CN113765899A - Certificate replacement method, system and device for node agent - Google Patents
Certificate replacement method, system and device for node agent Download PDFInfo
- Publication number
- CN113765899A CN113765899A CN202110964781.6A CN202110964781A CN113765899A CN 113765899 A CN113765899 A CN 113765899A CN 202110964781 A CN202110964781 A CN 202110964781A CN 113765899 A CN113765899 A CN 113765899A
- Authority
- CN
- China
- Prior art keywords
- certificate
- server
- node
- request
- request file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 28
- 230000010076 replication Effects 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 8
- 238000012544 monitoring process Methods 0.000 claims description 5
- 230000008569 process Effects 0.000 abstract description 6
- 238000005516 engineering process Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 4
- 230000000694 effects Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000001193 catalytic steam reforming Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000008685 targeting Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/068—Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/562—Brokering proxy services
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides a method, a system and a device for replacing a certificate of a node proxy, wherein the method comprises the steps that the node proxy checks the validity period of the certificate and sends a certificate signature request to a server for the certificate to be expired; the server monitors the establishment of a certificate request file, and carries out approval and certificate signing on the established certificate request file to form a secure transport layer protocol certificate; and the node agent acquires the secure transport layer protocol certificate and utilizes the secure transport layer protocol certificate to connect the server. The invention checks the validity period of the self certificate through the node agent, sends a certificate signing request to the certificate which is about to expire, realizes the approval and signing of the certificate in the server, forms a secure transport layer protocol certificate, and the node agent acquires and utilizes the secure transport layer protocol certificate to reestablish the connection with the server, thereby simplifying the replacement mode of the certificate, avoiding the participation of manpower in the whole process and greatly saving the manpower and time cost.
Description
Technical Field
The invention relates to the technical field of cluster security, in particular to a certificate replacement method, system and device for a node proxy.
Background
Container technology is a more computing resource-saving and more flexible virtualization technology than virtual machine technology. With the development of container technology, a plurality of container arrangement engines for managing containers are appeared, and Kubernets (open source system for automatically deploying, expanding and managing containerized applications) technology is emerging as a de facto standard in the field of container arrangement.
With the gradual maturity of cloud native technologies, a kubernets system is extended to an edge computing scenario, an edge node is connected with a central cloud through a public network, and an encryption Protocol based on HTTPS (Hyper Text Transfer Protocol over secure session Layer, HTTP channel targeting security) is required to ensure the security of communication.
The stage of HTTPS establishing a connection is the process of asymmetric encryption + symmetric encryption + digital certificate co-action. However, the digital certificate is time-limited, once the HTTPS expires, the HTTPS cannot continue to establish a connection for communication, so that the certificate needs to be replaced regularly, and the alternation of the certificate update causes great labor maintenance and time cost to enterprises.
Disclosure of Invention
The invention provides a method, a system and a device for replacing a certificate of a node proxy, which are used for solving the problem that the existing certificate updating rotation brings a large amount of time and labor cost to enterprises.
In order to achieve the purpose, the invention adopts the following technical scheme:
a first aspect of the present invention provides a certificate replacement method for a node agent, including the steps of:
the node agent checks the validity period of the certificate and sends a certificate signature request to the server for the certificate to be expired;
the server monitors the establishment of a certificate request file, and carries out approval and certificate signing on the established certificate request file to form a secure transport layer protocol certificate;
and the node agent acquires the secure transport layer protocol certificate and utilizes the secure transport layer protocol certificate to connect the server.
Further, the certificate signing request sent to the server includes a unit name of the node proxy, and the unit name is used as a proxy identifier.
Further, the steps of performing the verification of the created certificate request file and signing the certificate specifically include:
detecting the identification attribute of the created certificate request file, and performing replication when the identification attribute is consistent with the agent identification;
and monitoring the state of the certificate request file, signing the certificate for the approved certificate request file, and attaching the signed certificate to the certificate signing request.
Further, the creation of the certificate request file is realized by calling an interface of the API server by the node.
Further, the node is an edge node, and the server is an API server.
A second aspect of the present invention provides a certificate exchange system of a node agent, the system including:
the certificate checking unit is used for checking the validity period of the certificate through the node proxy, sending a certificate signing request to the server for the certificate to be expired, wherein the certificate signing request comprises the unit name of the node proxy and takes the unit name as a proxy identifier;
the certificate request file processing unit monitors the establishment of a certificate request file through a server, and carries out approval and certificate signing on the established certificate request file to form a secure transport layer protocol certificate;
and the certificate replacing unit acquires the secure transport layer protocol certificate through the node agent and connects the server by using the secure transport layer protocol certificate.
Further, the certificate request file processing unit includes:
the reply module is used for detecting the identification attribute of the created certificate request file, and when the identification attribute is consistent with the agent identification, the reply is carried out;
and the signature module is used for monitoring the state of the certificate request file, signing the certificate for the approved certificate request file and attaching the signed certificate to the certificate signature request.
The third aspect of the present invention provides a node proxy certificate replacement apparatus, including a node proxy and a server, where the node proxy checks the validity period of a certificate, sends a certificate signing request to the server for the certificate that will expire, and obtains a secure transport layer protocol certificate formed by the server based on the certificate signing request, and connects the server using the secure transport layer protocol certificate; the server monitors the establishment of a certificate request file, and carries out approval and certificate signing on the established certificate request file to form a secure transport layer protocol certificate; the certificate signing request comprises a unit name of the node agent, and the unit name is used as an agent identifier.
Further, the server comprises a replication controller and a signature controller;
the replication controller detects the identification attribute of the created certificate request file, and performs replication when the identification attribute is consistent with the agent identification;
the signature controller monitors the state of the certificate request file, signs the certificate for the approved certificate request file, and attaches the signed certificate to the certificate signature request.
A fourth aspect of the invention provides a computer storage medium having stored thereon computer instructions which, when run on the system, cause the system to perform the steps of the method.
The certificate exchange system according to the second aspect and the certificate exchange apparatus according to the third aspect of the present invention are each capable of implementing the method according to the first aspect and each implementation manner of the first aspect, and achieve the same effects.
The effect provided in the summary of the invention is only the effect of the embodiment, not all the effects of the invention, and one of the above technical solutions has the following advantages or beneficial effects:
the invention checks the validity period of the self certificate through the node agent, sends a certificate signing request to the certificate which is about to expire, realizes the approval and signing of the certificate in the server, forms a secure transport layer protocol certificate, and the node agent acquires and utilizes the secure transport layer protocol certificate to reestablish the connection with the server, thereby simplifying the replacement mode of the certificate, avoiding the participation of manpower in the whole process and greatly saving the manpower and time cost.
Drawings
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present invention, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without creative efforts.
FIG. 1 is a schematic flow diagram of the process of the present invention;
FIG. 2 is a schematic diagram of a specific implementation process of the method of the present invention;
FIG. 3 is a schematic diagram of the system of the present invention;
fig. 4 is a schematic diagram of the working principle of the device of the present invention.
Detailed Description
In order to clearly explain the technical features of the present invention, the following detailed description of the present invention is provided with reference to the accompanying drawings. The following disclosure provides many different embodiments, or examples, for implementing different features of the invention. To simplify the disclosure of the present invention, the components and arrangements of specific examples are described below. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. It should be noted that the components illustrated in the figures are not necessarily drawn to scale. Descriptions of well-known components and processing techniques and procedures are omitted so as to not unnecessarily limit the invention.
As shown in fig. 1, the method for replacing a certificate of a node proxy according to the present invention includes the following steps:
s1, the node proxy checks the validity period of the certificate and sends a certificate signing request to the server for the certificate to be expired;
s2, the server monitors the establishment of the certificate request file, and carries out the approval and the signing of the certificate on the established certificate request file to form a secure transport layer protocol certificate;
and S3, the node agent acquires the secure transport layer protocol certificate and uses the secure transport layer protocol certificate to connect with the server.
In step S1, the certificate signing request sent to the server includes the unit name of the node agent, where the unit name is used as an agent identifier.
In step S2, the steps of performing the verification of the created certificate request file and signing the certificate specifically include: detecting the identification attribute of the created certificate request file, and performing replication when the identification attribute is consistent with the agent identification; and monitoring the state of the certificate request file, signing the certificate for the approved certificate request file, and attaching the signed certificate to the certificate signing request. Wherein, the replication of the certificate request file is realized by a replication controller in the server; the signing of the certificate is realized by a signature controller in the server.
And the creation of the certificate request file is realized by calling an interface of the API server by the node.
As shown in fig. 2, a specific process of implementing the method according to the present invention is as follows, where the node is an edge node, and the server is an API server kubernets APIServer.
1) And the date of the certificate is checked by the edge node agent regularly.
2) The edge node proxy sends a certificate Signing request CSR (certificate Signing request) to the kubernets apis server for the certificate to be expired, where the CSR includes a public key and a proxy identifier, and in this embodiment, Organization of the proxy is used as the proxy identifier.
3) And the replication controller performs replication on the CSR meeting the condition, wherein the condition is that the identification attribute consistent with the agent identification exists in the created certificate request file.
4) And returning the reply result to the Kubernetes APIServer.
5) The signature controller performs certificate signing on the approved CSRs.
6) The signing controller appends the signed certificate to the certificate signing request.
7) The edge node proxy requests the kubernets APIServer to obtain the signed certificate.
8) Kubernetes APIServer returns a signed secure transport layer protocol certificate TLS to the edge node proxy.
9) And the edge node proxy writes the TLS certificate into a disk and performs certificate rotation.
10) Close the previous connection and update the connection with kubernets APIServer, reconnect to kubernets APIServer using the new credentials.
As shown in fig. 3, the present invention also provides a certificate exchange system of a node agent, which includes a certificate checking unit 1, a certificate request file processing unit 2, and a certificate exchange unit 3.
The certificate checking unit 1 checks the validity period of a certificate through a node proxy, and sends a certificate signing request to a server for the certificate to be expired, wherein the certificate signing request comprises a unit name of the node proxy and takes the unit name as a proxy identifier; the certificate request file processing unit 2 monitors the creation of a certificate request file through a server, and carries out approval and certificate signing on the created certificate request file to form a secure transport layer protocol certificate; the certificate replacing unit 3 obtains the secure transport layer protocol certificate through the node agent, and connects the server by using the secure transport layer protocol certificate.
The certificate request file processing unit includes a wholesale module 21 and a signature module 22.
The replication module 21 is configured to detect an identifier attribute of the created certificate request file, and perform replication when the identifier attribute is consistent with the agent identifier; the signature module 22 is configured to monitor a state of the certificate request file, perform certificate signing on the certified certificate request file, and attach the signed certificate to the certificate signature request.
As shown in fig. 4, the certificate exchange apparatus for a node proxy according to the present invention includes a node proxy and a server kubernets APIServer. The edge nodes are connected with the central cloud through a public network. The server comprises a replication controller and a signature controller.
The node agent checks whether the certificate is expired or not at regular time through a timer, and sends a certificate signing request CSR to the server for the certificate to be expired; the server monitors the establishment of a certificate request file CSR, and the replication controller detects the identification attribute of the established certificate request file, and performs replication when the identification attribute is consistent with the agent identification; and the signature controller monitors the state of the certificate request file, signs the certificate for the certified certificate request file, and attaches the signed certificate to the certificate signature request to form a security transport layer protocol certificate (TLS).
The proxy acquires a security transport layer protocol certificate TLS formed by the server based on the certificate signing request, writes the security transport layer protocol certificate TLS into a disk, performs certificate rotation, and establishes HTTPS connection with the server by using the security transport layer protocol certificate;
the present invention also provides a computer storage medium having stored thereon computer instructions which, when run on the system, cause the system to perform the steps of the method.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present invention, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive efforts by those skilled in the art based on the technical solution of the present invention.
Claims (10)
1. A method for replacing a certificate of a node agent, the method comprising the steps of:
the node agent checks the validity period of the certificate and sends a certificate signature request to the server for the certificate to be expired;
the server monitors the establishment of a certificate request file, and carries out approval and certificate signing on the established certificate request file to form a secure transport layer protocol certificate;
and the node agent acquires the secure transport layer protocol certificate and utilizes the secure transport layer protocol certificate to connect the server.
