CN101170413B - A digital certificate and private key acquisition, distribution method and device - Google Patents


Info

Publication number: CN101170413B
Authority: CN (China)
Prior art keywords: private key, digital certificate, download, network equipment, ssl
Legal status: Active
Application number: CN2007101955698A
Other languages: Chinese (zh)
Other versions: CN101170413A
Inventor: 熊晓春
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN2007101955698A
Publication of CN101170413A
Priority to PCT/CN2008/073151 (WO2009074053A1)
Application granted
Publication of CN101170413B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to identity authentication technology in communication networks, and in particular to a technique for distributing a digital certificate used to authenticate identity together with its private key. The method of acquiring the digital certificate private key comprises: receiving a download message sent by the network management server over a command channel, the download message comprising the file name of the digital certificate private key and the download path of the digital certificate private key; establishing an anonymous Secure Sockets Layer (SSL) connection on a file transfer channel; and downloading the digital certificate private key over the anonymous SSL connection according to the file name and download path carried in the download message. The invention also provides a method of distributing a digital certificate private key, a network device and a network management server. Compared with manual distribution, having the network management server send the download command over the command channel and the network device download the digital certificate and private key over an anonymous SSL encrypted connection is more efficient, while the security of the distribution process is preserved.

Description

Method and device for acquiring and distributing a digital certificate and its private key
Technical field
The present invention relates to identity authentication technology in communication networks, and in particular to a technology for the secure distribution of a digital certificate and its private key.
Background
A digital certificate is an authoritative electronic document. It provides a way of verifying identity on the Internet, much as a driving licence or identity card does in daily life. It is issued by an authoritative body, a CA (Certificate Authority), and can be used to identify the other party in Internet communication.
A digital certificate must be unique and reliable, and many techniques are needed to achieve this. Usually a digital certificate is based on a public key system, that is, a pair of matching keys is used to encrypt and decrypt. Each user holds a private key known only to that user, which is used to decrypt and to sign; the user also publishes a public key, shared with a group of users, which is used to encrypt and to verify signatures. To send a confidential document, the sender encrypts the data with the recipient's public key and the recipient decrypts it with his own private key, so the information reaches its destination safely and on time. The mathematics guarantees that encryption is a one-way process: only the private key can decrypt. Public key technology solves the key distribution management problem, since a user can publish the public key while keeping the private key secret.
Digital signature technology is the typical application of asymmetric encryption algorithms. The sender of the data encrypts a digest of the data, or other variables related to the data content, with his own private key, completing a legal "signature" on the data; the receiver uses the sender's public key to recover the received "digital signature" and uses the result to check the integrity of the data and confirm the validity of the signature. Digital signatures are an important means of confirming identity in the virtual environment of a network system and can fully replace a handwritten signature, with both technical and legal guarantees. With respect to the management of public and private keys, digital signing is exactly the reverse of PGP (Pretty Good Privacy) encrypted mail: in signing, the sender's public key is easy to obtain, but his private key must be held in strict confidence.
With the spread of the Internet, digital certificates are widely used in many fields. In a mobile communications network, typical network devices include the base transceiver stations and base station controllers on the access side and the mobile switching centres and GGSNs (Gateway GPRS Support Node) on the core network side. These network devices are centrally managed by a network management system, which performs centralised data configuration, performance monitoring, alarm management, log collection and analysis, fault management and so on. The network management system is generally a server, the NM server, which is directly connected to all of the network devices.
There is a manager/managed relationship between the NM server and the network devices. To prevent unauthorised users from performing malicious operations on the network devices, the legitimacy of the identities of the network device and the NM server must be mutually authenticated, and digital certificates can be used for this. After a network device has been installed and configured but before it enters commercial operation, the operator issues a trusted digital certificate and its public key to the NM server and a trusted digital certificate and its private key to the network device. Distribution of certificates and private keys is a critical process, and the security of the certificate and private key must be ensured. To prevent the private key from being stolen in transit, the private key is generally encrypted with a password; this private key password is also distributed to the network device, which decrypts the private key with it to obtain a usable private key.
Because the NM server has a network connection to every network device, sending certificates to all devices over the network is a convenient choice, but only after a secure channel has been established between the NM server and the device can it be guaranteed that the certificate, private key and private key password will not be intercepted in transit. Secure transport technology has a precondition: before a secure tunnel can be set up between two nodes, credentials of mutual trust, that is, a digital certificate and its private key, must already be configured on both nodes. There is therefore a circular dependency: without distributed certificates and private keys no secure connection can be set up, and without a secure connection the certificates and private keys cannot be distributed securely.
Because of this contradiction, certificates and private keys cannot be sent to all network devices over a secure network connection, and the only option is to copy the certificate and private key of each network device onto it manually, one device at a time, which is time-consuming and inefficient.
Between a communication network device and the NM server there are generally two communication channels: a command channel and a file transfer channel. The command channel carries operation commands and their responses; the file transfer channel is used to upload and download files. The file transfer channel uses FTP (File Transfer Protocol), which transfers data in packets over the network from a server to one or more network devices.
FTP also has a security extension, FTPS (FTP over SSL). FTPS supports encrypted transmission with SSL (Secure Sockets Layer) and also supports identity authentication with digital certificates. The SSL security protocol in FTPS protects the data exchanged by the two parties over the network connection, which is a significant security improvement over plaintext transmission.
One could consider using an anonymous SSL connection on the file transfer channel to transmit the digital certificate, the private key and the private key password. In practice this approach has two problems. First, the FTP file transfer channel is only suited to transferring data and files, not commands, parameters or passwords, so the private key password cannot be sent directly over the file transfer channel. Second, if the digital certificate, private key and private key password were all transferred over the file transfer channel, all three could be intercepted at once on the same channel, allowing the certificate and private key to be used illegitimately.
Summary of the invention
Embodiments of the invention provide methods of acquiring and distributing a digital certificate and its private key, and corresponding equipment, in order to distribute digital certificates and their private keys efficiently.
A method of acquiring a digital certificate private key comprises the following steps:
Receiving a download message sent by the NM server over the command channel, the download message comprising the file name of the digital certificate private key, the download path of the digital certificate private key and the private key password of the digital certificate private key; establishing an anonymous SSL (Secure Sockets Layer) connection with the NM server on the file transfer channel; downloading the digital certificate private key over the anonymous SSL connection according to the file name and download path in the download message; and activating the digital certificate private key with the private key password.
A method of distributing a digital certificate private key comprises the following steps: sending a download message to the network device over the command channel, the download message comprising the file name of the digital certificate private key, the download path of the digital certificate private key and the private key password of the digital certificate private key; after receiving the network device's request to establish an anonymous SSL connection, establishing the anonymous SSL connection with the network device on the file transfer channel; and after receiving the download request that the network device sends according to the private key file name and download path, distributing the digital certificate private key to the network device over the anonymous SSL connection, the private key password being used by the network device to activate the private key.
A network device comprises:
A command analysis module, which, after receiving the download message sent by the NM server over the command channel, parses out the digital certificate private key file name, the download path of the digital certificate private key and the private key password of the digital certificate private key, the private key password being used to activate the digital certificate private key;
A download module, which establishes an anonymous SSL connection with the NM server on the file transfer channel and downloads the digital certificate private key over that SSL connection according to the digital certificate private key file name and download path.
An NM server comprises:
An instruction issuing module, which sends a download message to the network device over the command channel, the download message comprising the file name of the digital certificate private key, the download path of the digital certificate private key and the private key password of the digital certificate private key;
A download response module, which establishes an anonymous SSL connection with the network device on the file transfer channel and responds to the network device's request, sent over that SSL connection according to the digital certificate private key file name and download path, to download the digital certificate private key;
An encryption module, which encrypts the private key password of the digital certificate private key with a symmetric encryption algorithm.
In the embodiments of the invention the NM server sends the download instruction and the encrypted private key password over the command channel, and the network device downloads the digital certificate and its private key over the anonymous SSL encrypted connection of the file transfer channel. This is more efficient than distributing digital certificates and private keys manually, and transmitting the digital certificate and digital certificate private key over the anonymous SSL encrypted connection guarantees the security of the distribution process. Moreover, because the network device obtains the key password by a different channel from the digital certificate and private key, the transmitted key password, digital certificate and private key are better protected against interception during distribution.
Description of drawings
Fig. 1a is a schematic diagram of the digital certificate and private key distribution system of an embodiment of the invention;
Fig. 1b is a flow chart of the digital certificate and private key distribution method of embodiment one of the invention;
Fig. 2 is a block diagram of the digital certificate and private key distribution system of embodiment one of the invention;
Fig. 3 is a flow chart of the digital certificate and private key distribution method of embodiment two of the invention;
Fig. 4 is a block diagram of the digital certificate and private key distribution system of embodiment two of the invention.
Detailed description
As shown in Fig. 1a, in the embodiments of the invention the instruction to download the digital certificate and private key is sent over the plaintext command channel between the NM server and the network device, and the digital certificate and private key are transmitted over the SSL encrypted connection of the file transfer channel between the NM server and the network device, so that digital certificates and private keys are distributed to each network device efficiently and securely.
Embodiment one provides a scheme in which the NM server uses a download instruction to tell the network device to download the digital certificate and private key in SSL encrypted mode; embodiment two provides a scheme in which the NM server uses a download instruction to tell the network device to download the digital certificate and private key in SSL encrypted mode and then uses an activation instruction to give the network device the key password with which it activates the downloaded digital certificate and private key.
Embodiment one
Embodiment one of the invention provides a method of distributing a digital certificate and private key; its flow chart is shown in Fig. 1b and comprises the following steps:
Step S101: the NM server sends a download instruction to the network device over the command channel.
The download instruction sent by the NM server to the network device over the command channel carries the following download information:
The digital certificate file name and the download path of the digital certificate, which tell the network device which digital certificate file to download and where to download it from.
The private key file name and the download path of the private key, which tell the network device which private key file to download and where to download it from.
The encrypted private key password; the private key password is encrypted with a symmetric method.
The download instruction instructs the network device to download the corresponding digital certificate, private key and private key password from the NM server.
Step S102: after receiving the download instruction, the network device establishes an anonymous SSL connection with the NM server on the file transfer channel.
After receiving the download instruction, the network device sends the NM server a request to establish an anonymous SSL connection; the NM server responds to the request and the anonymous SSL connection is established.
Step S103: after the SSL connection has been established, the network device downloads the digital certificate and the private key over the file transfer channel.
After the SSL connection has been established, the network device downloads the corresponding digital certificate according to the digital certificate file name and download path in the download instruction, and downloads the corresponding private key according to the private key file name and download path. The private key has been encrypted in advance on the NM server with the private key password.
Because the private key is the key used with the digital certificate for encryption, the security of the private key determines the security of the digital certificate. To keep the private key secure, the download message must therefore include the private key file name and download path, and the private key must be downloaded over the SSL connection. The digital certificate itself may be obtained in other ways, for example by plaintext download over the file transfer channel. The private key password further protects the private key, so it may either be downloaded over the SSL connection or obtained by other means.
Step S104: the network device decrypts the encrypted private key password carried in the received download instruction with the symmetric encryption algorithm.
To further protect the private key password, this embodiment encrypts the private key password on the NM server with a symmetric encryption algorithm and decrypts it on the network device with the same algorithm. The symmetric key is preset on both the NM server and the network device. The private key password could also be transmitted unencrypted, but this would reduce the security of the digital certificate distribution process.
In this way the network device securely obtains the digital certificate, the private key and the private key password of that private key, and can activate the private key with the private key password.
This embodiment also provides a digital certificate and private key distribution system, whose block diagram is shown in Fig. 2 and which comprises an NM server 201 and at least one network device 202.
A command channel and a file transfer channel exist between the NM server 201 and the network device 202.
The NM server 201 comprises an instruction issuing module 203, a download response module 204 and an encryption module 208.
The network device 202 comprises a command analysis module 205, a download module 206 and a decryption module 207.
The instruction issuing module 203 sends a download instruction to the network device 202 over the command channel. The download instruction carries the following download information:
The digital certificate file name and the download path of the digital certificate, which tell the network device which digital certificate file to download and where to download it from.
The private key file name and the download path of the private key, which tell the network device which private key file to download and where to download it from.
The encrypted private key password; the private key password is encrypted with a symmetric method.
The encryption module 208 of the NM server 201 encrypts the private key password of the digital certificate private key with a symmetric encryption algorithm.
The command analysis module 205 of the network device 202 receives the commands sent by the NM server 201 over the command channel and parses them. On receiving a download instruction it parses out the digital certificate file name and download path, the private key file name and download path, and the encrypted private key password, then sends a download notification to the download module 206 and a decryption notification to the decryption module 207.
On receiving the download notification from the command analysis module 205, the download module 206 sends the NM server 201 a request to establish an anonymous SSL connection. The download module 206 is a client module supporting the FTPS protocol.
The download response module 204 of the NM server 201 responds to the anonymous SSL connection request and establishes an anonymous SSL connection with the network device 202 on the file transfer channel.
Over this SSL connection, the download module 206 of the network device 202 downloads the corresponding digital certificate and private key from the NM server 201 according to the digital certificate file name and download path and the private key file name and download path parsed by the command analysis module 205.
The download response module 204 of the NM server 201 responds to the download request from the download module 206 and sends the digital certificate and private key to the network device 202 over the SSL connection. The download response module 204 is a server-side module supporting the FTPS protocol.
On receiving the decryption notification, the decryption module 207 decrypts the encrypted private key password parsed by the command analysis module 205 with the symmetric encryption algorithm, obtaining the private key password in the clear.
The network device 202 thus securely obtains the digital certificate, the private key and the decrypted private key password, and can activate the private key with the private key password.
Because the NM server sends the download instruction and private key password over the command channel while the network device downloads the digital certificate and private key over the SSL encrypted connection of the file transfer channel, the security of the distribution of the digital certificate and private key is guaranteed; and because the network device obtains the private key password and the digital certificate and private key over different channels, the transmitted private key password, digital certificate and private key are better protected against interception during distribution.
Embodiment two
The embodiment of the invention two provides a kind of digital certificate, private key distribution method, and flow chart comprises following concrete steps as shown in Figure 3:
Step S301: NM server sends download instruction by the command channel to the network equipment.
NM server sends download instruction by the command channel to the network equipment, comprises following information in this download instruction:
The download path of digital certificate filename and digital certificate is used to make the digital certificate filename that the network equipment knows that needs are downloaded and the download path of this digital certificate.
The download path of private key file name and private key is used to make the network equipment to know the filename of the private key that needs are downloaded and the download path of this private key.
Step S302: the network equipment is set up anonymous SSL with NM server at the file transfer passage and is connected after receiving download instruction.
The network equipment sends the connection request of setting up anonymous SSL to NM server after receiving download instruction, NM server responds this request, sets up anonymous SSL and connects.
Step S303: after SSL connected foundation, the network equipment was by file transfer passage downloading digital certificate and private key.
After SSL connected foundation, the network equipment was downloaded the corresponding digital certificate according to the download path of digital certificate filename and digital certificate in the download instruction, downloads corresponding private key according to the download path of private key file name and private key.Used the private key password encryption in advance at this private key of NM server.
Because private key is used for digital certificate is encrypted in the above-mentioned download message, the fail safe of private key has determined the fail safe of digital certificate, so in order to guarantee the safety of private key, the download path that must comprise private key file name and private key in the download message, the download of private key then must connect to guarantee its fail safe by SSL.Then can take other approach to obtain for digital certificate, obtain such as downloading by file transfer passage expressly.
Step S304: after download was finished, NM server sent activation instruction by the command channel to the network equipment.
After download was finished, NM server sent activation instruction by the command channel to the network equipment, included the private key password after the encryption in this activation instruction.This private key password is encrypted for adopting symmetry approach.
In order further to guarantee the fail safe of private key password, the embodiment of the invention utilizes the symmetric cryptographic key of symmetric encipherment algorithm to encrypt at network server end private key password, utilizes symmetric cryptographic key to be decrypted at network equipment end.This symmetric cryptographic key sets in advance in the webserver and the network equipment.Certainly, in realization, also can transmit the private key password of not encrypting, but this will reduce the fail safe in the digital certificate distribution procedure.
Step S305: after the network equipment is received activation instruction, with the private key password of the encryption in the symmetry approach deciphering activation instruction.
NM server passes through to send activation instruction to the network equipment, thereby digital certificate and private key that informing network equipment receives carry out activation manipulation.The private key password of encryption is arranged, after the network equipment is received this activation instruction, with the private key password of encrypting in the symmetry approach deciphering activation instruction in activation instruction.
Like this, the acquisition of the network equipment safety digital certificate and private key, and the private key password of this private key.
The embodiment of the invention provides a digital certificate and private key distribution system, as shown in Figure 4, comprising an NM server 401 and at least one network device 402.
A command channel and a file transfer channel are provided between the NM server 401 and the network device 402.
The NM server 401 comprises an instruction issuing module 403, a download response module 404 and an encrypting module 408.
The network device 402 comprises a command analysis module 405, a download module 406 and a decrypting module 407.
The encrypting module 408 of the NM server 401 is used to encrypt the private key password of the digital certificate private key with a symmetric encryption algorithm.
The instruction issuing module 403 of the NM server 401 sends a download instruction to the network device 402 over the command channel. The download instruction comprises the following information:
the digital certificate filename and the download path of the digital certificate, which let the network device know the filename of the digital certificate to be downloaded and where to download it from;
the private key filename and the download path of the private key, which let the network device know the filename of the private key to be downloaded and where to download it from.
The command analysis module 405 of the network device 402 is used to receive the commands that the NM server 401 sends over the command channel and to parse the received commands. After receiving the download instruction, the command analysis module 405 parses out the digital certificate filename, the download path of the digital certificate, the private key filename and the download path of the private key from the download instruction, and sends a download notification to the download module 406.
After receiving the download notification from the command analysis module 405, the download module 406 sends a request to the NM server 401 to establish an anonymous SSL connection. The download module 406 is a client module supporting the FTPS protocol.
The download response module 404 of the NM server 401 responds to this anonymous SSL connection request and establishes an anonymous SSL connection with the network device 402 on the file transfer channel.
Over this SSL connection, the download module 406 of the network device 402 downloads the corresponding digital certificate and private key from the NM server 401 according to the digital certificate filename, the download path of the digital certificate, the private key filename and the download path of the private key that the command analysis module 405 parsed out of the download instruction.
The download response module 404 of the NM server 401 responds to the download request of the download module 406 and sends the digital certificate and private key to the network device 402 over the SSL connection. The download response module 404 is a server-side module supporting the FTPS protocol.
After the download module 406 has finished downloading the digital certificate and private key, the instruction issuing module 403 sends an activation instruction to the network device 402 over the command channel. This activation instruction carries the private key password encrypted with the symmetric encryption algorithm.
After receiving the activation instruction, the command analysis module 405 parses out the encrypted private key password from the activation instruction and sends a decryption notification to the decrypting module 407.
After receiving the decryption notification, the decrypting module 407 decrypts the encrypted private key password parsed out by the command analysis module 405 using the symmetric encryption algorithm, obtaining the private key password in unencrypted form.
Thus the network device 402 securely obtains the digital certificate, the private key and the decrypted private key password.
In the embodiment of the invention, because the NM server sends the download instruction and the private key password over the command channel while the network device downloads the digital certificate and private key over the SSL-encrypted connection of the file transfer channel, the security of digital certificate and private key distribution is ensured. Moreover, because the network device obtains the private key password and the digital certificate and private key over different channels, the transmitted private key password, digital certificate and so on are better protected against interception during distribution.
Because the download instruction and the activation instruction are sent separately, the embodiment of the invention makes downloading and activating the digital certificate and private key more flexible. The NM server can let each network device download the digital certificate and private key in advance and then, when activation is needed, send the private key password in an activation instruction, so that the network device can decrypt the private key with this password and thereby activate the digital certificate and private key.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method in the foregoing embodiment can be carried out by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.
The above is merely a preferred implementation of the present invention. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
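The exchange described in steps S305 and the Figure 4 modules above (a download instruction on the command channel, a fetch of the certificate and key file over the anonymous SSL file transfer channel, then an activation instruction carrying the symmetrically encrypted private key password that the decrypting module 407 unwraps) can be walked through end to end. The Python below is an added example written for this page; it is not code from the patent or from Huawei. The JSON message layouts, the field names, the HMAC-SHA256 counter-mode-plus-MAC scheme that stands in for the patent's unspecified symmetric algorithm, the PBKDF2 wrapping of the key file, and every sample value are assumptions.

```python
"""Two-channel certificate/private-key distribution, server and device side.
Added example for this page, not the patent's code; message layouts, field
names, the stdlib-only symmetric scheme and all sample values are assumptions."""
import hashlib
import hmac
import json
import secrets

# Symmetric key pre-configured on both the NM server and the device (constructed value).
PRESHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _subkey(key, label):
    """Separate encryption and MAC keys so the pre-shared key is never used for both."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for the patent's unspecified symmetric cipher."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC, so the receiver rejects a message that was modified in transit."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_sealed(key, blob):
    nonce, ct, tag = (bytes.fromhex(blob[f]) for f in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC check failed: message rejected")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


# ---- NM server side: instruction issuing module 403 and encrypting module 408 ----
def make_download_instruction(cert_name, cert_path, key_name, key_path):
    return json.dumps({"cmd": "download", "cert_name": cert_name, "cert_path": cert_path,
                       "key_name": key_name, "key_path": key_path})


def make_activation_instruction(psk, key_password):
    # Only the encrypted password travels on the command channel; the key file itself never does.
    return json.dumps({"cmd": "activate", "enc_password": seal(psk, key_password.encode())})


def wrap_private_key(key_pem, password):
    """Password-protect the key file served over FTPS (PBKDF2 stands in for PEM/PKCS#8 wrapping)."""
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt.hex(), **seal(kek, key_pem)}


# ---- Network device side: command analysis 405, download 406, decrypting 407 ----
class NetworkDevice:
    def __init__(self, psk):
        self.psk = psk
        self.cert = self.key_blob = self.private_key = None

    def handle_command(self, raw, fetch=None):
        """Command analysis module 405: parse the instruction and dispatch on its type."""
        msg = json.loads(raw)
        if msg["cmd"] == "download":
            # Download module 406; fetch(path, name) stands in for the FTPS client over anonymous SSL.
            self.cert = fetch(msg["cert_path"], msg["cert_name"])
            self.key_blob = json.loads(fetch(msg["key_path"], msg["key_name"]))
        elif msg["cmd"] == "activate":
            self._activate(msg["enc_password"])
        else:
            raise ValueError("unknown instruction %r" % msg["cmd"])

    def _activate(self, enc_password):
        """Decrypting module 407, then activation: the recovered password must unlock the key."""
        if self.key_blob is None:
            raise RuntimeError("activation instruction received before the private key was downloaded")
        password = open_sealed(self.psk, enc_password).decode()
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(self.key_blob["salt"]), 100_000)
        self.private_key = open_sealed(kek, self.key_blob)  # ValueError if the password is wrong

    def is_active(self):
        return self.private_key is not None and self.private_key.startswith(b"-----BEGIN")


def demo():
    """Run the whole exchange on constructed data and return the device after activation."""
    password = "constructed-passphrase"
    key_pem = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"
    cert_pem = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    repo = {("/certs", "dev1.crt"): cert_pem,  # what the FTPS server offers on the file transfer channel
            ("/keys", "dev1.key"): json.dumps(wrap_private_key(key_pem, password)).encode()}
    dev = NetworkDevice(PRESHARED_KEY)
    dev.handle_command(make_download_instruction("dev1.crt", "/certs", "dev1.key", "/keys"),
                       fetch=lambda path, name: repo[(path, name)])
    dev.handle_command(make_activation_instruction(PRESHARED_KEY, password))
    return dev
```

The `fetch` callable stands in for the FTPS client on the anonymous SSL connection, which in the patent provides confidentiality on the file transfer channel. An anonymous handshake authenticates neither peer, so the example ties the integrity of the password to the pre-shared symmetric key (encrypt-then-MAC with separate subkeys) and makes the device refuse an activation instruction that arrives before the key file has been downloaded, which is the ordering the method depends on; a wrong or modified password surfaces as a MAC failure when the key file is unwrapped rather than as a silently garbled key.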

Claims (10)

1. A method for obtaining a digital certificate private key, characterized in that it comprises the steps of:
receiving a download message sent by an NM server over a command channel, the download message comprising: a digital certificate private key filename, a download path of the digital certificate private key, and a private key password of the digital certificate private key;
establishing an anonymous SSL (Secure Sockets Layer) connection with the NM server on a file transfer channel;
downloading the digital certificate private key over the anonymous SSL connection according to the digital certificate private key filename and the download path of the digital certificate private key in the download message, and activating the digital certificate private key according to the private key password.
2. The method of claim 1, characterized in that the download message further comprises: a digital certificate filename and a download path of the digital certificate; and
the method further comprises: downloading the digital certificate over the anonymous SSL connection according to the digital certificate filename and the download path of the digital certificate.
3. The method of claim 1, characterized in that the private key password is encrypted by the NM server with a symmetric key; and
the private key password is decrypted with the symmetric key.
4. A method for distributing a digital certificate private key, characterized in that it comprises the steps of:
sending a download message to a network device over a command channel, the download message comprising: a digital certificate private key filename, a download path of the digital certificate private key, and a private key password of the digital certificate private key;
after receiving a request from the network device to establish an anonymous SSL (Secure Sockets Layer) connection, establishing an anonymous SSL connection with the network device on a file transfer channel;
after receiving a download request sent by the network device according to the digital certificate private key filename and the download path of the digital certificate private key, distributing the digital certificate private key to the network device over the anonymous SSL connection, the private key password being used by the network device to activate the private key.
5. The method of claim 4, characterized in that the download message further comprises: a digital certificate filename and a download path of the digital certificate; and
the method further comprises: after receiving a download request sent by the network device according to the digital certificate filename and the download path of the digital certificate, distributing the digital certificate to the network device over the anonymous SSL connection.
6. The method of claim 4, characterized in that it further comprises:
encrypting the private key password with a symmetric key, the encrypted private key password being decrypted by the network device with the symmetric key.
7. A network device, characterized in that it comprises:
a command analysis module, used to parse, after receiving a download message sent by an NM server over a command channel, the digital certificate private key filename, the download path of the digital certificate private key and the private key password of the digital certificate private key in the download message, wherein the private key password of the digital certificate private key is used to activate the digital certificate private key;
a download module, used to establish an anonymous SSL connection with the NM server on a file transfer channel and to download the digital certificate private key over the SSL connection according to the digital certificate private key filename and the download path of the digital certificate private key.
8. The device of claim 7, characterized in that the download message further comprises: a digital certificate filename and a download path of the digital certificate; and
the command analysis module is further used to parse the digital certificate filename and the download path of the digital certificate from the download message;
the download module is further used to download the digital certificate over the SSL connection according to the digital certificate filename and the download path of the digital certificate.
9. An NM server, characterized in that it comprises:
an instruction issuing module, used to send a download message to a network device over a command channel, the download message comprising: a digital certificate private key filename, a download path of the digital certificate private key, and a private key password of the digital certificate private key;
a download response module, used to establish an anonymous SSL connection with the network device on a file transfer channel and to respond to the request, sent by the network device over the SSL connection according to the digital certificate private key filename and the download path of the digital certificate private key, to download the digital certificate private key;
an encrypting module, used to encrypt the private key password of the digital certificate private key with a symmetric encryption algorithm.
10. The NM server of claim 9, characterized in that the download message further comprises: a digital certificate filename and a download path of the digital certificate; and
the download response module is further used to respond to the request, sent by the network device over the SSL connection according to the digital certificate filename and the download path of the digital certificate, to download the digital certificate.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2007101955698A CN101170413B (en) 2007-12-06 2007-12-06 A digital certificate and private key acquisition, distribution method and device
PCT/CN2008/073151 WO2009074053A1 (en) 2007-12-06 2008-11-21 A digital certificate and its private key acquisition and distribution method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101955698A CN101170413B (en) 2007-12-06 2007-12-06 A digital certificate and private key acquisition, distribution method and device

Publications (2)

Publication Number Publication Date
CN101170413A CN101170413A (en) 2008-04-30
CN101170413B true CN101170413B (en) 2011-01-05

Family

ID=39390894

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101955698A Active CN101170413B (en) 2007-12-06 2007-12-06 A digital certificate and private key acquisition, distribution method and device

Country Status (2)

Country Link
CN (1) CN101170413B (en)
WO (1) WO2009074053A1 (en)


Also Published As

Publication number Publication date
WO2009074053A1 (en) 2009-06-18
CN101170413A (en) 2008-04-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant