of the present invention, a secure and reliable data transmission channel is established by the messages of S301 and S302, and the automatic application, query and update of digital certificates is achieved by the message exchanges of S303 to S306, so that digital certificate management is more efficient, secure and reliable. Fig. 5 is a schematic diagram of the message contents in the method for the automatic application, query, update and issuance of digital certificates. As shown in Fig. 5, the digital certificate management request message CertReq may specifically contain digital certificate request information, digital certificate acquisition information, digital certificate revocation information or digital certificate revocation list information; the digital certificate management response message CertRes may contain the digital certificate response information; and the digital certificate management confirmation message CertConfirm may be used to release the connection between the digital certificate requesting device and the digital certificate issuing device.
The digital certificate management method provided by the present invention has been described above from the side of the digital certificate requesting device. Those skilled in the art will understand that the method provided by the present invention may also be applied on the digital certificate issuing device side, which may perform processing corresponding to the examples shown in Figs. 2 to 5. For example, applied on the certificate issuing device side, the method may also include: the digital certificate issuing device receives the digital certificate management request message sent by the digital certificate requesting device, the certificate request data carried in the digital certificate management request message being encrypted with the data session key; the digital certificate issuing device processes the digital certificate management request message and generates a digital certificate management response message; and the digital certificate issuing device sends the digital certificate management response message to the digital certificate requesting device.
In some embodiments, the method further includes: the digital certificate issuing device receives and processes the digital certificate management confirmation message sent by the digital certificate requesting device.
In some embodiments, the digital certificate issuing device uses the authorization code to negotiate a secure data channel with the digital certificate requesting device and generates the security keys.
For the specific implementation, reference may be made to the methods of Figs. 2 to 5.
Referring to Fig. 6, a schematic diagram of the digital certificate requesting device provided by an embodiment of the present invention.
A digital certificate requesting device 600 includes:
a sending unit 601, configured to send a digital certificate management request message to the digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with the data session key; wherein the data session key is a pre-shared key between the digital certificate requesting device and the digital certificate issuing device;
an encryption unit 602, configured to encrypt the certificate request data carried in the digital certificate management request message with the data session key;
a receiving unit 603, configured to receive the digital certificate management response message sent by the digital certificate issuing device; and
a processing unit 604, configured to process the digital certificate management response message and obtain a processing result.
In some embodiments, the processing unit 604 is further configured to generate a digital certificate management confirmation message, and the sending unit 601 is further configured to send the digital certificate management confirmation message to the digital certificate issuing device.
In some embodiments, the sending unit 601 is specifically configured to send to the digital certificate issuing device a digital certificate management request message carrying certificate request data, the certificate request data including certificate request information, a signature algorithm identifier and a signature value. In some embodiments, the certificate request information may include a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period. When the digital certificate requesting device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate request data carried in the digital certificate management request message that the sending unit 601 sends to the digital certificate issuing device further include an encryption algorithm identifier; that is, the certificate request data consist of the encryption algorithm identifier together with the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm that the identifier denotes. Correspondingly, the encryption unit 602 is specifically configured to encrypt the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm denoted by the encryption algorithm identifier.
In some embodiments, the device further includes:
a secure data channel establishing unit, configured to use the obtained authorization code to negotiate a secure data channel with the digital certificate issuing device and generate security keys; wherein the security keys include a data communication key;
the sending unit 601 is specifically configured to send the digital certificate management request message to the digital certificate issuing device over the secure data channel, the digital certificate management request message being encrypted with the data communication key; and
the encryption unit 602 is further configured to encrypt the digital certificate management request message with the data communication key.
In some embodiments, the sending unit 601 is specifically configured to send the digital certificate management confirmation message to the digital certificate issuing device over the secure data channel, the digital certificate management confirmation message being encrypted with the data communication key; and the encryption unit 602 is further configured to encrypt the digital certificate management confirmation message with the data communication key.
For the arrangement of the units or modules of the device of the present invention, reference may be made to the implementation of the methods shown in Figs. 2 to 5, which is not repeated here. It should be noted that the digital certificate management device may be an independent device, may be integrated with the digital certificate issuing device, or may exist as a part of the digital certificate issuing device; this is not limited here.
Referring to Fig. 7, a block diagram of a device for requesting a digital certificate provided by another embodiment of the present invention. The device includes at least one processor 701 (such as a CPU), a memory 702 and at least one communication bus 703 for connecting and communicating between these components. The processor 701 is configured to execute executable modules, such as computer programs, stored in the memory 702. The memory 702 may include a high-speed random access memory (RAM) and may also include a non-volatile memory, for example at least one disk memory. One or more programs are stored in the memory and are configured to be executed by the one or more processors 701; the one or more programs contain instructions for performing the following operations: sending a digital certificate management request message to the digital certificate issuing device, the certificate request data carried in the digital certificate management request message being encrypted with the data session key, wherein the data session key is a pre-shared key between the digital certificate requesting device and the digital certificate issuing device; receiving the digital certificate management response message sent by the digital certificate issuing device; and processing the digital certificate management response message to obtain a processing result.
In some embodiments, the processor 701 is further configured to execute the one or more programs, which contain instructions for: generating a digital certificate management confirmation message and sending the digital certificate management confirmation message to the digital certificate issuing device.
In some embodiments, the processor 701 is specifically configured to execute the one or more programs, which contain instructions for: using the obtained authorization code to negotiate a secure data channel with the digital certificate issuing device and generating security keys, wherein the security keys include a data communication key.
In some embodiments, the processor 701 is specifically configured to execute the one or more programs, which contain instructions for: sending the digital certificate management request message to the digital certificate issuing device over the secure data channel, the digital certificate management request message being encrypted with the data communication key.
Referring to Fig. 8, a schematic diagram of the digital certificate issuing device provided by an embodiment of the present invention.
A digital certificate issuing device 800 includes:
a receiving unit 801, configured to receive the digital certificate management request message sent by the digital certificate requesting device, the certificate request data carried in the digital certificate management request message being encrypted with the data session key; wherein the data session key is a pre-shared key between the digital certificate requesting device and the digital certificate issuing device;
a processing unit 802, configured to process the digital certificate management request message and generate a digital certificate management response message; and
a sending unit 803, configured to send the digital certificate management response message to the digital certificate requesting device.
In some embodiments, the receiving unit 801 is further configured to receive the digital certificate management confirmation message sent by the digital certificate requesting device, and the processing unit 802 is further configured to process the digital certificate management confirmation message.
In some embodiments, the certificate response data carried in the digital certificate management response message sent by the sending unit 803 are encrypted with the data session key; the device further includes an encryption unit 804, specifically configured to encrypt the certificate response data carried in the digital certificate management response message with the data session key.
The certificate request data carried in the digital certificate management request message received by the receiving unit 801 are encrypted with the data session key and include certificate request information, a signature algorithm identifier and a signature value; the certificate request information includes a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period.
In some embodiments, when the digital certificate issuing device supports two or more encryption algorithms, the certificate response data sent by the sending unit 803 further include an encryption algorithm identifier; that is, the certificate response data consist of the encryption algorithm identifier together with the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm that the identifier denotes. Correspondingly, the encryption unit 804 is further specifically configured to encrypt the certificate response data with the data session key using the encryption algorithm denoted by the encryption algorithm identifier.
In some embodiments, the device further includes:
a secure data channel establishing unit, configured to use the obtained authorization code to negotiate a secure data channel with the digital certificate requesting device and generate security keys; wherein the security keys include a data communication key;
the sending unit is specifically configured to send the digital certificate management response message to the digital certificate requesting device over the secure data channel, the digital certificate management response message being encrypted with the data communication key; and
the encryption unit 804 is further configured to encrypt the digital certificate management response message with the data communication key.
It is the block diagram for the equipment issued for digital certificate that another embodiment of the present invention provides referring to Fig. 9.Including:Extremely
A few processor 901 (such as CPU), memory 902 and at least one communication bus 903, for realizing between these equipment
Connection communication.Processor 901 is for executing the executable module stored in memory 902, such as computer program.Memory
902 may include high-speed random access memory (RAM:Random Access Memory), it is also possible to further include non-unstable
Memory (non-volatile memory), a for example, at least magnetic disk storage.One or the storage of more than one program
In memory, and be configured by one or more than one processor 901 execute the one or more programs packet
The instruction for being operated below contained:Receive the digital certificate management request message that applying digital certificate equipment is sent, institute
The certificate request data of digital certificate management request message carrying are stated through data session key encryption;Wherein, the data
Session key is that the applying digital certificate equipment and the digital certificate issue the wildcard between equipment;To the number
Word certificate management request message is handled, and generates digital certificate management response message;To the applying digital certificate equipment
Send digital certificate management response message.
In some embodiments, the processor 901 is further configured to execute the one or more programs, which contain instructions for performing the following operation: receiving and processing a digital certificate management confirmation message sent by the digital certificate applicant device.
In some embodiments, the processor 901 is specifically configured to execute the one or more programs, which contain instructions for performing the following operation: negotiating with the digital certificate applicant device, using an obtained authorization code, to establish a secure data channel and generate a security key, where the security key includes a data communication key.
In some embodiments, the processor 901 is specifically configured to execute the one or more programs, which contain instructions for performing the following operation: sending the digital certificate management response message to the digital certificate applicant device over the secure data channel, the digital certificate management response message being encrypted with the data communication key.
Those skilled in the art will understand that the foregoing method and devices correspond to one another.
Other embodiments of the present invention will readily occur to those skilled in the art after considering the specification and practising the invention disclosed herein. The present invention is intended to cover any variations, uses or adaptations of the present invention that follow its general principles and include common knowledge or conventional technical means in the art not disclosed herein. The description and examples are to be considered illustrative only; the true scope and spirit of the invention are indicated by the following claims.
It should be understood that the invention is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the invention is limited only by the appended claims.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included in its scope of protection.
It should be noted that herein, relational terms such as first and second and the like are used merely to a reality
Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation
In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to
Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those
Element, but also include other elements that are not explicitly listed, or further include for this process, method, article or equipment
Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that
There is also other identical elements in process, method, article or equipment including the element.The present invention can be by calculating
Described in the general context for the computer executable instructions that machine executes, such as program module.Usually, program module includes holding
The routine of row particular task or realization particular abstract data type, program, object, component, data structure etc..It can also divide
The present invention is put into practice in cloth computing environment, in these distributed computing environments, by connected long-range by communication network
Processing equipment executes task.In a distributed computing environment, program module can be located at the local including storage device
In remote computer storage medium.
Each embodiment in this specification is described in a progressive manner, identical similar portion between each embodiment
Point just to refer each other, and each embodiment focuses on the differences from other embodiments.Especially for equipment reality
For applying example, since it is substantially similar to the method embodiment, so describing fairly simple, related place is referring to embodiment of the method
Part explanation.Apparatus embodiments described above are merely indicative, wherein described be used as separating component explanation
Unit may or may not be physically separated, the component shown as unit may or may not be
Physical unit, you can be located at a place, or may be distributed over multiple network units.It can be according to the actual needs
Some or all of module therein is selected to achieve the purpose of the solution of this embodiment.Those of ordinary skill in the art are not paying
In the case of creative work, you can to understand and implement.The above is only the specific implementation mode of the present invention, should be referred to
Go out, for those skilled in the art, without departing from the principle of the present invention, can also make several
Improvements and modifications, these improvements and modifications also should be regarded as protection scope of the present invention.
Claims (16)
1. A digital certificate management method, characterized in that it comprises:
a digital certificate applicant device sending a digital certificate management request message to a digital certificate issuing device, where the certificate request data carried in the digital certificate management request message is encrypted with a data session key, the data session key being a pre-shared key between the digital certificate applicant device and the digital certificate issuing device;
the digital certificate issuing device receiving the digital certificate management request message and sending a digital certificate management response message to the digital certificate applicant device; and
the digital certificate applicant device receiving and processing the digital certificate management response message to obtain a processing result.
2. The method according to claim 1, characterized in that the method further comprises:
the digital certificate applicant device generating a digital certificate management confirmation message and sending the digital certificate management confirmation message to the digital certificate issuing device; and
the digital certificate issuing device receiving and processing the digital certificate management confirmation message.
3. The method according to claim 2, characterized in that the certificate request data comprises certificate request information, a signature algorithm identifier and a signature value, and the certificate request information comprises a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period;
when the digital certificate applicant device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate request data carried in the digital certificate management request message further comprises an encryption algorithm identifier; specifically, the certificate request data comprises the encryption algorithm identifier and the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier.
4. The method according to claim 3, characterized in that the certificate response data carried in the digital certificate management response message is encrypted with the data session key;
when the digital certificate applicant device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate response data carried in the digital certificate management response message further comprises an encryption algorithm identifier; specifically, the certificate response data comprises the encryption algorithm identifier and the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier.
5. The method according to any one of claims 2 to 4, characterized in that, before the digital certificate applicant device sends the digital certificate management request message to the digital certificate issuing device, the method further comprises:
the digital certificate applicant device negotiating with the digital certificate issuing device, using an obtained authorization code, to establish a secure data channel and generate a security key, where the security key includes a data communication key;
the digital certificate applicant device sending the digital certificate management request message to the digital certificate issuing device comprises:
the digital certificate applicant device sending the digital certificate management request message to the digital certificate issuing device over the secure data channel, the digital certificate management request message being encrypted with the data communication key; and
the digital certificate issuing device sending the digital certificate management response message to the digital certificate applicant device comprises:
the digital certificate issuing device sending the digital certificate management response message to the digital certificate applicant device over the secure data channel, the digital certificate management response message being encrypted with the data communication key.
6. The method according to claim 5, characterized in that the digital certificate applicant device sending the digital certificate management confirmation message to the digital certificate issuing device comprises:
the digital certificate applicant device sending the digital certificate management confirmation message to the digital certificate issuing device over the secure data channel, the digital certificate management confirmation message being encrypted with the data communication key.
7. A digital certificate applicant device, characterized in that the device comprises:
a sending unit, configured to send a digital certificate management request message to a digital certificate issuing device, where the certificate request data carried in the digital certificate management request message is encrypted with a data session key, the data session key being a pre-shared key between the digital certificate applicant device and the digital certificate issuing device;
an encryption unit, configured to encrypt the certificate request data carried in the digital certificate management request message with the data session key;
a receiving unit, configured to receive the digital certificate management response message sent by the digital certificate issuing device; and
a processing unit, configured to process the digital certificate management response message to obtain a processing result.
8. The device according to claim 7, characterized in that the processing unit is further configured to generate a digital certificate management confirmation message, and the sending unit is further configured to send the digital certificate management confirmation message to the digital certificate issuing device.
9. The device according to claim 8, characterized in that the sending unit is specifically configured to send to the digital certificate issuing device a digital certificate management request message carrying certificate request data, the certificate request data comprising certificate request information, a signature algorithm identifier and a signature value, and the certificate request information comprising a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period;
when the digital certificate applicant device and/or the digital certificate issuing device supports two or more encryption algorithms, the certificate request data carried in the digital certificate management request message sent by the sending unit to the digital certificate issuing device further comprises an encryption algorithm identifier; specifically, the certificate request data comprises the encryption algorithm identifier and the data obtained by encrypting the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier; and
the encryption unit is specifically configured to encrypt the certificate request information, the signature algorithm identifier and the signature value with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier.
10. The device according to claim 8 or 9, characterized in that the device further comprises:
a secure data channel establishing unit, configured to negotiate with the digital certificate issuing device, using an obtained authorization code, to establish a secure data channel and generate a security key, where the security key includes a data communication key;
the sending unit is specifically configured to send the digital certificate management request message to the digital certificate issuing device over the secure data channel, the digital certificate management request message being encrypted with the data communication key;
the encryption unit is further configured to encrypt the digital certificate management request message with the data communication key;
the sending unit is further specifically configured to send the digital certificate management confirmation message to the digital certificate issuing device over the secure data channel, the digital certificate management confirmation message being encrypted with the data communication key; and
the encryption unit is further configured to encrypt the digital certificate management confirmation message with the data communication key.
11. A device for digital certificate application, characterized in that it comprises a memory and one or more programs, where the one or more programs are stored in the memory and are configured to be executed by one or more processors, and the one or more programs contain instructions for performing the following operations:
sending a digital certificate management request message to a digital certificate issuing device, where the certificate request data carried in the digital certificate management request message is encrypted with a data session key, the data session key being a pre-shared key between the digital certificate applicant device and the digital certificate issuing device;
receiving a digital certificate management response message sent by the digital certificate issuing device; and
processing the digital certificate management response message to obtain a processing result.
12. A digital certificate issuing device, characterized in that the device comprises:
a receiving unit, configured to receive a digital certificate management request message sent by a digital certificate applicant device, where the certificate request data carried in the digital certificate management request message is encrypted with a data session key, the data session key being a pre-shared key between the digital certificate applicant device and the digital certificate issuing device;
a processing unit, configured to process the digital certificate management request message and generate a digital certificate management response message; and
a sending unit, configured to send the digital certificate management response message to the digital certificate applicant device.
13. The device according to claim 12, characterized in that the receiving unit is further configured to receive a digital certificate management confirmation message sent by the digital certificate applicant device; and
the processing unit is further configured to process the digital certificate management confirmation message.
14. The device according to claim 13, characterized in that the certificate response data carried in the digital certificate management response message sent by the sending unit is encrypted with the data session key;
the device further comprises an encryption unit, specifically configured to encrypt the certificate response data carried in the digital certificate management response message with the data session key;
wherein the certificate request data carried in the digital certificate management request message received by the receiving unit is encrypted with the data session key, the certificate request data comprises certificate request information, a signature algorithm identifier and a signature value, and the certificate request information comprises a version, a holder name, holder public key information, extensions, a serial number, an issuer name and a validity period;
when the digital certificate issuing device supports two or more encryption algorithms, the certificate response data sent by the sending unit further comprises an encryption algorithm identifier; specifically, the certificate response data comprises the encryption algorithm identifier and the data obtained by encrypting the certificate response data with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier; and
correspondingly, the encryption unit is further specifically configured to encrypt the certificate response data with the data session key using the encryption algorithm corresponding to the encryption algorithm identifier.
15. The device according to claim 13 or 14, characterized in that the device further comprises:
a secure data channel establishing unit, configured to negotiate with the digital certificate applicant device, using an obtained authorization code, to establish a secure data channel and generate a security key, where the security key includes a data communication key;
the sending unit is specifically configured to send the digital certificate management response message to the digital certificate applicant device over the secure data channel, the digital certificate management response message being encrypted with the data communication key; and
the encryption unit is further configured to encrypt the digital certificate management response message with the data communication key.
16. A device for digital certificate issuing, characterized in that it comprises a memory and one or more programs, where the one or more programs are stored in the memory and are configured to be executed by one or more processors, and the one or more programs contain instructions for performing the following operations:
receiving a digital certificate management request message sent by a digital certificate applicant device, where the certificate request data carried in the digital certificate management request message is encrypted with a data session key, the data session key being a pre-shared key between the digital certificate applicant device and the digital certificate issuing device;
processing the digital certificate management request message and generating a digital certificate management response message; and
sending the digital certificate management response message to the digital certificate applicant device.
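The following Python models the exchange of claims 1 to 6 and of the Fig. 9 embodiment as an added example; it is not code from the patent or its applicant. The inner layer is the certificate request/response data encrypted under the pre-shared data session key and prefixed by an encryption algorithm identifier, so that either side may support several algorithms; the outer layer is the whole message encrypted under the data communication key that both sides derive from the authorization code. The patent names none of the algorithms, the channel negotiation or the message encoding, so everything concrete here is an assumption: the cipher (HMAC-based keystream plus HMAC tag), the signature (textbook RSA over SHA-256 with small fixed Mersenne primes, for demonstration only), the JSON encoding, the nonce-based channel negotiation, and all keys, names and values.

```python
"""Two-layer encrypted certificate-management exchange (added example, not the patent's code).
Inner layer: request/response data under the pre-shared data session key, prefixed by an
encryption algorithm identifier.  Outer layer: whole message under the data communication key
derived from the authorization code.  Cipher, signature, keys, names and negotiation are all
constructed stand-ins for algorithms the patent leaves unspecified."""
import hashlib, hmac, json, secrets, struct

CIPHERS = {1: hashlib.sha256, 2: hashlib.sha512}   # encryption algorithm identifier -> PRF (assumed registry)

def _keystream(key, nonce, n, prf):
    blocks = n // prf().digest_size + 1
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), prf).digest() for i in range(blocks))

def encrypt(key: bytes, alg_id: int, plaintext: bytes) -> bytes:
    """Return alg_id || nonce || ciphertext || tag; the tag also covers alg_id and nonce."""
    prf = CIPHERS[alg_id]
    head = bytes([alg_id]) + secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, head[1:], len(plaintext), prf)))
    return head + ct + hmac.new(key, head + ct, prf).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Dispatch on the leading identifier; reject unknown algorithms and bad tags before decrypting."""
    if blob[0] not in CIPHERS:
        raise ValueError(f"unsupported encryption algorithm identifier {blob[0]}")
    prf, head = CIPHERS[blob[0]], blob[:17]
    ct, tag = blob[17:-prf().digest_size], blob[-prf().digest_size:]
    if not hmac.compare_digest(tag, hmac.new(key, head + ct, prf).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, head[1:], len(ct), prf)))

# Stand-in signature: textbook RSA over SHA-256 with fixed Mersenne primes (demo only, NOT secure).
def rsa_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))     # (public, private)

def rsa_sign(priv, msg):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)

def rsa_verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def canonical(obj):          # deterministic encoding so signatures survive a JSON round trip
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# Constructed long-term material: pre-shared data session key, authorization code obtained
# out of band by the applicant, and each side's signing key pair.
DATA_SESSION_KEY = hashlib.sha256(b"constructed pre-shared data session key").digest()
AUTHORIZATION_CODE = b"constructed-authorization-code-7f3a"
APPLICANT_PUB, APPLICANT_PRIV = rsa_keypair(2**31 - 1, 2**61 - 1)
ISSUER_PUB, ISSUER_PRIV = rsa_keypair(2**89 - 1, 2**107 - 1)
ISSUER_NAME = "CN=Example Device CA"

def data_communication_key(auth_code, nonce_a, nonce_b):
    """Assumed negotiation: fresh nonces exchanged in the clear, key bound to the authorization code."""
    return hmac.new(auth_code, b"data communication key" + nonce_a + nonce_b, hashlib.sha256).digest()

def applicant_request(alg_id, channel_key):
    """Applicant side of claims 1, 3 and 5: sign the request info, wrap it in both layers."""
    info = {"version": 3, "holder": "CN=device-0001", "holder_public_key": list(APPLICANT_PUB),
            "extensions": {"key_usage": "digitalSignature"}, "serial": 4711,
            "issuer": ISSUER_NAME, "validity": ["2017-04-01", "2018-04-01"]}
    request_data = {"info": info, "sig_alg": "toy-rsa-sha256", "sig": rsa_sign(APPLICANT_PRIV, canonical(info))}
    return encrypt(channel_key, 1, encrypt(DATA_SESSION_KEY, alg_id, canonical(request_data)))

def issuer_process_request(message, channel_key):
    """Issuer side of claims 1, 4 and 5: unwrap, check proof of possession, issue, reply with the same algorithm."""
    inner = decrypt(channel_key, message)
    request = json.loads(decrypt(DATA_SESSION_KEY, inner))
    info, holder_pub = request["info"], tuple(request["info"]["holder_public_key"])
    if request["sig_alg"] != "toy-rsa-sha256" or not rsa_verify(holder_pub, canonical(info), request["sig"]):
        raise ValueError("request signature does not verify under the holder public key it carries")
    if info["issuer"] != ISSUER_NAME:
        raise ValueError("request names a different issuer")
    cert = {"tbs": info, "issuer_sig": rsa_sign(ISSUER_PRIV, canonical(info))}
    response = canonical({"status": "issued", "certificate": cert})
    return encrypt(channel_key, 1, encrypt(DATA_SESSION_KEY, inner[0], response))

def applicant_process_response(message, channel_key):
    """Applicant side of claims 2 and 6: unwrap, verify the issuer, confirm over the channel layer only."""
    response = json.loads(decrypt(DATA_SESSION_KEY, decrypt(channel_key, message)))
    cert = response["certificate"]
    if response["status"] != "issued" or not rsa_verify(ISSUER_PUB, canonical(cert["tbs"]), cert["issuer_sig"]):
        raise ValueError("response is not a certificate signed by the expected issuer")
    confirmation = encrypt(channel_key, 1, canonical({"serial": cert["tbs"]["serial"], "status": "installed"}))
    return cert, confirmation

def issuer_process_confirmation(message, channel_key):
    return json.loads(decrypt(channel_key, message))

def run_exchange(alg_id=1):
    """Drive both sides; returns (certificate held by the applicant, confirmation seen by the issuer)."""
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    k_app = data_communication_key(AUTHORIZATION_CODE, nonce_a, nonce_b)   # derived by the applicant
    k_iss = data_communication_key(AUTHORIZATION_CODE, nonce_a, nonce_b)   # derived independently by the issuer
    cert, confirmation = applicant_process_response(issuer_process_request(applicant_request(alg_id, k_app), k_iss), k_app)
    return cert, issuer_process_confirmation(confirmation, k_iss)

if __name__ == "__main__":
    cert, ack = run_exchange()
    print(cert["tbs"]["holder"], ack)
```

Three properties of this model are worth checking in any real deployment of the scheme, since the claims only require that the data be "encrypted": the inner layer carries an authentication tag, because a bare encryption of the request under a pre-shared key gives the issuer no integrity guarantee; the data communication key is bound to fresh nonces, so a recorded request cannot be replayed under a later channel; and the issuer verifies the request signature under the holder public key carried inside the request before signing anything, which is the proof of possession that prevents one device from obtaining a certificate for another device's key. The data session key is symmetric and shared, so its compromise on the issuing side exposes the inner layer of every applicant that uses it; per-device session keys limit that blast radius.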
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710211790.1A CN108667781A (en) | 2017-04-01 | 2017-04-01 | A kind of digital certificate management method and equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108667781A true CN108667781A (en) | 2018-10-16 |
Family
ID=63784142
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710211790.1A Pending CN108667781A (en) | 2017-04-01 | 2017-04-01 | A kind of digital certificate management method and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108667781A (en) |
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1801029A (en) * | 2004-12-31 | 2006-07-12 | 联想(北京)有限公司 | Method for generating digital certificate and applying the generated digital certificate |
WO2007073623A1 (en) * | 2005-12-29 | 2007-07-05 | Zte Corporation | A method of downloading digital certification and key |
CN101305542A (en) * | 2005-12-29 | 2008-11-12 | 中兴通讯股份有限公司 | Method for downloading digital certificate and cryptographic key |
CN104160656A (en) * | 2012-03-01 | 2014-11-19 | 塞尔蒂卡姆公司 | System and method for connecting client devices to a network |
CN105812136A (en) * | 2014-12-30 | 2016-07-27 | 北京握奇智能科技有限公司 | Update method, update system and security authentication device |
CN106533692A (en) * | 2016-11-01 | 2017-03-22 | 济南浪潮高新科技投资发展有限公司 | Digital certificate application method based on TPM |
CN108667609A (en) * | 2017-04-01 | 2018-10-16 | 西安西电捷通无线网络通信股份有限公司 | A kind of digital certificate management method and equipment |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11516020B2 (en) * | 2018-06-06 | 2022-11-29 | Tencent Technology (Shenzhen) Company Limited | Key management method, apparatus, and system, storage medium, and computer device |
CN110768795A (en) * | 2019-10-30 | 2020-02-07 | 迈普通信技术股份有限公司 | Session establishment method and device |
CN111490879A (en) * | 2020-04-13 | 2020-08-04 | 山东确信信息产业股份有限公司 | Digital certificate generation method and system based on biological characteristics |
CN114553427A (en) * | 2020-11-24 | 2022-05-27 | 安讯士有限公司 | System and method for managing certificates associated with components located at remote locations |
CN114553427B (en) * | 2020-11-24 | 2023-09-08 | 安讯士有限公司 | System and method for managing certificates associated with components located at remote locations |
CN113301523A (en) * | 2021-04-14 | 2021-08-24 | 江铃汽车股份有限公司 | Application and update method and system for V2X vehicle-mounted terminal digital certificate |
CN113810411A (en) * | 2021-09-17 | 2021-12-17 | 公安部交通管理科学研究所 | Traffic control facility digital certificate management method and system |
CN113810411B (en) * | 2021-09-17 | 2023-02-14 | 公安部交通管理科学研究所 | Traffic control facility digital certificate management method and system |
CN114884963A (en) * | 2022-06-20 | 2022-08-09 | 中国工商银行股份有限公司 | Management method and management device of digital certificate |
CN114884963B (en) * | 2022-06-20 | 2023-11-03 | 中国工商银行股份有限公司 | Digital certificate management method and management device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108667609A (en) | A kind of digital certificate management method and equipment | |
CN108667781A (en) | A kind of digital certificate management method and equipment | |
EP3661120B1 (en) | Method and apparatus for security authentication | |
CN107040922B (en) | Wireless network connecting method, apparatus and system | |
CN105554747B (en) | Wireless network connecting method, apparatus and system | |
CN109474432A (en) | Digital certificate management method and equipment | |
KR101508360B1 (en) | Apparatus and method for transmitting data, and recording medium storing program for executing method of the same in computer | |
TW478269B (en) | Method and apparatus for initializing mobile wireless devices | |
TW498669B (en) | Method and apparatus for exclusively pairing wireless devices | |
CN103427992B (en) | The method and system of secure communication is set up between node in a network | |
CN108390851A (en) | A kind of secure remote control system and method for industrial equipment | |
CN101720071B (en) | Short message two-stage encryption transmission and secure storage method based on safety SIM card | |
CN108667791B (en) | Identity authentication method | |
CN110445747A (en) | System and method for the exchange of encrypted transport data service | |
CN104378379B (en) | A kind of digital content encrypted transmission method, equipment and system | |
CN104202170B (en) | A kind of identity authorization system and method based on mark | |
CN101090316A (en) | Identify authorization method between storage card and terminal equipment at off-line state | |
CN101159624B (en) | Account use monitoring method | |
CN106571915A (en) | Terminal master key setting method and apparatus | |
CN109936509A (en) | A kind of equipment group authentication method and system based on diverse identities | |
JP5495194B2 (en) | Account issuing system, account server, service server, and account issuing method | |
CN109978479A (en) | A kind of electronic invoice method of charging out, device, data sharing server and system | |
CN108683506A (en) | A kind of applying digital certificate method, system, mist node and certificate authority | |
KR101568940B1 (en) | Authentication method for device to device communication in mobile open iptv system and device to device communication method in mobile open iptv system | |
CN113163399A (en) | Communication method and device of terminal and server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20181016 |