2. The method for replacing a certificate of a node proxy as claimed in claim 1, wherein the certificate signing request sent to the server includes a unit name of the node proxy, and the unit name is used as a proxy identifier.
3. The method for replacing a certificate of a node proxy according to claim 2, wherein said signing the created certificate request file and the certificate specifically comprises:
detecting the identification attribute of the created certificate request file, and performing replication when the identification attribute is consistent with the agent identification;
and monitoring the state of the certificate request file, signing the certificate for the approved certificate request file, and attaching the signed certificate to the certificate signing request.
4. The method of claim 1, wherein the creation of the certificate request file is performed by a node calling an interface of an API server.
5. The method of claim 1 wherein the node is an edge node and the server is an API server.
6. A certificate exchange system for a node agent, the system comprising:
the certificate checking unit is used for checking the validity period of the certificate through the node proxy, sending a certificate signing request to the server for the certificate to be expired, wherein the certificate signing request comprises the unit name of the node proxy and takes the unit name as a proxy identifier;
the certificate request file processing unit monitors the establishment of a certificate request file through a server, and carries out approval and certificate signing on the established certificate request file to form a secure transport layer protocol certificate;
and the certificate replacing unit acquires the secure transport layer protocol certificate through the node agent and connects the server by using the secure transport layer protocol certificate.
7. The node-agent certificate exchange system as claimed in claim 6, wherein said certificate request file processing unit comprises:
the reply module is used for detecting the identification attribute of the created certificate request file, and when the identification attribute is consistent with the agent identification, the reply is carried out;
and the signature module is used for monitoring the state of the certificate request file, signing the certificate for the approved certificate request file and attaching the signed certificate to the certificate signature request.
8. A node proxy certificate replacing device comprises a node proxy and a server, and is characterized in that the node proxy checks the validity period of a certificate, sends a certificate signing request to the server for the certificate to be expired, acquires a secure transport layer protocol certificate formed by the server based on the certificate signing request, and connects the server by using the secure transport layer protocol certificate; the server monitors the establishment of a certificate request file, and carries out approval and certificate signing on the established certificate request file to form a secure transport layer protocol certificate; the certificate signing request comprises a unit name of the node agent, and the unit name is used as an agent identifier.
9. The node agent's certificate exchange apparatus as claimed in claim 8, wherein said server comprises a wholesale controller and a signature controller;
the replication controller detects the identification attribute of the created certificate request file, and performs replication when the identification attribute is consistent with the agent identification;
the signature controller monitors the state of the certificate request file, signs the certificate for the approved certificate request file, and attaches the signed certificate to the certificate signature request.
10. A computer storage medium having computer instructions stored thereon, which when run on the system of claim 6 or 7, cause the system to perform the steps of the method of any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110964781.6A CN113765899A (en) | 2021-08-20 | 2021-08-20 | Certificate replacement method, system and device for node agent |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110964781.6A CN113765899A (en) | 2021-08-20 | 2021-08-20 | Certificate replacement method, system and device for node agent |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113765899A true CN113765899A (en) | 2021-12-07 |
Family
ID=78790735
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110964781.6A Pending CN113765899A (en) | 2021-08-20 | 2021-08-20 | Certificate replacement method, system and device for node agent |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113765899A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114513415A (en) * | 2022-02-15 | 2022-05-17 | 平安科技(深圳)有限公司 | Processing method, system, equipment and medium for updating security transport layer protocol certificate |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100138907A1 (en) * | 2008-12-01 | 2010-06-03 | Garret Grajek | Method and system for generating digital certificates and certificate signing requests |
| CN106302391A (en) * | 2016-07-27 | 2017-01-04 | 上海华为技术有限公司 | A kind of enciphered data transmission method and proxy server |
| CN108370374A (en) * | 2015-12-14 | 2018-08-03 | 亚马逊技术有限公司 | Certificate update and deployment |
| CN108880821A (en) * | 2018-06-28 | 2018-11-23 | 中国联合网络通信集团有限公司 | A kind of authentication method and equipment of digital certificate |
| CN109150616A (en) * | 2018-09-03 | 2019-01-04 | 成都嗨翻屋科技有限公司 | A kind of Intelligent gateway and its working method that can increase https entrance automatically |
| CN110071911A (en) * | 2019-03-20 | 2019-07-30 | 北京龙鼎源科技股份有限公司 | The method and device of information transferring method and device, certificate update |
| CN112073401A (en) * | 2020-08-28 | 2020-12-11 | 苏州浪潮智能科技有限公司 | Method, program and medium for automatically updating certificate based on HTTPS protocol web application |
-
2021
- 2021-08-20 CN CN202110964781.6A patent/CN113765899A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100138907A1 (en) * | 2008-12-01 | 2010-06-03 | Garret Grajek | Method and system for generating digital certificates and certificate signing requests |
| CN108370374A (en) * | 2015-12-14 | 2018-08-03 | 亚马逊技术有限公司 | Certificate update and deployment |
| CN106302391A (en) * | 2016-07-27 | 2017-01-04 | 上海华为技术有限公司 | A kind of enciphered data transmission method and proxy server |
| CN108880821A (en) * | 2018-06-28 | 2018-11-23 | 中国联合网络通信集团有限公司 | A kind of authentication method and equipment of digital certificate |
| CN109150616A (en) * | 2018-09-03 | 2019-01-04 | 成都嗨翻屋科技有限公司 | A kind of Intelligent gateway and its working method that can increase https entrance automatically |
| CN110071911A (en) * | 2019-03-20 | 2019-07-30 | 北京龙鼎源科技股份有限公司 | The method and device of information transferring method and device, certificate update |
| CN112073401A (en) * | 2020-08-28 | 2020-12-11 | 苏州浪潮智能科技有限公司 | Method, program and medium for automatically updating certificate based on HTTPS protocol web application |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114513415A (en) * | 2022-02-15 | 2022-05-17 | 平安科技(深圳)有限公司 | Processing method, system, equipment and medium for updating security transport layer protocol certificate |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11456864B2 (en) | Information storage method, device, and computer-readable storage medium | |
| CN110191007B (en) | Node management method, system and computer readable storage medium | |
| CN111262872B (en) | Enterprise block chain service platform | |
| CN110166577B (en) | Distributed application group session processing system and method | |
| US8713365B2 (en) | Re-establishing push notification channels via user identifiers | |
| CN106598633B (en) | Configuration file updating method, client and server | |
| KR20220006623A (en) | Blockchain consensus method, device and system | |
| US20190207979A1 (en) | System and method of pre-establishing ssl session connections for faster ssl connection establishment | |
| WO2019011028A1 (en) | Method for restoring session, device and computer storage medium | |
| TW201709698A (en) | Verifying source addresses associated with a terminal | |
| WO2023206909A1 (en) | Volte voice encrypted communication method, terminal and system | |
| US9357014B2 (en) | Service-based networking | |
| US20190312937A1 (en) | System and method for improving efficiency of ssl/tls connections | |
| CN103812913A (en) | Remote access method and device based on VNC (virtual network computing) | |
| CN108712457A (en) | Back-end server dynamic load method of adjustment and device based on Nginx reverse proxys | |
| US20120233628A1 (en) | Out-of-band host management via a management controller | |
| WO2017071337A1 (en) | Database table data management method, apparatus and system | |
| CN112416396B (en) | Application program updating method and system | |
| CN106775993A (en) | A kind of physical machine is migrated to the method and system of cloud computing platform | |
| CN113765899A (en) | Certificate replacement method, system and device for node agent | |
| CN112468571A (en) | Intranet and extranet data synchronization method and device, electronic equipment and storage medium | |
| CN106559236B (en) | Equipment resource management method and device of service board, main control board and frame type equipment | |
| CN109246212B (en) | Multi-bank data interaction implementation method based on long connection | |
| CN104092737A (en) | Location-based service middleware method based on cloud technology | |
| WO2015117365A1 (en) | Method, device and system for interacting hello packets |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20211207 |