CN113472720A - Digital certificate key processing method and device, terminal equipment and storage medium - Google Patents


Info

Publication number: CN113472720A
Authority: CN (China)
Prior art keywords: digital certificate, key, request, information, user identity
Legal status: Granted
Application number: CN202010245315.8A
Other languages: Chinese (zh)
Other versions: CN113472720B (en)
Inventors: 梅臻, 李秀芳, 陈立清, 展召磊
Current assignee: Shandong Yunhai Safety Certification Service Co ltd
Original assignee: Shandong Yunhai Safety Certification Service Co ltd

Classifications

    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 9/0861 Key distribution or management: generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/3247 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L 9/3263 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • Y02P 90/30 Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application is applicable to the technical field of keys and provides a digital certificate key processing method, a digital certificate key processing device, terminal equipment and a storage medium. The digital certificate key processing method comprises the following steps: acquiring a digital certificate request sent by a user terminal, wherein the digital certificate request comprises first user identity information and digital certificate request information; verifying the first user identity information, and after the first user identity information is verified, sending the first user identity information and the digital certificate request information to a key management server; the digital certificate request information is used for instructing the key management server to generate an encryption key pair and a signature key pair, and generating a P10 request file according to the encryption key pair, the signature key and the first user identity information; and receiving the P10 request file sent by the key management server, generating a digital certificate according to the P10 request file and sending the digital certificate to the user terminal. The key is stored in the key management server, so that the security of the key can be improved.

Description

Digital certificate key processing method and device, terminal equipment and storage medium
Technical Field
The present application belongs to the technical field of keys, and in particular, to a method and an apparatus for processing a digital certificate key, a terminal device, and a storage medium.
Background
In the era of cloud services, cloud computing, big data and massive information, fast, convenient and simple ways of working and living are expected everywhere; the mobile phone has become something nobody can do without, and many functions, such as work-platform login, payment, online shopping and reservation services, can be completed by scanning a two-dimensional code with a mobile terminal. However, the current practice of storing the user's private key on the mobile terminal does not meet the national security-level requirements. Cryptographic technology is the core guarantee of security in the cloud environment, protecting data, transmission channels, user access, virtualization frameworks and the like, and therefore plays an important role in cloud security.
Key management, which underlies cryptographic technology, is the basis for providing security services such as confidentiality in the cloud computing environment, data origin authentication, entity authentication, data integrity and digital signatures, and covers the whole life cycle of a key from generation to final destruction. Once a key is leaked or the key management system is compromised, the security of transmission channels, virtualization, data access in the cloud, the data itself and so on can no longer be guaranteed. Traditional key management also suffers from poor security of user certificate key storage and poor security of certificate key use.
Disclosure of Invention
In order to overcome the problems in the related art, embodiments of the present application provide a method and an apparatus for processing a digital certificate key, a terminal device, and a storage medium.
The application is realized by the following technical scheme:
in a first aspect, an embodiment of the present application provides a method for processing a digital certificate key, which is applied to an authentication server, and the method includes:
acquiring a digital certificate request sent by a user terminal, wherein the digital certificate request comprises first user identity information and digital certificate request information;
verifying the first user identity information, and after the first user identity information is verified, sending the first user identity information and digital certificate request information to a key management server; the digital certificate request message is used for instructing the key management server to generate an encryption key pair and a signature key pair, and generating a P10 request file according to the encryption key pair, the signature key and the first user identity information;
and receiving the P10 request file sent by the key management server, generating a digital certificate according to the P10 request file and sending the digital certificate to the user terminal.
In a second aspect, an embodiment of the present application provides a digital certificate key processing method, which is applied to a key management server, and the method includes:
acquiring first user identity information and digital certificate request information sent by an authentication server;
generating an encryption key pair and a signature key pair according to the digital certificate request information, and generating a P10 request file according to the encryption key pair, the signature key and the first user identity information;
sending the P10 request file to the authentication server; wherein the P10 request file is used to instruct the authentication server to generate a digital certificate according to the P10 request file and send the digital certificate to the user terminal.
In a third aspect, an embodiment of the present application provides a digital certificate key processing apparatus, which is applied to an authentication server, and the apparatus includes:
a first acquisition module, configured to acquire a digital certificate request sent by a user terminal, where the digital certificate request includes first user identity information and digital certificate request information;
the first sending module is used for verifying the first user identity information and sending the first user identity information and the digital certificate request information to a key management server after the first user identity information is verified; the digital certificate request message is used for instructing the key management server to generate an encryption key pair and a signature key pair, and generating a P10 request file according to the encryption key pair, the signature key and the first user identity information;
and the digital certificate generation module is used for receiving the P10 request file sent by the key management server, generating a digital certificate according to the P10 request file and sending the digital certificate to the user terminal.
In a fourth aspect, an embodiment of the present application provides a digital certificate key processing apparatus, which is applied to a key management server, and the apparatus includes:
the second acquisition module is used for acquiring the first user identity information and the digital certificate request information sent by the authentication server;
a request file generation module, configured to generate an encryption key pair and a signature key pair according to the digital certificate request information, and generate a P10 request file according to the encryption key pair, the signature key, and the first user identity information;
a second sending module, configured to send the P10 request file to the authentication server; wherein the P10 request file is used to instruct the authentication server to generate a digital certificate according to the P10 request file and send the digital certificate to the user terminal.
In a fifth aspect, an embodiment of the present application provides a terminal device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the digital certificate key processing method according to any one of the first aspect or the digital certificate key processing method according to any one of the second aspect when executing the computer program.
In a sixth aspect, an embodiment of the present application provides a computer-readable storage medium, where a computer program is stored, and the computer program, when executed by a processor, implements the digital certificate key processing method according to any one of the first aspect or the digital certificate key processing method according to any one of the second aspect.
In a seventh aspect, an embodiment of the present application provides a computer program product, which, when run on a terminal device, causes the terminal device to execute the digital certificate key processing method described in any one of the above first aspects or the digital certificate key processing method described in any one of the above second aspects.
It is to be understood that, for the beneficial effects of the second to seventh aspects, reference may be made to the relevant description of the first aspect; they are not repeated here.
Compared with the prior art, the embodiment of the application has the advantages that:
In the embodiment of the application, when a user terminal needs to apply for a digital certificate, it sends a digital certificate request including first user identity information and digital certificate request information to an authentication server; the authentication server sends the first user identity information and the digital certificate request information to a key management server; the key management server generates an encryption key pair and a signature key pair according to the digital certificate request information, generates a P10 request file according to the encryption key pair, the signature key pair and the first user identity information, and sends the request file to the authentication server; and the authentication server generates the digital certificate according to the P10 request file and sends it to the user terminal. The encryption key pair and the signature key pair are not sent to the authentication server or the user terminal but are stored in the key management server, so no leakage through external transmission occurs and the security of user key storage is ensured.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the specification.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic system structure diagram of a digital certificate key processing method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a digital certificate key processing method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a digital certificate key processing method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a digital certificate key processing method according to an embodiment of the present application;
fig. 5 is a schematic flowchart of a digital certificate key processing method according to an embodiment of the present application;
fig. 6 is a schematic flowchart of a digital certificate key processing method according to an embodiment of the present application;
FIG. 7 is a flowchart illustrating a method for processing a digital certificate key according to an embodiment of the present application;
FIG. 8 is a flowchart illustrating a method for processing a digital certificate key according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a digital certificate key processing apparatus according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a digital certificate key processing apparatus according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon", "in response to determining" or "in response to detecting". Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted contextually to mean "upon determining", "in response to determining", "upon detecting [described condition or event]" or "in response to detecting [described condition or event]".
Furthermore, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used for distinguishing between descriptions and not necessarily for describing or implying relative importance.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
In the era of cloud services, cloud computing, big data and massive information, fast, convenient and simple ways of working and living are expected everywhere; the mobile phone has become something nobody can do without, and many functions, such as work-platform login, payment, online shopping and reservation services, can be completed by scanning a two-dimensional code with a mobile terminal. However, the current practice of storing the user's private key on the mobile terminal does not meet the national security-level requirements. Cryptographic technology is the core guarantee of security in the cloud environment, protecting data, transmission channels, user access, virtualization frameworks and the like, and therefore plays an important role in cloud security.
Key management, which underlies cryptographic technology, is the basis for providing security services such as confidentiality in the cloud computing environment, data origin authentication, entity authentication, data integrity and digital signatures, and covers the whole life cycle of a key from generation to final destruction. Once a key is leaked or the key management system is compromised, the security of transmission channels, virtualization, data access in the cloud, the data itself and so on can no longer be guaranteed. Traditional key management also suffers from poor security of user certificate key storage and poor security of certificate key use.
In view of the above problems, in the digital certificate key processing method of the embodiment of the present application, when a user terminal needs to apply for a digital certificate, it sends a digital certificate request including first user identity information and digital certificate request information to an authentication server; the authentication server sends the first user identity information and the digital certificate request information to a key management server; the key management server generates an encryption key pair and a signature key pair according to the digital certificate request information, generates a P10 request file according to the encryption key pair, the signature key pair and the first user identity information, and sends the generated file to the authentication server; and the authentication server generates a digital certificate according to the P10 request file and sends it to the user terminal. The encryption key pair and the signature key pair are not sent to the authentication server or the user terminal but are stored in the key management server, so they are never leaked externally and the security of user key storage can be improved.
By way of example, the embodiments of the present application may be applied to a system as shown in fig. 1. The system comprises an authentication server and a key management server, wherein an output interface and an input interface of the key management server are respectively connected with the authentication server and a certificate application cloud service center; the key management server comprises an archiving key bank, a key production module, a production key bank, a certificate key bank, a key production management module, a key distribution service module, a signature verification service module and an encryption and decryption service module. The key production management module is used for uniformly setting and managing the key production module, the production key library, the certificate key library and the key distribution service module, completing key request processing from the authentication server, providing services of an encryption key pair, a signature key pair and a P10 request file for the authentication server, and storing the encryption key pair and the signature key pair in the certificate key library; the signature verification service module and the encryption and decryption service module respectively provide services for a certificate application cloud service center to use a key of a specified user to complete signature verification and encryption and decryption request, and ensure that the key of the certificate user is not leaked out of the key management server.
The key distribution service module can be used for key extraction and distribution, key suspension, key archiving, key revocation, key destruction and P10 request file generation; the key production management module can be used for setting key generation amount, key production setting, key storage setting, key management setting and key security access setting; the key generation and management module can be used for generating a key pair and sending the key pair to the key distribution service module; the certificate key bank can be used for storing the key pair successfully issued by the key distribution service module and the information of the user to which the corresponding key belongs; the signature verification service module and the encryption and decryption service module can be used for providing key use services for certificate users, including digital signature, signature verification, encryption and decryption services.
Specifically, when a new certificate application user applies for a certificate to the CA authentication server through a user terminal, the relevant identity authentication materials are submitted to the CA authentication server as required; after the CA authentication server has verified the application, it packs the key element information of the user's request in a certain format and sends it to the key management server through a dedicated service interface. After the key management server receives the request information from the CA authentication server, the key distribution service module extracts a signature key pair and an encryption key pair from the production key bank, combines them with the user identity information in a standard format to generate a signature certificate P10 request file and an encryption certificate P10 request file respectively, and transmits the two P10 request files back to the CA authentication server. After receiving the P10 request files returned by the key management server, the CA authentication server produces the digital certificate (containing a signature certificate and an encryption certificate) according to the P10 request files, issues the digital certificate to the user terminal of the certificate application user in accordance with the security standard, and at the same time informs the key management server that issuance of the digital certificate is complete. After the key management server receives the notice that the user certificate has been issued, the key distribution service module stores the user's key ciphertext in the certificate key bank and sets the key's use permission to the certificate user only.
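The issuance flow just described, as an added example that is not the patent's own code: a key management server that generates the signature and encryption key pairs and builds one PKCS#10 (P10) request per pair, and a CA-side authentication server that checks the request's self-signature and that the user's identity was verified before it issues a certificate. The private keys never leave the key management server; its Sign method stands in for the signature service the server provides to certificate users. Written in Go with only the standard library; the type names, the use of the CSR subject's OU to carry the key purpose, ECDSA P-256 keys and the in-memory `verified` table are assumptions of this example, not details from the patent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Purpose of each key pair, carried in the CSR subject's OU (a constructed convention,
// not something the patent specifies) so the CA can pick the matching key usage.
const (
	usageSignature  = "signature"
	usageEncryption = "encryption"
)

// KeyManagementServer generates and keeps every user key pair; no method returns a private key.
type KeyManagementServer struct {
	certKeyBank map[string]*ecdsa.PrivateKey // certificate key bank, keyed by "<user identity>/<purpose>"
}

func NewKMS() *KeyManagementServer { return &KeyManagementServer{certKeyBank: map[string]*ecdsa.PrivateKey{}} }

// BuildRequests generates the signature and encryption key pairs for userID and returns one
// DER-encoded PKCS#10 (P10) request per purpose, each self-signed by its own key as proof of possession.
func (k *KeyManagementServer) BuildRequests(userID string) (map[string][]byte, error) {
	reqs := map[string][]byte{}
	for _, purpose := range []string{usageSignature, usageEncryption} {
		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil { return nil, err }
		subject := pkix.Name{CommonName: userID, OrganizationalUnit: []string{purpose}}
		der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, priv)
		if err != nil { return nil, err }
		k.certKeyBank[userID+"/"+purpose] = priv // the private key stays in this server
		reqs[purpose] = der
	}
	return reqs, nil
}

// Sign is the key application service: the signature is computed inside the KMS.
func (k *KeyManagementServer) Sign(userID string, data []byte) ([]byte, error) {
	priv, ok := k.certKeyBank[userID+"/"+usageSignature]
	if !ok { return nil, errors.New("no signature key for this user") }
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// AuthenticationServer is the CA side: it records which identities passed verification,
// checks the P10 request and issues certificates signed with the CA key.
type AuthenticationServer struct {
	caKey    *ecdsa.PrivateKey
	caCert   *x509.Certificate
	verified map[string]bool // set for an identity once its materials pass verification (constructed)
	serial   int64
}

func NewCA() (*AuthenticationServer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &AuthenticationServer{caKey: key, caCert: cert, verified: map[string]bool{}, serial: 1}, nil
}

// IssueCertificate rejects a P10 whose self-signature fails or whose subject has not been
// verified, then issues a certificate whose key usage matches the key pair's purpose.
func (ca *AuthenticationServer) IssueCertificate(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err } // proof of possession
	if !ca.verified[csr.Subject.CommonName] { return nil, errors.New("first user identity information not verified") }
	usage := x509.KeyUsageDigitalSignature
	if ou := csr.Subject.OrganizationalUnit; len(ou) == 1 && ou[0] == usageEncryption {
		usage = x509.KeyUsageKeyAgreement // EC encryption key; an RSA key would use KeyEncipherment
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject, KeyUsage: usage,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.caCert, csr.PublicKey, ca.caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Two checks carry the security argument: `CheckSignature` proves the P10 was signed by the key it carries (so the CA only ever binds a public key whose private half really sits in the key management server), and the `verified` lookup enforces the patent's order of operations, identity verification before any key work. The signature produced by `Sign` verifies with the public key in the issued certificate even though the caller never saw the private key.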
When a certificate user submits a certificate delay request to the CA authentication server, the CA authentication server only needs to perform user certificate delay service, and the service does not need to be requested from the key management server.
When a certificate user submits a certificate update application to the CA authentication server, the relevant identity authentication materials are submitted to the CA authentication server as required; after the CA authentication server has verified the application, it packs the key element information of the user's request in a certain format and sends it to the key management server through a dedicated service interface. After the key management server receives the request information from the CA authentication server, the key distribution service module extracts a signature key pair and an encryption key pair from the production key bank, combines them with the user information in a standard format to generate a signature certificate P10 request file and an encryption certificate P10 request file respectively, and transmits the two P10 request files back to the CA authentication server. After receiving the P10 request files returned by the key management server, the CA authentication server produces a signature certificate and an encryption certificate according to the P10 request files, issues them to the certificate application user in accordance with the security standard, and at the same time informs the key management server that issuance of the certificate is complete. After the key management server receives the notice that the user certificate has been issued, the key distribution service module stores the user's key ciphertext in the certificate key bank and sets the key's use permission to the certificate user only; the user's original certificate key in the certificate key bank is transferred to the archive key bank, so the key application service is no longer provided for the original certificate, and the archived key is reserved solely for judicial use when judicial evidence is collected in the future.
When a certificate user submits a logout application to the CA authentication server, the relevant identity authentication materials are submitted to the CA authentication server as required; after the CA authentication server has verified the application and it has passed, the CA authentication server sends a user key logout request to the key management server through a dedicated service interface. After the key management server receives the certificate logout request information from the CA authentication server, the key distribution service module transfers the user's original certificate key from the certificate key bank to the archive key bank and informs the CA authentication server that the key logout is complete; the key management server no longer provides the key application service for the original certificate user, and the archived key is reserved solely for judicial use when judicial evidence is collected in the future.
When a certificate user needs to use their certificate to sign, verify a signature, encrypt or decrypt, the corresponding request is submitted to the certificate application cloud service center; after the certificate application cloud service center has performed strong identity authentication on the certificate user and determined the applicant's exact identity, it forwards the user's request to the key management server. According to the user request, the key management server calls the certificate user's key through the signature verification service module and the encryption and decryption service module to perform the signing, signature verification, encryption or decryption operation, completing the key application service and returning the corresponding result to the certificate user. Throughout this process the user key never leaves the key management server, which ensures the security of user key use.
The key management server provides a special interface for judicial evidence obtaining service for the CA authentication server, when the judicial department needs the CA authentication server to obtain the judicial evidence, the judicial evidence obtaining service process is started, firstly, the relevant examination and approval procedures are completed according to the judicial evidence obtaining process of the CA authentication server, then the CA authentication server submits the judicial evidence obtaining request to the key management server, the key distribution service module extracts the key pair of the user from the key filing base or the certificate key base, obtains the use authority of the certificate user key to the judicial level, completes the judicial services such as decryption, signature verification and the like required by the judicial in the key management server, and restores the evidence required by the judicial.
The digital certificate key processing method of the present application is described in detail below with reference to fig. 1.
Fig. 2 is a schematic flow chart of a digital certificate key processing method provided in an embodiment of the present application. The method is applied to an authentication server. Referring to fig. 2, the digital certificate key processing method is described in detail as follows:
in step 101, a digital certificate request sent by a user terminal is obtained, where the digital certificate request includes first user identity information and digital certificate request information.
When a user needs to apply for a digital certificate, a digital certificate request may be input at the user terminal; the request may include first user identity information and digital certificate request information. The first user identity information is the identity information of the applying user; the authentication server uses it to identify the user's authority and to determine whether the user may apply for a digital certificate through the authentication server.
In step 102, the first user identity information is verified, and after the first user identity information is verified, the first user identity information and the digital certificate request information are sent to a key management server.
The digital certificate request information is used to instruct the key management server to generate an encryption key pair and a signing key pair, and to generate a P10 request file (a PKCS#10 certificate request, which carries the public key and the subject identity but not the private key) according to the encryption key pair, the signing key pair and the first user identity information. Specifically, the P10 request file may include a signing certificate P10 request file and an encryption certificate P10 request file.
For example, the authentication server may package key element information (i.e., the first user identity information and the digital certificate request information) requested by the user according to a preset format, and then send the packaged key element information to the key management server through the dedicated service interface.
For example, after the key management server receives the first user identity information and the digital certificate request information sent by the authentication server, the key distribution service module may extract a signing key pair and an encryption key pair from the production key library, generate a signing certificate P10 request file in the standard format from the signing key pair combined with the first user identity information, and generate an encryption certificate P10 request file in the standard format from the encryption key pair combined with the first user identity information, thereby obtaining the P10 request file. After obtaining the P10 request file, the key management server transmits it back to the authentication server.
In step 103, the P10 request file sent by the key management server is received, and a digital certificate is generated according to the P10 request file and sent to the user terminal.
Illustratively, the digital certificate may include a signing certificate and an encryption certificate. Specifically, after receiving the P10 request file, the authentication server generates the signing certificate from the signing certificate P10 request file contained in it, and generates the encryption certificate from the encryption certificate P10 request file contained in it. The authentication server may then send the signing certificate and the encryption certificate to the corresponding user terminal in accordance with the applicable security standard requirements. The private keys corresponding to both P10 request files remain in the key management server throughout.
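The issuance exchange of steps 101 to 103 in runnable form, as an added example that is not part of the patent or of any product of the applicant. It uses Go's standard crypto/x509 package; the algorithms (ECDSA P-256 for the signing pair, RSA-2048 for the encryption pair), the identity field names and the "Example Issuing CA" are assumptions, since the page does not specify them. kmsBuildRequests plays the key distribution service module and caIssue plays the CA authentication server: each P10 (PKCS#10) request carries a public key and the subject built from the verified identity, is self-signed with the matching private key as proof of possession, and the CA verifies that self-signature and compares the subject with the identity it verified itself before issuing. The private keys are created in, and never leave, the KMS side; only the two request files and the resulting certificates cross the interface.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// UserIdentity is the first user identity information as the authentication
// server forwards it after verification (constructed field names).
type UserIdentity struct {
	UserID string // verified account identifier, carried in the subject serialNumber
	Name   string // common name shared by the signing and encryption certificates
}

// UserKeys is the material that stays inside the key management server. The
// page does not name the algorithms; P-256 and RSA-2048 are assumptions.
type UserKeys struct {
	Sig *ecdsa.PrivateKey // signing key pair
	Enc *rsa.PrivateKey   // encryption key pair
}

func certTemplate(subject pkix.Name, serial int64, usage x509.KeyUsage, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: usage,
	}
}

// newCA builds a self-signed issuing CA for the example (constructed; a real
// CA key would live in an HSM).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(pkix.Name{CommonName: "Example Issuing CA"}, 1, x509.KeyUsageCertSign, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// kmsBuildRequests stands in for the key distribution service module: it
// generates both key pairs and binds each public key to the identity in a
// PKCS#10 (P10) request, self-signed with the matching private key as proof of
// possession. Only the two DER requests go to the CA; the private keys stay here.
func kmsBuildRequests(id UserIdentity) (keys *UserKeys, csrSig, csrEnc []byte, err error) {
	sig, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: id.Name, SerialNumber: id.UserID}}
	if csrSig, err = x509.CreateCertificateRequest(rand.Reader, tmpl, sig); err != nil {
		return nil, nil, nil, err
	}
	if csrEnc, err = x509.CreateCertificateRequest(rand.Reader, tmpl, enc); err != nil {
		return nil, nil, nil, err
	}
	return &UserKeys{Sig: sig, Enc: enc}, csrSig, csrEnc, nil
}

// caIssue stands in for the CA authentication server: parse the P10, check its
// self-signature, check that its subject matches the identity the CA itself
// verified, then issue a certificate whose key usage fits the certificate type.
func caIssue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, expect UserIdentity, usage x509.KeyUsage, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed P10: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("P10 self-signature invalid: %w", err)
	}
	if csr.Subject.CommonName != expect.Name || csr.Subject.SerialNumber != expect.UserID {
		return nil, fmt.Errorf("P10 subject %q does not match verified identity", csr.Subject.String())
	}
	der, err := x509.CreateCertificate(rand.Reader, certTemplate(csr.Subject, serial, usage, false), caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The sequence for one applicant is newCA once, kmsBuildRequests for the applicant, then caIssue twice with the same identity, once with KeyUsageDigitalSignature for the signing P10 and once with KeyUsageKeyEncipherment for the encryption P10. The subject comparison in caIssue is the check a practitioner would add beyond the page's description: a CA that copied whatever subject arrived in the P10 would let a compromised or misconfigured KMS obtain certificates for an identity it never verified.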
Referring to fig. 3, in some embodiments, based on the embodiment shown in fig. 2, the above digital certificate key processing method may further include:
in step 104, sending a digital certificate issuance completion message to the key management server; the digital certificate issuance completion information is used for instructing the key management server to store the encryption key pair, the signing key and the first user identity information in an associated manner.
In this step, after the authentication server sends the digital certificate to the corresponding user terminal, the key management server needs to be informed of information that the digital certificate has been sent to the user terminal, so that the key management server stores the encryption key pair, the signature key, and the first user identity information in an associated manner.
Specifically, after receiving the notification that the user's certificate has been issued, the key management server may store the user's key ciphertext (i.e., the encryption key pair and the signing key pair, in encrypted form) in the certificate key library through the key distribution service module, and set the usage right of the key so that only the user corresponding to the first user identity information may use it.
It should be noted that the digital certificate request information may be request information requesting generation of a digital certificate or request information requesting update of a digital certificate. That is, the process may cover both a new user applying for a digital certificate and an existing user applying for an update of a digital certificate.
The process of applying for a digital certificate for a new user may include:
when a user applies for a certificate to the CA authentication server through the user terminal, the user submits the required identity authentication materials to the CA authentication server. After the CA authentication server verifies the application, it packages the key element information of the user's request in a prescribed format and sends it to the key management server through the dedicated service interface. After the key management server receives the request information from the CA authentication server, the key distribution service module extracts a signing key pair and an encryption key pair from the production key library, combines them with the user identity information in the standard format to generate a signing certificate P10 request file and an encryption certificate P10 request file respectively, and transmits the two P10 request files back to the CA authentication server. After receiving the P10 request files returned by the key management server, the CA authentication server produces the digital certificate (comprising a signing certificate and an encryption certificate) from them, issues it to the user terminal of the applicant in accordance with the security standard requirements, and at the same time informs the key management server that issuance of the digital certificate is complete. After the key management server receives the notification that the user's certificate has been issued, the key distribution service module stores the user's key ciphertext in the certificate key library and sets the usage right of the key to the certificate user only.
The process of a user applying for an update of a digital certificate may include:
when a certificate user submits a certificate update application to the CA authentication server, the user submits the required identity authentication materials to the CA authentication server. After the CA authentication server verifies the application, it packages the key element information of the user's request in a prescribed format and sends it to the key management server through the dedicated service interface. After the key management server receives the request information from the CA authentication server, the key distribution service module extracts a new signing key pair and a new encryption key pair from the production key library, combines them with the user information in the standard format to generate a signing certificate P10 request file and an encryption certificate P10 request file respectively, and transmits the two P10 request files back to the CA authentication server. After receiving the P10 request files returned by the key management server, the CA authentication server produces the signing certificate and the encryption certificate from them, issues them to the applicant in accordance with the security standard requirements, and at the same time informs the key management server that issuance of the certificates is complete. After the key management server receives the notification that the user's certificate has been issued, the key distribution service module stores the user's new key ciphertext in the certificate key library, sets the usage right of the key to the certificate user only, and moves the user's previous certificate key from the certificate key library to the archive key library. The archived key is thereafter available only for the judicial application service when judicial evidence is collected in the future; no key application service is provided with it to the original certificate user.
When a user submits a digital certificate extension (validity delay) request to the CA authentication server through the user terminal, the user terminal only needs to send the extension application to the CA authentication server, and the authentication server extends the digital certificate according to the application; no new key is requested from the key management server in this case.
Referring to fig. 4, in some embodiments, based on the embodiment shown in fig. 2, the above digital certificate key processing method may further include:
in step 105, a digital certificate logout request sent by the user terminal is obtained, where the digital certificate logout request includes second user identity information and digital certificate logout request information.
In step 106, the second user identity information is verified, and after the second user identity information is verified, the second user identity information and the digital certificate logout request information are sent to a key management server.
The digital certificate logout request information is used for instructing the key management server to logout an encryption key pair and a signature key associated with the second user identity information.
In step 107, the digital certificate revocation completion information sent by the key management server is received.
For example, the process of the user applying for digital certificate revocation may include:
the user submits a digital certificate logout request to the CA authentication server through the user terminal, together with the required identity authentication information (i.e., the second user identity information). After the CA authentication server verifies the application, it sends the second user identity information and the digital certificate logout request information to the key management server through the dedicated service interface. After the key management server receives this information, the key distribution service module moves the user's current certificate key from the certificate key library to the archive key library and informs the CA authentication server that the key logout is complete. The key management server then no longer provides key application services for the former certificate user, and the archived key is reserved solely for judicial use in future judicial evidence collection.
In addition, when a certificate user needs to use his or her digital certificate for signing, signature verification, encryption or decryption, the corresponding request may be submitted to the certificate application cloud service center through the user terminal. After the certificate application cloud service center authenticates the identity of the digital certificate user and establishes the applicant's identity precisely, it forwards the request to the key management server. According to the request, the key management server invokes the certificate user's key through the signature and verification service module and the encryption and decryption service module to perform the signing, signature verification, encryption or decryption operation, completes the key application service and returns the result to the certificate user. Throughout this process the user's key never leaves the key management server, which secures the use of the user's key.
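The key application service described above, as an added example in Go that is not taken from the patent or from any product of the applicant. The request shape, the identifiers and the algorithms (ECDSA P-256 with SHA-256 for signing, RSA-2048 OAEP for the encryption pair) are assumptions. Handle runs the signing and decryption operations inside the service and returns only the signature or the recovered plaintext; the private keys are never returned, and there is deliberately no operation that exports them. The counterparty functions show that a relying party needs nothing more than the public keys carried in the user's certificates: peerEncrypt produces ciphertext that only the service can open, and peerVerify checks a signature with the public key alone, which is also all a service-side verification operation would do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// ServiceRequest is what the certificate application cloud service centre
// forwards after strong identity authentication (constructed shape). User is
// the authenticated identity; Owner names whose key the operation should use.
type ServiceRequest struct {
	User, Owner string
	Op          string // "sign" or "decrypt"
	Data        []byte // message to sign, or ciphertext to decrypt
}

// userKeys is the private material held inside the KMS for one certificate
// user. The page does not name the algorithms; P-256 for the signing pair and
// RSA-2048 with OAEP for the encryption pair are assumptions.
type userKeys struct {
	sig *ecdsa.PrivateKey
	enc *rsa.PrivateKey
}

// KeyService stands in for the signature-verification and encryption-decryption
// service modules: every private-key operation happens here and only results leave.
type KeyService struct {
	keys map[string]*userKeys
}

func NewKeyService() *KeyService { return &KeyService{keys: map[string]*userKeys{}} }

// Enroll generates a user's two key pairs and returns only the public halves,
// which is all the CA needs for the certificates and all a peer needs later.
func (k *KeyService) Enroll(owner string) (*ecdsa.PublicKey, *rsa.PublicKey, error) {
	sig, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	k.keys[owner] = &userKeys{sig: sig, enc: enc}
	return &sig.PublicKey, &enc.PublicKey, nil
}

// Handle performs the requested operation with the owner's private key and
// returns the result only. The authenticated user must be the key owner.
func (k *KeyService) Handle(req ServiceRequest) ([]byte, error) {
	if req.User != req.Owner {
		return nil, errors.New("unauthorised: " + req.User + " may not use the key of " + req.Owner)
	}
	uk, ok := k.keys[req.Owner]
	if !ok {
		return nil, errors.New("no key for " + req.Owner)
	}
	switch req.Op {
	case "sign":
		digest := sha256.Sum256(req.Data)
		return ecdsa.SignASN1(rand.Reader, uk.sig, digest[:])
	case "decrypt":
		return rsa.DecryptOAEP(sha256.New(), rand.Reader, uk.enc, req.Data, nil)
	}
	return nil, errors.New("unknown operation " + req.Op)
}

// peerEncrypt is what a counterparty does with the user's encryption
// certificate: encrypt to the public key; only the KMS can decrypt.
func peerEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// peerVerify is what a relying party does with the user's signing
// certificate: verify the signature with the public key alone.
func peerVerify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A request from one authenticated user naming another user's key is refused before any key is touched, and an unknown operation name is refused rather than falling through to a default, so adding an "export" operation would require a deliberate code change rather than a mistyped request.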
The key management server also provides the CA authentication server with a dedicated interface for the judicial evidence collection service. When a judicial authority requires the CA authentication server to collect evidence, the judicial evidence collection process is started: the relevant examination and approval procedures are first completed according to the CA authentication server's judicial evidence collection process; the CA authentication server then submits the judicial evidence collection request to the key management server; the key distribution service module extracts the user's key pair from the archive key library or the certificate key library and raises the usage right of the certificate user's key to judicial level; the decryption, signature verification and other services required by the judicial authority are completed inside the key management server, and the evidence required by the judicial authority is recovered.
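The key lifecycle that the update, logout and judicial evidence passages describe, as an added example not taken from the patent or from any product of the applicant. It models the certificate key library (one active record per owner) and the archive key library, the usage right that restricts a key to its owner, the move of the previous key into the archive on a certificate update or a logout, and the judicial interface that alone can reach archived versions and only with an approval reference. The record layout, version numbers and approval reference format are assumptions; Material stands for the private-key ciphertext the KMS writes, and how that ciphertext is produced is outside this example.

```go
package main

import "errors"

// KeyRecord is one entry of the certificate key library or the archive key
// library. Material is the user's private-key ciphertext as written by the
// KMS (the libraries hold key ciphertext, never plaintext; how it is wrapped
// is outside this example).
type KeyRecord struct {
	Owner    string
	Version  int
	Material []byte
	Reason   string // empty while active; "update" or "logout" once archived
}

// KeyStore models the certificate key library (one active record per owner)
// and the archive key library (superseded and cancelled records).
type KeyStore struct {
	active  map[string]*KeyRecord
	archive map[string][]*KeyRecord
	nextVer int
	Audit   []string // every grant, denial and archive move, for the access audit
}

func NewKeyStore() *KeyStore {
	return &KeyStore{active: map[string]*KeyRecord{}, archive: map[string][]*KeyRecord{}}
}

// Archived lists the owner's records in the archive key library.
func (s *KeyStore) Archived(owner string) []*KeyRecord { return s.archive[owner] }

func (s *KeyStore) archiveRecord(r *KeyRecord, reason string) {
	r.Reason = reason
	s.archive[r.Owner] = append(s.archive[r.Owner], r)
	delete(s.active, r.Owner)
	s.Audit = append(s.Audit, "archive "+r.Owner+" reason="+reason)
}

// Store runs on "digital certificate issuance completion": the new keys enter
// the certificate key library with usage restricted to owner; on a certificate
// update the previous record is moved to the archive library first.
func (s *KeyStore) Store(owner string, material []byte) int {
	if old, ok := s.active[owner]; ok {
		s.archiveRecord(old, "update")
	}
	s.nextVer++
	s.active[owner] = &KeyRecord{Owner: owner, Version: s.nextVer, Material: material}
	s.Audit = append(s.Audit, "store "+owner)
	return s.nextVer
}

// Logout serves the digital certificate logout request: the current key is
// archived and the former owner gets no further key application service.
func (s *KeyStore) Logout(owner string) error {
	r, ok := s.active[owner]
	if !ok {
		return errors.New("no active key for " + owner)
	}
	s.archiveRecord(r, "logout")
	return nil
}

// UseKey is the only path the signing and decryption services may call. The
// requester is the identity established by the cloud service centre; it must
// equal the owner, and the owner's key must still be active. Archived keys are
// unreachable here by construction.
func (s *KeyStore) UseKey(requester, owner string) ([]byte, error) {
	if requester != owner {
		s.Audit = append(s.Audit, "deny "+requester+" on "+owner)
		return nil, errors.New("unauthorised: requester is not the key owner")
	}
	r, ok := s.active[owner]
	if !ok {
		return nil, errors.New("no active key: logged out or never issued")
	}
	s.Audit = append(s.Audit, "use "+owner)
	return r.Material, nil
}

// JudicialFetch is the evidence-collection interface. It requires the approval
// reference produced by the CA's approval procedure and, unlike UseKey, can
// reach any version in either library.
func (s *KeyStore) JudicialFetch(owner string, version int, approvalRef string) ([]byte, error) {
	if approvalRef == "" {
		return nil, errors.New("judicial approval reference required")
	}
	all := append([]*KeyRecord{}, s.archive[owner]...)
	if r, ok := s.active[owner]; ok {
		all = append(all, r)
	}
	for _, r := range all {
		if r.Version == version {
			s.Audit = append(s.Audit, "judicial "+owner+" approval="+approvalRef)
			return r.Material, nil
		}
	}
	return nil, errors.New("no such key version")
}
```

The design point is that the archive is not simply a flag on the active record: once a record has moved, the ordinary service path cannot see it at all, so a logged-out user's old key cannot be used by mistake, while the judicial path is the only code that searches both libraries and it logs the approval reference with every access.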
The digital certificate key processing method has the following advantages:
(1) The key distribution service module provides the CA authentication server with the key services required by a user's digital certificate request, including obtaining an encryption key pair and a signing key pair, key update, key recovery and generation of the P10 file. After a key service is completed, the key production management module archives the keys provided to the user in the certificate key library according to the type of the user's request. Throughout the key issuance process, every key that makes up the user's certificate is stored in the certificate key library; in particular the private key is stored only as ciphertext and is never disclosed, which secures the storage of the user's keys.
(2) Through the key production settings, the key management server selects automatic or manual production as the production mode of the key production module and sets a stock buffer level for the production key library; in automatic mode, whenever the key stock of the production key library falls below the set level, the key production module produces keys automatically to replenish the stock. Through the key storage settings, the key distribution service module files the key and its state directly in the certificate key library after completing key extraction and distribution, key suspension, key revocation, key destruction and similar services, keeps the key for the certificate user, and provides the signing, signature verification, encryption and decryption services required in certificate use. Through the key management settings and the key secure access settings, every operation on a key and the related events are recorded; access control of keys prevents unauthorised access, and the access authority of each key accessor is audited to determine whether the accessor holds the authority to access the key, so that key operations are controlled. The key access control mode can reliably support effective isolation and integrity protection of information at different levels or of different categories for multiple users.
(3) Through the key management server, when a certificate user needs to sign, verify a signature, encrypt or decrypt with the certificate, the user submits the corresponding request to the certificate application cloud service center; the certificate application cloud service center invokes the certificate user's key through the signature and verification service module and the encryption and decryption service module to perform the signing, signature verification, encryption or decryption operation, completes the key application service and returns the result to the certificate user. The user's key never leaves the certificate key service system in the whole process, which secures the use of the user's key.
Fig. 5 is a schematic flow chart of a digital certificate key processing method provided in an embodiment of the present application, the digital certificate key processing method is applied to a key management server, and with reference to fig. 5, the digital certificate key processing method is described in detail as follows:
in step 201, first user identity information and digital certificate request information sent by an authentication server are acquired.
In step 202, an encryption key pair and a signature key pair are generated according to the digital certificate request message, and a P10 request file is generated according to the encryption key pair, the signature key and the first user identity information.
After receiving the first user identity information and the digital certificate request information sent by the authentication server, the key management server may extract a signing key pair and an encryption key pair from the production key library through the key distribution service module, generate a signing certificate P10 request file in the standard format from the signing key pair combined with the first user identity information, and generate an encryption certificate P10 request file in the standard format from the encryption key pair combined with the first user identity information, thereby obtaining the P10 request file.
In step 203, sending the P10 request file to the authentication server; wherein the P10 request file is used to instruct the authentication server to generate a digital certificate according to the P10 request file and send the digital certificate to the user terminal.
Illustratively, the digital certificate may include a signing certificate and an encryption certificate. Specifically, after receiving the P10 request file, the authentication server generates the signing certificate from the signing certificate P10 request file contained in it, and generates the encryption certificate from the encryption certificate P10 request file contained in it. The authentication server may then send the signing certificate and the encryption certificate to the corresponding user terminal in accordance with the applicable security standard requirements.
Referring to fig. 6, in some embodiments, based on the embodiment shown in fig. 5, the above digital certificate key processing method may further include:
in step 204, the digital certificate issuance completion information sent by the authentication server is acquired.
In step 205, after receiving the digital certificate issuance completion information, the encryption key pair, the signing key and the first user identity information are stored in association with each other.
In this step, after the authentication server sends the digital certificate to the corresponding user terminal, the key management server needs to be informed of information that the digital certificate has been sent to the user terminal, and the key management server stores the encryption key pair, the signature key, and the first user identity information in an associated manner.
Specifically, after receiving the notification that the user's certificate has been issued, the key management server may store the user's key ciphertext (i.e., the encryption key pair and the signing key pair, in encrypted form) in the certificate key library through the key distribution service module, and set the usage right of the key so that only the user corresponding to the first user identity information may use it.
It should be noted that the digital certificate request information may be request information requesting generation of a digital certificate or request information requesting update of a digital certificate. That is, the process may cover both a new user applying for a digital certificate and an existing user applying for an update of a digital certificate.
For the process of a new user applying for a digital certificate and the process of a user applying for an update of a digital certificate, reference may be made to the related description above, which is not repeated here.
Referring to fig. 7, in some embodiments, based on the embodiment shown in fig. 5, the above digital certificate key processing method may further include:
in step 206, second user identity information and digital certificate logout request information sent by the authentication server are obtained.
In step 207, the encryption key pair and the signature key associated with the second user identity information are revoked according to the digital certificate revocation request information.
In step 208, a digital certificate revocation completion message is sent to the authentication server.
In the digital certificate key processing method, the key management server receives the first user identity information and the digital certificate request information sent by the authentication server, generates an encryption key pair and a signing key pair according to the digital certificate request information, generates a P10 request file according to the encryption key pair, the signing key pair and the first user identity information, and sends the P10 request file to the authentication server, so that the authentication server generates the digital certificate according to the P10 request file and sends it to the user terminal. The encryption key pair and the signing key pair themselves are never sent to the authentication server or the user terminal; they are stored only in the key management server, so no leakage through external transmission can occur, and the security of user key storage is improved.
Fig. 8 is a schematic flow chart of a digital certificate key processing method according to an embodiment of the present application, and with reference to fig. 8, the digital certificate key processing method is described in detail as follows:
in step 301, after receiving a digital certificate request input by a user, a user terminal sends the digital certificate request to a CA authentication server, where the digital certificate request includes first user identity information and digital certificate request information.
In step 302, after receiving the digital certificate request, the CA authentication server verifies the first user identity information in the digital certificate request. After the first user identity information is verified, executing step 303; otherwise, ending.
In step 303, after the first user identity information is verified, the first user identity information and the digital certificate request information are sent to the key management server.
In step 304, the key management server generates an encryption key pair and a signature key pair based on the digital certificate request message, and generates a P10 request file based on the encryption key pair, the signature key pair, and the first user identification information.
In step 305, the key management server sends a P10 request file to the CA authentication server.
In step 306, the CA authentication server generates a digital certificate from the P10 request file.
In step 307, the CA authentication server transmits the digital certificate to the user terminal.
In step 308, after transmitting the digital certificate to the user terminal, the CA authentication server transmits digital certificate transmission completion information to the key management server.
In step 309, the key management server stores the encryption key pair, the signature key pair, and the first user identification information in association with each other.
In step 310, after receiving a digital certificate logout request input by the user, the user terminal sends the digital certificate logout request to the CA authentication server. The digital certificate logout request includes second user identity information and digital certificate logout request information.
In step 311, the CA authentication server verifies the second user identity information after receiving the digital certificate logout request. After the CA authentication server verifies the second user identity information, step 312 is executed; otherwise, ending.
In step 312, after the CA authentication server verifies the second user identity information, the CA authentication server sends the second user identity information and the digital certificate logout request information to the key management server.
In step 313, the key management server performs logout processing on the encryption key pair and the signature key pair associated with the second user identity information according to the digital certificate logout request information.
In step 314, the key management server transmits digital certificate deregistration completion information to the CA authentication server.
In the above digital certificate key processing method, when a user terminal needs to apply for a digital certificate, it sends a digital certificate request including first user identity information and digital certificate request information to the authentication server; the authentication server sends the first user identity information and the digital certificate request information to the key management server; the key management server generates an encryption key pair and a signing key pair according to the digital certificate request information, generates a P10 request file according to the encryption key pair, the signing key pair and the first user identity information, and transmits the P10 request file to the authentication server; the authentication server generates the digital certificate according to the P10 request file and transmits it to the user terminal. The encryption key pair and the signing key pair themselves are never sent to the authentication server or the user terminal but are stored in the key management server, so leakage through external transmission is avoided and the security of user key storage is improved.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Fig. 9 shows a block diagram of a digital certificate key processing apparatus provided in an embodiment of the present application, which corresponds to the digital certificate key processing method applied to the authentication server described in the above embodiment, and only shows a part related to the embodiment of the present application for convenience of description.
Referring to fig. 9, the digital certificate key processing apparatus in the embodiment of the present application may include a first obtaining module 401, a first sending module 402, and a digital certificate generating module 403.
The first obtaining module 401 is configured to obtain a digital certificate request sent by a user terminal, where the digital certificate request includes first user identity information and digital certificate request information;
a first sending module 402, configured to verify the first user identity information, and send the first user identity information and digital certificate request information to a key management server after the first user identity information is verified; the digital certificate request message is used for instructing the key management server to generate an encryption key pair and a signature key pair, and generating a P10 request file according to the encryption key pair, the signature key and the first user identity information;
a digital certificate generating module 403, configured to receive the P10 request file sent by the key management server, generate a digital certificate according to the P10 request file, and send the digital certificate to the user terminal.
Optionally, the digital certificate request information includes request information for requesting generation of a digital certificate or request information for requesting updating of a digital certificate.
Optionally, the digital certificate key processing apparatus may further include:
a digital certificate issuance completion information sending module for sending digital certificate issuance completion information to the key management server; the digital certificate issuance completion information is used for instructing the key management server to store the encryption key pair, the signing key and the first user identity information in an associated manner.
Optionally, the digital certificate key processing apparatus may further include: the system comprises a first digital certificate logout request acquisition module, a digital certificate logout request information sending module and a digital certificate logout completion information receiving module;
the first digital certificate logout request acquisition module is configured to obtain a digital certificate logout request sent by the user terminal, where the digital certificate logout request includes second user identity information and digital certificate logout request information;
the digital certificate logout request information sending module is used for verifying the second user identity information and sending the second user identity information and the digital certificate logout request information to a key management server after the second user identity information is verified; the digital certificate logout request information is used for instructing the key management server to logout an encryption key pair and a signature key which are associated with the second user identity information;
and the digital certificate logout completion information receiving module is used for receiving the digital certificate logout completion information sent by the key management server.
Fig. 10 shows a block diagram of a digital certificate key processing apparatus provided in an embodiment of the present application, which corresponds to the digital certificate key processing method applied to the key management server described in the above embodiment, and only shows a part related to the embodiment of the present application for convenience of description.
Referring to fig. 10, the digital certificate key processing apparatus in the embodiment of the present application may include a second obtaining module 501, a request file generating module 502, and a second sending module 503.
The second obtaining module 501 is configured to obtain first user identity information and digital certificate request information sent by an authentication server;
a request file generating module 502, configured to generate an encryption key pair and a signature key pair according to the digital certificate request information, and generate a P10 request file according to the encryption key pair, the signature key, and the first user identity information;
a second sending module 503, configured to send the P10 request file to the authentication server; wherein the P10 request file is used to instruct the authentication server to generate a digital certificate according to the P10 request file and send the digital certificate to the user terminal.
Optionally, the digital certificate request information includes request information for requesting generation of a digital certificate or request information for requesting updating of a digital certificate.
Optionally, the digital certificate key processing apparatus may further include a digital certificate issuance completion information obtaining module and an associated storage module;
the digital certificate issuance completion information obtaining module is configured to obtain digital certificate issuance completion information sent by the authentication server;
and the associated storage module is configured to store the encryption key pair, the signature key, and the first user identity information in an associated manner after the digital certificate issuance completion information is received.
Optionally, the digital certificate key processing apparatus may further include a second digital certificate logout request information obtaining module, a logout processing module, and a digital certificate logout completion information sending module;
the second digital certificate logout request information obtaining module is configured to obtain second user identity information and digital certificate logout request information sent by the authentication server;
the logout processing module is configured to perform logout processing on the encryption key pair and the signature key associated with the second user identity information according to the digital certificate logout request information;
and the digital certificate logout completion information sending module is configured to send digital certificate logout completion information to the authentication server.
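The issuance exchange between modules 401 to 403 and 501 to 503, carried end to end in Go as an added example (not the patent's own code, nor code from the applicant): the authentication server verifies the user identity and acts as the issuing CA, the key management server generates an encryption key pair and a signature key pair and builds the P10 (PKCS#10) request, and the key pairs are associated with the identity only after issuance completion is reported. Assumptions: identity verification is a constructed lookup table; the P10 request carries the signature public key while the encryption pair stays on the key management server; P-256 ECDSA and Go's crypto/x509 standard library stand in for whatever algorithms a deployment uses; the logout path is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must keeps the demo short: key generation and DER encoding failures are treated as fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// keyPairs: encryption pair and signature pair. Assumption: the P10 request carries only the
// signature public key; the encryption pair never leaves the key management server.
type keyPairs struct{ enc, sign *ecdsa.PrivateKey }

// KMS plays the key management server (modules 501-503 plus the associated storage module).
type KMS struct {
	pending map[string]*keyPairs // generated, issuance not yet confirmed by the auth server
	stored  map[string]*keyPairs // associated storage: user identity -> key pairs
}

func NewKMS() *KMS { return &KMS{pending: map[string]*keyPairs{}, stored: map[string]*keyPairs{}} }
// GenerateP10 generates both key pairs and returns a DER PKCS#10 request whose subject is the verified identity.
func (k *KMS) GenerateP10(userID string) []byte {
	kp := &keyPairs{enc: newKey(), sign: newKey()}
	k.pending[userID] = kp
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: userID}}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, kp.sign))
}

// IssuanceComplete associates the pairs with the identity only once issuance is confirmed (claims 3 and 7).
func (k *KMS) IssuanceComplete(userID string) error {
	kp, ok := k.pending[userID]
	if !ok {
		return errors.New("kms: no pending key pairs for this identity")
	}
	delete(k.pending, userID)
	k.stored[userID] = kp
	return nil
}

// AuthServer plays the authentication server (modules 401-403): identity check plus issuing CA.
type AuthServer struct {
	users  map[string]bool // constructed stand-in for real user identity verification
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
	kms    *KMS
}

func NewAuthServer(kms *KMS, users map[string]bool) *AuthServer {
	caKey := newKey()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Auth Server CA"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey))
	return &AuthServer{users: users, caKey: caKey, caCert: must(x509.ParseCertificate(der)), kms: kms}
}

// HandleCertificateRequest is steps S101-S103: verify identity, get the P10 from the KMS, check it, issue, confirm.
func (a *AuthServer) HandleCertificateRequest(userID string) (*x509.Certificate, error) {
	if !a.users[userID] {
		return nil, errors.New("auth: user identity verification failed")
	}
	csr, err := x509.ParseCertificateRequest(a.kms.GenerateP10(userID))
	// Proof of possession of the signature key, and the subject must equal the verified identity.
	if err != nil || csr.CheckSignature() != nil || csr.Subject.CommonName != userID {
		return nil, errors.New("auth: P10 request rejected")
	}
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, a.caCert, csr.PublicKey, a.caKey))
	if err := a.kms.IssuanceComplete(userID); err != nil { // issuance completion information
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```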
It should be noted that the information interaction between the above devices/units, their execution processes, and their other details, together with their specific functions and technical effects, are based on the same concept as the method embodiments of the present application; for details, reference may be made to the method embodiments, which are not repeated here.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
An embodiment of the present application further provides a terminal device, referring to fig. 11, where the terminal device 600 may include: at least one processor 610, a memory 620, and a computer program stored in the memory 620 and executable on the at least one processor 610, wherein the processor 610, when executing the computer program, implements the steps of any of the above-mentioned method embodiments, such as the steps S101 to S103 in the embodiment shown in fig. 2, or the steps S201 to S203 in the embodiment shown in fig. 5. Alternatively, the processor 610, when executing the computer program, implements the functions of each module/unit in the above-described device embodiments, such as the functions of the modules 401 to 403 shown in fig. 9 or the functions of the modules 501 to 503 shown in fig. 10.
Illustratively, the computer program may be divided into one or more modules/units, which are stored in the memory 620 and executed by the processor 610 to accomplish the present application. The one or more modules/units may be a series of computer program segments capable of performing specific functions, which are used to describe the execution of the computer program in the terminal device 600.
Those skilled in the art will appreciate that fig. 11 is merely an example of a terminal device and does not limit it: the terminal device may include more or fewer components than shown, some components may be combined, or different components may be used, such as input/output devices, network access devices, and buses.
The processor 610 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, and the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 620 may be an internal storage unit of the terminal device, or an external storage device of the terminal device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), and the like. The memory 620 is used to store the computer program and the other programs and data required by the terminal device. The memory 620 may also be used to temporarily store data that has been output or is to be output.
The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, the buses in the figures of the present application are not limited to a single bus or a single type of bus.
The digital certificate key processing method provided by the embodiment of the application can be applied to terminal devices such as a server, a computer, a wearable device, a vehicle-mounted device, a tablet computer, a notebook computer, a netbook, a Personal Digital Assistant (PDA), an Augmented Reality (AR)/Virtual Reality (VR) device, and a mobile phone, and the specific type of the terminal device is not limited at all in the embodiment of the application.
Embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored, and when being executed by a processor, the computer program implements the steps in the embodiments of the digital certificate key processing method applied to the authentication server, or implements the steps in the embodiments of the digital certificate key processing method applied to the key management server.
Embodiments of the present application provide a computer program product, which, when running on a mobile terminal, enables the mobile terminal to implement the steps in the embodiments of the digital certificate key processing method applied to an authentication server, or implement the steps in the embodiments of the digital certificate key processing method applied to a key management server.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the processes in the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, or some intermediate form. The computer-readable medium may include at least: any entity or device capable of carrying the computer program code to the photographing apparatus/terminal apparatus, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunications signal, and a software distribution medium, such as a USB disk, a removable hard disk, a magnetic disk, or an optical disk. In some jurisdictions, in accordance with legislation and patent practice, computer-readable media may not include electrical carrier signals or telecommunications signals.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other ways. For example, the above-described apparatus/network device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A digital certificate key processing method, applied to an authentication server, the method comprising:
acquiring a digital certificate request sent by a user terminal, wherein the digital certificate request comprises first user identity information and digital certificate request information;
verifying the first user identity information, and after the first user identity information is verified, sending the first user identity information and the digital certificate request information to a key management server; the digital certificate request information is used for instructing the key management server to generate an encryption key pair and a signature key pair, and to generate a P10 request file according to the encryption key pair, the signature key and the first user identity information;
and receiving the P10 request file sent by the key management server, generating a digital certificate according to the P10 request file and sending the digital certificate to the user terminal.
2. The digital certificate key processing method as claimed in claim 1, wherein the digital certificate request information includes request information for requesting generation of a digital certificate or request information for requesting renewal of a digital certificate.
3. The digital certificate key processing method of claim 1, wherein the method further comprises:
sending digital certificate issuing completion information to the key management server; the digital certificate issuance completion information is used for instructing the key management server to store the encryption key pair, the signing key and the first user identity information in an associated manner.
4. The digital certificate key processing method of claim 3, wherein the method further comprises:
acquiring a digital certificate logout request sent by a user terminal, wherein the digital certificate logout request comprises second user identity information and digital certificate logout request information;
verifying the second user identity information, and sending the second user identity information and digital certificate logout request information to a key management server after the second user identity information is verified; the digital certificate logout request information is used for instructing the key management server to logout an encryption key pair and a signature key which are associated with the second user identity information;
and receiving digital certificate logout completion information sent by the key management server.
5. A digital certificate key processing method, applied to a key management server, the method comprising:
acquiring first user identity information and digital certificate request information sent by an authentication server;
generating an encryption key pair and a signature key pair according to the digital certificate request information, and generating a P10 request file according to the encryption key pair, the signature key and the first user identity information;
sending the P10 request file to the authentication server; wherein the P10 request file is used to instruct the authentication server to generate a digital certificate according to the P10 request file and send the digital certificate to the user terminal.
6. The digital certificate key processing method as claimed in claim 5, wherein the digital certificate request information includes request information for requesting generation of a digital certificate or request information for requesting renewal of a digital certificate.
7. The digital certificate key processing method of claim 5, wherein the method further comprises:
acquiring digital certificate issuing completion information sent by the authentication server;
and after receiving the digital certificate issuing completion information, storing the encryption key pair, the signature key and the first user identity information in an associated manner.
8. The digital certificate key processing method of claim 7, wherein the method further comprises:
acquiring second user identity information and digital certificate logout request information sent by the authentication server;
carrying out logout processing on an encryption key pair and a signature key associated with the second user identity information according to the digital certificate logout request information;
and sending digital certificate logout completion information to the authentication server.
9. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 8 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010245315.8A CN113472720B (en) 2020-03-31 2020-03-31 Digital certificate key processing method, device, terminal equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113472720A (en) 2021-10-01
CN113472720B CN113472720B (en) 2024-02-06

Family

ID=77865520

Country Status (1)

Country Link
CN (1) CN113472720B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102970299A (en) * 2012-11-27 2013-03-13 西安电子科技大学 File safe protection system and method thereof
WO2016177052A1 (en) * 2015-08-21 2016-11-10 中兴通讯股份有限公司 User authentication method and apparatus
CN108768664A (en) * 2018-06-06 2018-11-06 腾讯科技(深圳)有限公司 Key management method, device, system, storage medium and computer equipment
CN110445614A (en) * 2019-07-05 2019-11-12 阿里巴巴集团控股有限公司 Certificate request method, apparatus, terminal device, gateway and server

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101778381B (en) * 2009-12-31 2012-07-04 卓望数码技术(深圳)有限公司 Digital certificate generation method, user key acquisition method, mobile terminal and device

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205076A (en) * 2021-11-18 2022-03-18 广东电网有限责任公司 Quantum key distribution system based on digital certificate
CN114218548A (en) * 2021-12-14 2022-03-22 北京海泰方圆科技股份有限公司 Identity verification certificate generation method, authentication method, device, equipment and medium
CN114978611A (en) * 2022-04-29 2022-08-30 苏州浪潮智能科技有限公司 Security management method for requesting access to public network, public network service system and storage medium
CN114978611B (en) * 2022-04-29 2023-07-14 苏州浪潮智能科技有限公司 Security management method for requesting access to public network, public network service system and storage medium
CN115001699A (en) * 2022-05-05 2022-09-02 华东师范大学 Digital authentication issuing system of internet education platform
CN115842632A (en) * 2022-11-15 2023-03-24 宁德时代新能源科技股份有限公司 Identity authentication method, device, equipment and medium
CN116882636A (en) * 2023-09-05 2023-10-13 苏州浪潮智能科技有限公司 Certificate life cycle management method, device, equipment and storage medium
CN116882636B (en) * 2023-09-05 2024-01-16 苏州浪潮智能科技有限公司 Certificate life cycle management method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant