CN114157432A - Digital certificate acquisition method, device, electronic equipment, system and storage medium - Google Patents

Publication number
CN114157432A
Authority
CN
China
Prior art keywords
digital certificate
server
service server
target service
certificate
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111413394.XA
Other languages
Chinese (zh)
Inventor
吴杰
茆正华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Para Software Co ltd
Original Assignee
Shanghai Para Software Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Para Software Co ltd filed Critical Shanghai Para Software Co ltd
Priority to CN202111413394.XA priority Critical patent/CN114157432A/en
Publication of CN114157432A publication Critical patent/CN114157432A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Abstract

The embodiment of the invention discloses a digital certificate acquisition method, a digital certificate acquisition device, electronic equipment, a digital certificate acquisition system and a storage medium, wherein the method is applied to a proxy server, and the proxy server is provided with a preset SDK (software development kit), and the method comprises the following steps: loading a first digital certificate of a target service server and acquiring identification information of the first digital certificate; calling a preset SDK to inquire the state of the first digital certificate based on the identification information of the first digital certificate; when the state of the first digital certificate is invalid, calling a preset SDK to download a second digital certificate of a target service server; and sending the second digital certificate to the terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate. In the embodiment of the invention, the whole digital certificate acquisition process does not need the participation of a user in operation, thereby bringing convenience to the user; because the proxy server is provided with the SDK for confirming and acquiring the digital certificate state, the proxy server can communicate with various terminals, and the application scene is wide.

Description

Digital certificate acquisition method, device, electronic equipment, system and storage medium
Technical Field
The embodiment of the invention relates to a network security technology, in particular to a method, a device, electronic equipment, a system and a storage medium for acquiring a digital certificate.
Background
The Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) is a network protocol that provides encrypted transmission and identity authentication, and can prevent data from being stolen or altered during transmission, thereby ensuring the integrity of data. As network security issues receive more attention, the use of the HTTPS protocol is becoming more prevalent. When the HTTPS protocol is used, the terminal needs to be provided with a digital certificate to secure communication, but the digital certificate may become invalid for various reasons. In the prior art, when the digital certificate is invalid, a user is often required to operate the terminal to manually apply for and download the latest version of the digital certificate, so the user operation is complicated and inconvenient.
Disclosure of Invention
The embodiment of the invention provides a method, a device, electronic equipment, a system and a storage medium for acquiring a digital certificate, which can simplify user operation and bring convenience to users.
In a first aspect, an embodiment of the present invention provides a digital certificate acquisition method, which is applied to a proxy server (e.g., Nginx), in which a preset Software Development Kit (SDK) is installed, and the method includes:
loading a first digital certificate of a target service server, and acquiring identification information of the first digital certificate;
calling a preset SDK to inquire the state of the first digital certificate based on the identification information of the first digital certificate;
when the state of the first digital certificate is invalid, calling the preset SDK to download a second digital certificate of the target service server;
and sending the second digital certificate to a terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate.
In a second aspect, an embodiment of the present invention further provides a digital certificate obtaining apparatus, which is applied to a proxy server, where a preset software development kit SDK is installed in the proxy server, and the apparatus includes:
the acquisition module is used for loading a first digital certificate of a target service server and acquiring identification information of the first digital certificate;
the query module is used for calling a preset SDK to query the state of the first digital certificate based on the identification information of the first digital certificate;
the downloading module is used for calling the preset SDK to download the second digital certificate of the target service server when the state of the first digital certificate is invalid;
and the sending module is used for sending the second digital certificate to a terminal so that the terminal establishes communication connection with the target service server based on the second digital certificate.
In a third aspect, an embodiment of the present invention further provides a digital certificate acquisition system, including a terminal, an Online Certificate Status Protocol (OCSP) server, a Certificate Authority (CA) server, a target service server, and a proxy server configured to execute the digital certificate acquisition method according to any one of the embodiments of the present invention.
In a fourth aspect, the embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the digital certificate acquiring method according to any one of the embodiments of the present invention.
In the embodiment of the invention, the proxy server is provided with the preset SDK, and after the first digital certificate of the target service server is loaded and the identification information of the first digital certificate is acquired, the proxy server can call the preset SDK to inquire the state of the first digital certificate based on the identification information of the first digital certificate; when the state of the first digital certificate is invalid, calling a preset SDK to download a second digital certificate of a target service server; and sending the second digital certificate to the terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate. In other words, in the embodiment of the present invention, the proxy server may automatically query the state of the digital certificate by using the preset SDK, and automatically download the new digital certificate and feed back the new digital certificate to the terminal when the digital certificate is invalid, so that the terminal establishes a communication connection with the target service server based on the new digital certificate.
In addition, because the proxy server is provided with the SDK for confirming and acquiring the digital certificate state, the proxy server can communicate with various terminals, thereby providing automatic certificate acquisition service for the various terminals and having wide application scenes.
Drawings
Fig. 1 is a schematic flowchart of a digital certificate acquisition method according to an embodiment of the present invention.
Fig. 2 is another schematic flow chart of the digital certificate acquisition method according to the embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a digital certificate acquisition apparatus according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a digital certificate acquisition system according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Fig. 1 is a schematic flow chart of a digital certificate acquisition method according to an embodiment of the present invention, which is applicable to a case where a proxy server automatically downloads a latest version of a digital certificate to a terminal when the digital certificate fails, and the method may be executed by a digital certificate acquisition apparatus, and the apparatus may be implemented in a hardware and/or software manner. In a particular embodiment, the apparatus may be integrated in a proxy server, which may be Nginx. The following embodiments will be described by taking the device integrated in the proxy server as an example, and as shown in fig. 1, the method may specifically include the following steps:
Step 101: loading the first digital certificate of the target service server and acquiring the identification information of the first digital certificate.
The service server may be a server that provides various service data for the terminal user, such as a page server or an application server; the service data may be a web page, a picture, a table, and the like, which is not specifically limited herein. The target service server may be the service server that the current terminal requests to access. Specifically, the proxy server may invoke a preset SDK to download the first digital certificate of each service server from the certificate authority CA server, where the service servers include the target service server.
For example, the preset SDK may be preconfigured in the proxy server, and the proxy server may invoke the preset SDK to access the Public Key Infrastructure (PKI) to download the digital certificate of each service server. The basic technologies of the PKI include public key encryption, digital signature, data integrity mechanism, digital envelope (hybrid encryption) and dual digital signature, and the functions that the PKI can realize include authentication, data integrity, data confidentiality, non-repudiation of operations, and the like.
The CA server is the core of the PKI. The functions that the CA server can realize include processing digital certificate applications, issuing digital certificates, updating digital certificates, accepting queries about end-user digital certificates, generating and issuing a digital Certificate Revocation List (CRL), archiving digital certificates, and the like.
Illustratively, the proxy server calls the preset SDK to access the PKI service and send a request for loading a keystore. keytool is a management tool for digital certificates; it stores keys and certificates in a file called a keystore, and the keystore file contains secret keys, or private keys with their paired public keys (using asymmetric encryption), and trusted certificate entries. Downloading the digital certificate of each service server by calling the preset SDK specifically comprises the following steps:
1) The proxy server calls the preset SDK to send a request for downloading the keystore to the PKI service. After the PKI service receives the request, keytool can generate a self-signed CA digital certificate, which can be used for signing the digital certificates of the terminal and the service server, and generates a key pair (the self-signed digital certificate) for the service server and stores it in a folder. keytool then requests the CA server to sign the self-signed digital certificate of the service server, generating a signature request file.
2) The proxy server obtains the digital certificate signed by the CA server for the service server, and exports and stores the obtained digital certificate in a local folder.
3) The proxy server updates the digital certificate of the service server, and after the digital certificate is signed by the CA server, the digital certificate of the CA server is also stored in the local folder to form a complete certificate chain.
Further, the proxy server may obtain the digital certificate of each service server and store the digital certificate. The proxy server finishes the loading of the keystore, downloads and stores the digital certificate of each service server, and then can verify the state of the digital certificate.
The proxy server may query the status of the first digital certificate through the OCSP protocol in the PKI, which is a relatively simple request/response protocol. When the proxy server needs to check the status of one or more digital certificates, it may establish a connection with the OCSP server and generate an OCSP request message that includes the information needed to identify the digital certificate to be queried, such as the serial number of the certificate, the name of the issuer of the certificate, the public key information of the issuer of the certificate, and the encryption algorithm used, and may also include options such as a Nonce value (used to bind a request to its corresponding response), the name of the requestor, a signature for the request, and any other necessary extension information. The proxy server submits the OCSP request to the OCSP server by calling the preset SDK and waits for the OCSP server to return a definite response. The response includes the status information of the queried certificate, which can be "normal", "expired" or "revoked": the "normal" status indicates that the certificate has not been revoked and is valid; the "revoked" status indicates that the certificate has been revoked and is invalid; the "expired" status indicates that the certificate has expired and is invalid.
The proxy server can obtain the address of the OCSP server through the configured SDK, send a certificate status query request to the OCSP server, and obtain the status information of the digital certificate. When the status of the digital certificate is valid, the proxy server stores the digital certificate; when the status is invalid, the proxy server can reload the keystore to download the digital certificate.
Further, the proxy server stores the downloaded digital certificate of the service server, and calls the preset SDK to load the first digital certificate of the target service server from the stored digital certificate of the service server, and specifically, the first digital certificate may include information such as a certificate serial number, a certificate Name, a certificate expiration time, a site organization Name, a site Domain Name System (DNS) host Name, a site public key, a certificate issuer Name, and a certificate signature. The identification information of the first digital certificate may be information such as a certificate serial number of the first digital certificate or a name of the first digital certificate.
Step 102: calling a preset SDK to inquire the state of the first digital certificate based on the identification information of the first digital certificate.
For example, the preset SDK may be preconfigured in the proxy server, and the terminal may query the status of the first digital certificate, based on the identification information of the first digital certificate, by having the proxy server call the preset SDK. For example, the proxy server may query the status of the first digital certificate through the OCSP protocol in the PKI: the proxy server may establish a connection with the OCSP server, generate an OCSP request message and wait for the OCSP server to return a definite response. The response includes the status information of the queried certificate, which may be "normal", "expired" or "revoked": the "normal" status indicates that the certificate has not been revoked and is valid; the "revoked" status indicates that the certificate has been revoked and is invalid; the "expired" status indicates that the certificate has expired and is invalid. The proxy server can obtain the address of the OCSP server through the configured SDK, send a certificate status query request to the OCSP server, and obtain the status information of the first digital certificate. When the status of the first digital certificate is valid, the proxy server sends the first digital certificate to the terminal, so that the terminal establishes a communication connection with the service server based on the first digital certificate.
Step 103: when the state of the first digital certificate is invalid, calling a preset SDK to download a second digital certificate of the target service server.
After determining the status of the first digital certificate, if the status of the first digital certificate is invalid, the proxy server may invoke the preset SDK to access the CA server to obtain a second digital certificate, where the version of the second digital certificate may be higher than the version of the first digital certificate. The proxy server can call the preset SDK to send an application request for the second digital certificate to the CA server. After the CA server receives the application for the second digital certificate and authenticates the identity information of the user, the CA server may take information such as the public key, identity information, and digital certificate validity period of the terminal as the original message, and use the CA server's private key to encrypt and sign the original message to form a digital signature; the digital signature, together with other information such as the public key, identity information, and validity period of the owner (terminal) of the second digital certificate, constitutes the second digital certificate. The proxy server may download the second digital certificate from the CA server.
Step 104: sending the second digital certificate to the terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate.
After the proxy server obtains the second digital certificate, further, the proxy server may call a preset SDK to send a request for querying a state of the second digital certificate to the OCSP server based on the identification information of the second digital certificate, query the state of the second digital certificate, and when the state of the second digital certificate is valid, the proxy server sends the second digital certificate to the terminal, so that the terminal establishes a communication connection with the service server based on the second digital certificate.
According to the technical scheme of the embodiment, the first digital certificate of the target service server is loaded, and the identification information of the first digital certificate is acquired; calling a preset SDK to inquire the state of the first digital certificate based on the identification information of the first digital certificate; when the state of the first digital certificate is invalid, calling a preset SDK to download a second digital certificate of a target service server; and sending the second digital certificate to the terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate. In other words, in the embodiment of the present invention, the proxy server may automatically query the state of the digital certificate by using the preset SDK, and automatically download the new digital certificate and feed back the new digital certificate to the terminal when the digital certificate is invalid, so that the terminal establishes a communication connection with the target service server based on the new digital certificate.
The method for acquiring a digital certificate according to the embodiment of the present invention is further described below, and a specific method may be shown in fig. 2, where the method may include the following steps:
Step 201, calling a preset SDK to download the first digital certificate of each service server from a Certificate Authority (CA) server and storing the first digital certificate.
The preset SDK can be configured in the proxy server in advance, the proxy server can call the preset SDK to access the PKI to download the digital certificate of each service server, and after the downloading is completed, the domain name of each service server and the digital certificate can be correspondingly stored.
For example, the proxy server may call a preset SDK to access the PKI service to load the keystore, and a specific process of downloading the digital certificate of each service server from the CA server by calling the preset SDK is described in step 101, which is not described herein again.
Step 202, receiving an access request sent by a terminal, where the access request includes a domain name of a target service server.
For example, the terminal may send an access request to the proxy server, where the access request includes a domain name of the target service server. The proxy server receives the access request sent by the terminal and parses it to obtain the domain name of the target service server.
Step 203, loading the first digital certificate of the target service server from the stored first digital certificates of the service servers based on the domain name.
For example, the proxy server may query the storage based on the resolved domain name, thereby obtaining the first digital certificate of the target service server.
Step 204, acquiring the identification information of the first digital certificate.
Specifically, the first digital certificate may include information such as a certificate serial number, a certificate name, a certificate expiration time, a site organization name, a DNS host name, a site public key, a certificate issuer name, and a certificate signature. The identification information of the first digital certificate may be information such as a serial number of the first digital certificate or a name of the first digital certificate.
Step 205, invoking the preset SDK to send an OCSP request to an OCSP server based on the identification information of the first digital certificate.
For example, the preset SDK may be preconfigured in the proxy server, and the proxy server may invoke the preset SDK to query the status of the first digital certificate based on the identification information of the first digital certificate. For example, the proxy server may send a first digital certificate status query to the OCSP server and wait until the OCSP server returns a response, and the OCSP request may include the following data: protocol version, service request, first digital certificate identification information, and optional extension.
Illustratively, an OCSP request includes request information and a signature for the request information, where the signature for the request information is optional. If the OCSP server is configured to receive signed requests and the request actually received is not signed, the OCSP server returns an error message "needs to be signed". The request information includes version number, requester name (optional), request list and optional extension, and one OCSP request can query the status of multiple certificates.
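The request layout described above (request list, optional Nonce extension, optional signature omitted) can be made concrete with a small DER encoder. This is an added example, not code from the patent or its SDK; it follows the OCSPRequest structure of RFC 6960, uses SHA-1 only as the CertID identifier hash, and every input value (issuer name bytes, issuer key bytes, serial numbers, nonce) is a constructed placeholder.

```python
"""Build an unsigned DER OCSPRequest (RFC 6960) for one or more certificates."""
import hashlib
import os

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26 with NULL parameters).
SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")
# OID 1.3.6.1.5.5.7.48.1.2 (id-pkix-ocsp-nonce), including tag and length.
NONCE_OID = bytes.fromhex("06092b0601050507300102")


def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, content):
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Encode a non-negative INTEGER; a 0x00 pad keeps the sign bit clear."""
    if value < 0:
        raise ValueError("certificate serial numbers are non-negative")
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_cert_id(issuer_name_der, issuer_key_bytes, serial):
    """CertID: hash algorithm, issuer name hash, issuer key hash, serial."""
    name_hash = hashlib.sha1(issuer_name_der).digest()
    key_hash = hashlib.sha1(issuer_key_bytes).digest()
    return tlv(0x30, SHA1_ALG_ID + tlv(0x04, name_hash)
               + tlv(0x04, key_hash) + der_int(serial))


def build_ocsp_request(cert_ids, nonce=None):
    """Return an unsigned OCSPRequest querying every CertID in cert_ids."""
    if not cert_ids:
        raise ValueError("request list must contain at least one certificate")
    # requestList: SEQUENCE OF Request, each Request wrapping one CertID.
    request_list = tlv(0x30, b"".join(tlv(0x30, cid) for cid in cert_ids))
    extensions = b""
    if nonce is not None:
        # extnValue is an OCTET STRING that itself holds the DER nonce.
        ext = tlv(0x30, NONCE_OID + tlv(0x04, tlv(0x04, nonce)))
        extensions = tlv(0xA2, tlv(0x30, ext))  # [2] EXPLICIT Extensions
    # Version (default v1), requestorName and the signature are omitted.
    tbs_request = tlv(0x30, request_list + extensions)
    return tlv(0x30, tbs_request)


# Constructed placeholder inputs; a real caller takes the issuer name and
# public key from the issuing CA certificate of the certificate being queried.
ISSUER_NAME = b"constructed-issuer-name"
ISSUER_KEY = b"constructed-issuer-key"

if __name__ == "__main__":
    ids = [build_cert_id(ISSUER_NAME, ISSUER_KEY, s) for s in (0x01, 0x80)]
    nonce = os.urandom(16)  # the response must echo this value
    print(build_ocsp_request(ids, nonce).hex())
```
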
Step 206, receiving the OCSP response fed back by the OCSP server.
After the proxy server sends a digital certificate status query request to the OCSP server, the OCSP server returns a response to the received request. When the OCSP server returns error information, the response is not signed. Error information includes: the request encoding format is incorrect, internal error, retry later, the request needs a signature, and unauthorized. When the OCSP server returns a positive reply, the response must be digitally signed. A definite reply message includes information such as the OCSP server version number, the OCSP server name, a reply for each requested digital certificate, optional extensions, the signature algorithm object identifier, and a signature value.
For example, an OCSP response typically includes a response status and response bytes; the response bytes are not set if the response status is an error condition. The response status has six values. One is "success", meaning that the OCSP server returns a positive reply to the received request. The other five are error messages: incorrect request encoding format, internal error, retry later, request requires a signature, and unauthorized. If a request that does not conform to the syntax specification of the OCSP server is received, the server returns "request encoding format is incorrect"; when the response status is "internal error", the OCSP server is in an inconsistent internal state and the request needs to be tried again; if the OCSP server is working but cannot return the status of the requested digital certificate, the response status is "retry later"; when the OCSP server requires the request to be signed before it can generate a response, the response status is "request needs to be signed"; and when the requester is not authorized to send the request to the OCSP server, the response status is "unauthorized". The value of the response bytes consists of a response type identifier and the response information encoded as a string; the value of the response information is the encoding of the basic OCSP response; the signature value is the result of signing the response data, which includes the version number, the OCSP server identification, the response generation time, the response list, and optional extensions. If an OCSP request contains queries for multiple digital certificates, the response list lists the status responses for all digital certificates in the request.
Each digital certificate status response comprises the digital certificate identification information, the digital certificate status, the current update time, the next update time (optional) and extension items; the digital certificate status may be one of three conditions: normal, expired or revoked.
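The response-status handling described above, as an added example that is not part of the patent or its SDK: a minimal DER reader classifies the outer OCSPResponse of RFC 6960, rejects an error status that carries response bytes, and hands back the basic response for signature verification (which this sketch does not perform). The action names and the sample byte strings are constructed for illustration.

```python
"""Classify the outer OCSPResponse (RFC 6960) by its response status."""

# responseStatus values defined by RFC 6960; value 4 is not used.
STATUS_NAMES = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}
RETRYABLE = {"internalError", "tryLater"}
# Content bytes of OID 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic).
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def classify_ocsp_response(der):
    """Return (status_name, action, basic_response_der_or_None)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag, value, pos = read_tlv(body, 0)
    if tag != 0x0A or len(value) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    name = STATUS_NAMES.get(value[0])
    if name is None:
        raise ValueError("unknown responseStatus %d" % value[0])
    has_bytes = pos < len(body)
    if name != "successful":
        # Error replies are unsigned and must not carry response bytes.
        if has_bytes:
            raise ValueError("error response must not carry responseBytes")
        return name, ("retry" if name in RETRYABLE else "fail"), None
    if not has_bytes:
        raise ValueError("successful response without responseBytes")
    tag, wrapped, pos = read_tlv(body, pos)
    if tag != 0xA0 or pos != len(body):
        raise ValueError("expected [0] EXPLICIT responseBytes")
    tag, rbytes, rend = read_tlv(wrapped, 0)
    if tag != 0x30 or rend != len(wrapped):
        raise ValueError("responseBytes must be a SEQUENCE")
    tag, oid, pos = read_tlv(rbytes, 0)
    if tag != 0x06 or oid != OID_OCSP_BASIC:
        raise ValueError("unsupported response type")
    tag, basic, pos = read_tlv(rbytes, pos)
    if tag != 0x04 or pos != len(rbytes):
        raise ValueError("response must be an OCTET STRING")
    # The caller must verify the signature before trusting any cert status.
    return name, "verify_signature_then_read_cert_status", basic


# Constructed samples: two error replies and a successful reply whose basic
# response is a placeholder empty SEQUENCE (30 00), not a real signed body.
SAMPLE_UNAUTHORIZED = bytes.fromhex("30030a0106")
SAMPLE_TRY_LATER = bytes.fromhex("30030a0103")
SAMPLE_SUCCESS = bytes.fromhex("30160a0100a011300f06092b06010505073001010402" "3000")

if __name__ == "__main__":
    for sample in (SAMPLE_UNAUTHORIZED, SAMPLE_TRY_LATER, SAMPLE_SUCCESS):
        print(classify_ocsp_response(sample))
```
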
Step 207, determining the status of the first digital certificate based on the OCSP response.
As described in the above steps, the OCSP server's reply for each requested digital certificate includes a digital certificate status value, which may be "normal", "expired", or "revoked (invalidated)". The "normal" status indicates that the first digital certificate has not been revoked and is valid; when the OCSP server returns a status of "normal" for the first digital certificate, the proxy server sends the first digital certificate to the terminal, so that the terminal establishes a communication connection with the service server based on the first digital certificate. When the status of the first digital certificate returned by the OCSP server is "revoked", the first digital certificate has been revoked, and the communication connection with the service server cannot be established normally. When the OCSP server returns a status of "expired" for the first digital certificate, the certificate has expired and is invalid.
Step 208, determining whether the status of the first digital certificate is valid.
Following the above steps, after the status of the first digital certificate is obtained from the OCSP response, it is further determined whether the status is valid or invalid: step 215 is executed when the status of the first digital certificate is valid, and step 209 is executed when it is invalid.
Step 209, acquiring the domain name of the target service server.
For example, the proxy server may analyze an access request sent by the terminal, so as to obtain a domain name of the target service server, or may obtain a domain name of the target service server that is preset or stored.
Step 210, invoking a preset SDK to download the second digital certificate of the target service server from the CA server based on the domain name.
After the domain name information of the service server is obtained, the preset SDK is called to download a second digital certificate of the service server from a Certificate Authority (CA) server based on the domain name information of the current service server. For example, the downloading, by the proxy server, the second digital certificate from the CA server specifically includes:
The proxy server sends a digital certificate application message for the service server to the CA server. During the application process, a connection to the CA server is established in Secure Sockets Layer (SSL) secure mode and personal information is filled in; the browser generates a private and public key pair, stores the private key in a specific file on the proxy server, requires a password to protect the private key, and submits the public key and the personal information to the security server. The security server transmits the user's application information to a Registration Authority (RA) server. The proxy server sends the user's identity information to the RA server. The operator of the RA server uses a browser to establish SSL secure communication with the RA server, and the RA server must strictly authenticate the operator, using information such as the operator's digital certificate and IP (Internet Protocol) address. The RA server operator reviews the user information and may make appropriate modifications; if the operator approves the user's certificate request, the certificate request information must be digitally signed. All communication between the RA server operator and the RA server is encrypted and signed, which provides security and non-repudiation and ensures that the communication process is secure and valid. After the audit passes, the RA server transmits the user information and the identification information of the digital certificate to the CA server; after receiving this information, the CA server sends it to a Key Management Center (KMC) to obtain a key pair, where the key pair is generated by an encryption machine.
The CA server builds a new digital certificate from the user information and the public key obtained from the KMC and signs the new digital certificate; the proxy server can then obtain the digital certificate from the CA server.
Further, after the preset SDK is called to download the second digital certificate from the CA server, the second digital certificate may be sent to the terminal, and the terminal may install the second digital certificate and delete the first digital certificate.
Step 211, acquiring the identification information of the second digital certificate.
The identification information of the second digital certificate may be information such as a certificate serial number of the second digital certificate or a name of the second digital certificate.
Step 212, invoking a preset SDK to query the status of the second digital certificate based on the identification information of the second digital certificate.
Specifically, the proxy server may invoke the preset SDK to send a certificate status query request to the OCSP server based on the identification information of the second digital certificate, and wait until the server returns a response. After the proxy server sends the certificate status query request, the OCSP server returns a response to the received request. The response comprises a definitive reply message, which includes the server version number, the server name, the reply for the second digital certificate, optional extensions, the signature algorithm object identifier, the signature value and the like. The reply for the second digital certificate comprises the status information of the second digital certificate, which may be "normal", "expired" or "revoked": the "normal" status indicates that the certificate has not been revoked and is in a valid state; the "revoked" status indicates that the certificate has been revoked; "expired" means that the certificate has expired and is invalid.
Step 213, determining whether the status of the second digital certificate is valid.
The OCSP server includes a digital certificate status value in its reply for each requested digital certificate. The status value may be "normal", "expired", or "revoked". The "normal" status indicates that the second digital certificate has not been revoked at this time and is valid; when the OCSP server returns the status "normal" for the second digital certificate, step 214 is performed. When the status of the second digital certificate is invalid, the communication ends.
Step 214, sending the second digital certificate to the terminal, so that the terminal establishes a communication connection with the target service server based on the second digital certificate.
When the status of the second digital certificate is valid, the proxy server sends the second digital certificate to the terminal, and the terminal establishes a communication connection with the service server based on the second digital certificate.
Step 215, sending the first digital certificate to the terminal, so that the terminal establishes a communication connection with the target service server based on the first digital certificate.
When the status of the first digital certificate is valid, the proxy server sends the first digital certificate to the terminal, and the terminal establishes a communication connection with the service server based on the first digital certificate.
According to the technical solution of this embodiment, the preset SDK is called to download the first digital certificate of each service server from the Certificate Authority (CA) server and store it; an access request sent by a terminal is received, the access request including the domain name of the target service server; the first digital certificate of the target service server is loaded from the stored first digital certificates of the service servers based on the domain name, and the identification information of the first digital certificate is acquired; the preset SDK is called to send an OCSP request to the OCSP server based on the identification information of the first digital certificate; the OCSP response fed back by the OCSP server is received; the status of the first digital certificate is determined based on the OCSP response, and it is determined whether that status is valid. When the status of the first digital certificate is valid, the first digital certificate is sent to the terminal so that the terminal establishes a communication connection with the target service server based on the first digital certificate. When it is invalid, the domain name of the target service server is acquired; the preset SDK is called to download a second digital certificate of the target service server from the CA server based on the domain name; the identification information of the second digital certificate is acquired; the preset SDK is called to query the status of the second digital certificate based on that identification information; it is determined whether the status of the second digital certificate is valid; and, when it is valid, the second digital certificate is sent to the terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate.
In other words, in the embodiment of the present invention, the proxy server may automatically query the state of the digital certificate by using the preset SDK, and automatically download the new digital certificate and feed back the new digital certificate to the terminal when the digital certificate is invalid, so that the terminal establishes a communication connection with the target service server based on the new digital certificate.
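The selection logic of steps 204 to 215 can be written as one fail-closed routine; the following is an added example, not code from the patent or from any real SDK. The in-memory responder and CA tables, all names, the constructed serial numbers and domains, and the 7-day freshness bound are assumptions. It goes slightly beyond the text by also checking that a response refers to the queried certificate and lies within its update window, using the response fields listed in the description.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# The three status values named in the description.
NORMAL, EXPIRED, REVOKED = "normal", "expired", "revoked"
MAX_AGE = timedelta(days=7)  # assumption: freshness bound when next_update is absent


@dataclass(frozen=True)
class Certificate:
    domain: str
    serial: int  # identification information used for the status query


@dataclass(frozen=True)
class StatusResponse:
    """One certificate's status reply: identifier, status, update times."""
    serial: int
    status: str
    this_update: datetime
    next_update: Optional[datetime] = None  # optional, as in the description


def is_valid(cert: Certificate, resp: Optional[StatusResponse], now: datetime) -> bool:
    """Valid only if a fresh 'normal' reply about this exact certificate exists."""
    if resp is None or resp.serial != cert.serial:
        return False  # no reply, or a reply about a different certificate
    if resp.this_update > now:
        return False  # reply claims to come from the future
    deadline = resp.next_update or resp.this_update + MAX_AGE
    if now > deadline:
        return False  # stale reply: the status may have changed since
    return resp.status == NORMAL


def select_certificate(
    domain: str,
    store: Dict[str, Certificate],
    query_status: Callable[[int], Optional[StatusResponse]],
    download: Callable[[str], Optional[Certificate]],
    now: datetime,
) -> Optional[Certificate]:
    """Return the certificate to send to the terminal, or None to end communication."""
    first = store.get(domain)  # step 204: load by domain name
    if first is not None and is_valid(first, query_status(first.serial), now):
        return first  # step 215
    second = download(domain)  # steps 209-210
    if second is None or second.domain != domain:
        return None
    if not is_valid(second, query_status(second.serial), now):  # steps 211-213
        return None  # second certificate invalid: communication ends
    store[domain] = second  # assumption: the cached copy is replaced
    return second  # step 214


def demo() -> Dict[str, Optional[int]]:
    """Run the flow over constructed data; returns the serial chosen per domain."""
    now = datetime(2022, 3, 8, tzinfo=timezone.utc)
    fresh = dict(this_update=now - timedelta(hours=1), next_update=now + timedelta(days=1))
    responder = {  # constructed stand-in for the OCSP server
        101: StatusResponse(101, NORMAL, **fresh),
        201: StatusResponse(201, REVOKED, **fresh),
        202: StatusResponse(202, NORMAL, **fresh),
        301: StatusResponse(301, REVOKED, **fresh),
        302: StatusResponse(302, REVOKED, **fresh),
        401: StatusResponse(401, NORMAL, now - timedelta(days=30), now - timedelta(days=23)),
        402: StatusResponse(402, NORMAL, **fresh),
        501: StatusResponse(501, EXPIRED, **fresh),
    }
    store = {  # constructed stand-in for the stored first certificates
        "a.example": Certificate("a.example", 101),
        "b.example": Certificate("b.example", 201),
        "c.example": Certificate("c.example", 301),
        "d.example": Certificate("d.example", 401),
        "e.example": Certificate("e.example", 501),
    }
    ca = {  # constructed stand-in for the CA server; nothing on file for e.example
        "b.example": Certificate("b.example", 202),
        "c.example": Certificate("c.example", 302),
        "d.example": Certificate("d.example", 402),
    }
    results = {}
    for domain in sorted(store):
        chosen = select_certificate(domain, store, responder.get, ca.get, now)
        results[domain] = chosen.serial if chosen else None
    return results


if __name__ == "__main__":
    for name, serial in demo().items():
        print(name, "->", serial if serial is not None else "communication ends")
```

The `d.example` case shows why the update times matter: a "normal" reply whose next update time has passed is treated as invalid, so the proxy falls through to the second certificate instead of trusting old status data.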
Fig. 3 is a structural diagram of a digital certificate acquisition apparatus according to an embodiment of the present invention, which is adapted to execute the digital certificate acquisition method according to the embodiment of the present invention. As shown in fig. 3, the apparatus may specifically include:
an obtaining module 301, configured to load a first digital certificate of a target service server, and obtain identification information of the first digital certificate;
the query module 302 is configured to invoke a preset SDK to query a state of the first digital certificate based on the identification information of the first digital certificate;
the downloading module 303 is configured to, when the state of the first digital certificate is invalid, invoke a preset SDK to download the second digital certificate of the target service server;
a sending module 304, configured to send the second digital certificate to the terminal, so that the terminal establishes a communication connection with the target service server based on the second digital certificate.
Optionally, the downloading module 303 is further configured to:
calling a preset SDK (software development kit) to download a first digital certificate of each service server from a Certificate Authority (CA) server and storing the first digital certificate;
the obtaining module 301 loads the first digital certificate of the target service server, and specifically includes:
and loading the first digital certificate of the target service server from the stored first digital certificates of the service servers.
Optionally, the loading, by the obtaining module 301, the first digital certificate of the target service server specifically includes:
receiving an access request sent by a terminal, wherein the access request comprises a domain name of the target service server;
and loading the first digital certificate of the target service server from the stored first digital certificates of the service servers based on the domain name.
Optionally, the query module 302 is specifically configured to:
calling the preset SDK to send an OCSP request to an OCSP server based on the identification information of the first digital certificate;
receiving an OCSP response fed back by the OCSP server;
determining a status of the first digital certificate based on the OCSP response.
Optionally, the downloading module 303 is specifically configured to:
and calling the preset SDK to download the second digital certificate of the target service server.
Optionally, the downloading module 303 is specifically configured to:
acquiring a domain name of the target service server;
and calling the preset SDK to download the second digital certificate of the target service server from the CA server based on the domain name.
Optionally, the obtaining module 301 is further configured to obtain identification information of the second digital certificate;
the query module 302 is further configured to invoke the preset SDK to query the state of the second digital certificate based on the identification information of the second digital certificate;
the sending module 304 is specifically configured to send the second digital certificate to a terminal when the status of the second digital certificate is valid, so that the terminal establishes a communication connection with the target service server based on the second digital certificate.
The digital certificate acquisition device provided by the embodiment of the invention can execute the digital certificate acquisition method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to the executed method. For details not specifically described in this embodiment, refer to the description of any method embodiment of the invention.
The embodiment of the present invention further provides a digital certificate acquisition system, as shown in fig. 4, including a terminal 401, a proxy server 402, an OCSP server 403, a CA server 404, and a service server 405.
The terminal 401 is configured to: send an access request to the proxy server 402, where the access request includes a domain name of the target service server; receive the first digital certificate or the second digital certificate sent by the proxy server 402; and, when receiving the first digital certificate, establish a communication connection with the target service server 405 based on the first digital certificate, or, when receiving the second digital certificate, establish a communication connection with the target service server 405 based on the second digital certificate.
The proxy server 402 is used to: sending a certificate download request to a CA server and storing digital certificates of each service server, receiving an access request sent by a terminal 401, loading a first digital certificate of a target service server, acquiring identification information of the first digital certificate, sending an OCSP request to an OCSP server 403 based on the identification information of the first digital certificate, receiving an OCSP response fed back by the OCSP server 403, and determining the state of the first digital certificate based on the OCSP response; when the state of the first digital certificate is valid, sending the first digital certificate to the terminal, so that the terminal can establish a communication connection with the target service server 405 based on the first digital certificate; when the state of the first digital certificate is invalid, a certificate download request may be sent to the CA server 404 to download the second digital certificate of the service server 405 from the CA server 404; after the second digital certificate is downloaded, the identification information of the second digital certificate may be acquired, an OCSP request is sent to the OCSP server 403 based on the identification information of the second digital certificate, an OCSP response fed back by the OCSP server 403 is received, and the status of the second digital certificate is determined based on the OCSP response; and when the state of the second digital certificate is valid, sending the second digital certificate to the terminal so that the terminal establishes a communication connection with the target service server 405 based on the second digital certificate.
The OCSP server 403 is used to: receives an OCSP request sent by proxy server 402 and makes an OCSP response.
The CA server 404 is configured to: a certificate download request of the proxy server 402 is received, and the first digital certificate of each service server and the second digital certificate of the target service server are sent to the proxy server.
The target service server 405 is configured to: a communication connection is established with the terminal 401 based on a valid digital certificate, such as the first digital certificate or the second digital certificate.
For details of other implementations of the method for acquiring a digital certificate, reference may be made to the description of the foregoing embodiment, which is not described herein again.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Referring to FIG. 5, a block diagram of a computer system 500 suitable for use with a terminal implementing an embodiment of the invention is shown. The terminal shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU) 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the system 500 are also stored. The CPU 501, ROM 502, and RAM 503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output section 507 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as necessary, so that a computer program read out therefrom is installed into the storage section 508 as necessary.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 501.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units described in the embodiments of the present invention may be implemented by software, and may also be implemented by hardware. The described modules and/or units may also be provided in a processor, and may be described as: a processor includes an acquisition module, a query module, a download module, and a sending module. Wherein the names of the modules do not in some cases constitute a limitation of the module itself.
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist separately without being incorporated into the device. The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform: loading a first digital certificate of a target service server, and acquiring identification information of the first digital certificate; calling a preset SDK to query the state of the first digital certificate based on the identification information of the first digital certificate; when the state of the first digital certificate is invalid, calling the preset SDK to download a second digital certificate of the target service server; and sending the second digital certificate to a terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate.
According to the technical scheme of the embodiment of the invention, the proxy server is provided with the SDK, and after the first digital certificate of the target service server is loaded and the identification information of the first digital certificate is acquired, the proxy server can call the preset SDK to inquire the state of the first digital certificate based on the identification information of the first digital certificate; when the state of the first digital certificate is invalid, calling a preset SDK to download a second digital certificate of a target service server; and sending the second digital certificate to the terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate. In other words, in the embodiment of the present invention, the proxy server may automatically query the state of the digital certificate by using the preset SDK, and automatically download the new digital certificate and feed back the new digital certificate to the terminal when the digital certificate is invalid, so that the terminal establishes a communication connection with the target service server based on the new digital certificate.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A digital certificate acquisition method is applied to a proxy server, wherein a preset Software Development Kit (SDK) is installed in the proxy server, and the method comprises the following steps:
loading a first digital certificate of a target service server, and acquiring identification information of the first digital certificate;
calling a preset SDK to inquire the state of the first digital certificate based on the identification information of the first digital certificate;
when the state of the first digital certificate is invalid, calling the preset SDK to download a second digital certificate of the target service server;
and sending the second digital certificate to a terminal so that the terminal establishes a communication connection with the target service server based on the second digital certificate.
2. The method according to claim 1, further comprising, before loading the first digital certificate of the target service server:
calling the preset SDK to download the first digital certificate of each service server from a Certificate Authority (CA) server and storing the first digital certificate;
the loading of the first digital certificate of the target service server includes:
and loading the first digital certificate of the target service server from the stored first digital certificates of the service servers.
3. The method according to claim 2, wherein the loading the first digital certificate of the target service server from the stored first digital certificates of the service servers comprises:
receiving an access request sent by a terminal, wherein the access request comprises a domain name of the target service server;
and loading the first digital certificate of the target service server from the stored first digital certificates of the service servers based on the domain name.
4. The method according to claim 1, wherein the invoking the preset SDK to query the status of the first digital certificate based on the identification information of the first digital certificate comprises:
calling the preset SDK to send an OCSP request to an OCSP server based on the identification information of the first digital certificate;
receiving an OCSP response fed back by the OCSP server;
determining a status of the first digital certificate based on the OCSP response.
5. The method according to claim 1, wherein the invoking the preset SDK to download the second digital certificate of the target service server comprises:
acquiring a domain name of the target service server;
and calling the preset SDK to download the second digital certificate of the target service server from the CA server based on the domain name.
6. The method according to claim 1, further comprising, after invoking the preset SDK to download the second digital certificate of the target service server:
acquiring identification information of the second digital certificate;
calling the preset SDK to inquire the state of the second digital certificate based on the identification information of the second digital certificate;
and when the state of the second digital certificate is valid, triggering and executing the step of sending the second digital certificate to a terminal so that the terminal establishes communication connection with the target service server based on the second digital certificate.
7. A digital certificate acquisition device is applied to a proxy server, wherein a preset Software Development Kit (SDK) is installed in the proxy server, and the device comprises:
the acquisition module is used for loading a first digital certificate of a target service server and acquiring identification information of the first digital certificate;
the query module is used for calling a preset SDK to query the state of the first digital certificate based on the identification information of the first digital certificate;
the downloading module is used for calling the preset SDK to download the second digital certificate of the target service server when the state of the first digital certificate is invalid;
and the sending module is used for sending the second digital certificate to a terminal so that the terminal establishes communication connection with the target service server based on the second digital certificate.
8. A digital certificate acquisition system comprising a terminal, an Online Certificate Status Protocol (OCSP) server, a Certificate Authority (CA) server, a target service server, and a proxy server for executing the digital certificate acquisition method according to any one of claims 1 to 6.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the digital certificate acquisition method as recited in any one of claims 1 to 6 when executing the program.
10. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the digital certificate acquisition method as recited in any one of claims 1 to 6.
CN202111413394.XA 2021-11-25 2021-11-25 Digital certificate acquisition method, device, electronic equipment, system and storage medium Pending CN114157432A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111413394.XA CN114157432A (en) 2021-11-25 2021-11-25 Digital certificate acquisition method, device, electronic equipment, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111413394.XA CN114157432A (en) 2021-11-25 2021-11-25 Digital certificate acquisition method, device, electronic equipment, system and storage medium

Publications (1)

Publication Number Publication Date
CN114157432A true CN114157432A (en) 2022-03-08

Family

ID=80457530

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111413394.XA Pending CN114157432A (en) 2021-11-25 2021-11-25 Digital certificate acquisition method, device, electronic equipment, system and storage medium

Country Status (1)

Country Link
CN (1) CN114157432A (en)

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6826685B1 (en) * 1998-06-10 2004-11-30 International Business Machines Corporation Method and system for the digital certificate generation and distribution
CN1304109A (en) * 2000-01-07 2001-07-18 国际商业机器公司 System and method for effectively collecting aranging and access to withdrew table of certificate
US20020059144A1 (en) * 2000-04-28 2002-05-16 Meffert Gregory J. Secured content delivery system and method
CN101651540A (en) * 2008-08-12 2010-02-17 中国移动通信集团公司 Method, device and system for updating digital certificate
CN102916872A (en) * 2011-08-02 2013-02-06 李帜 Communication proxy gateway
CN102609841A (en) * 2012-01-13 2012-07-25 东北大学 Remote mobile payment system based on digital certificate and payment method
CN105553671A (en) * 2015-12-23 2016-05-04 北京奇虎科技有限公司 Digital certificate managing method, device and system
CN107426157A (en) * 2017-04-21 2017-12-01 杭州趣链科技有限公司 A kind of alliance's chain authority control method based on digital certificate and ca authentication system
CN109412812A (en) * 2018-08-29 2019-03-01 中国建设银行股份有限公司 Data safe processing system, method, apparatus and storage medium
CN109617698A (en) * 2019-01-09 2019-04-12 腾讯科技(深圳)有限公司 Provide the method for digital certificate, digital certificate issues center and medium
CN112865956A (en) * 2019-11-26 2021-05-28 华为技术有限公司 Certificate updating method and device, terminal equipment and server
CN111541665A (en) * 2020-04-16 2020-08-14 苏州浪潮智能科技有限公司 Data access method, device, storage medium and cluster type security management platform
CN111526161A (en) * 2020-05-27 2020-08-11 联想(北京)有限公司 Communication method, communication equipment and proxy system
CN111917554A (en) * 2020-07-13 2020-11-10 北京天空卫士网络安全技术有限公司 Method and device for verifying digital certificate
CN112714121A (en) * 2020-12-23 2021-04-27 航天信息股份有限公司 Method and system for processing industrial internet digital certificate
CN112994897A (en) * 2021-03-22 2021-06-18 杭州迪普科技股份有限公司 Certificate query method, device, equipment and computer readable storage medium
CN113014676A (en) * 2021-04-21 2021-06-22 联通雄安产业互联网有限公司 System and method for storing Internet of things data into block chain based on SIM card
CN113364795A (en) * 2021-06-18 2021-09-07 北京天空卫士网络安全技术有限公司 Data transmission method and proxy server
CN113569285A (en) * 2021-07-26 2021-10-29 长春吉大正元信息安全技术有限公司 Identity authentication and authorization method, device, system, equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周泽敏, 苏锐丹, 许正磊, 周利华: "Design and Implementation of a Certificate Validation Service Model Based on Web Services", 微机发展 (Microcomputer Development), no. 07 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114666112A (en) * 2022-03-14 2022-06-24 亿咖通(湖北)技术有限公司 Communication authentication method, device, electronic equipment and storage medium
CN114666112B (en) * 2022-03-14 2023-08-15 亿咖通(湖北)技术有限公司 Communication authentication method, device, electronic equipment and storage medium
CN114598549A (en) * 2022-03-25 2022-06-07 杭州迪普科技股份有限公司 Client SSL certificate verification method and device
CN114598549B (en) * 2022-03-25 2023-07-07 杭州迪普科技股份有限公司 Customer SSL certificate verification method and device
CN115314274A (en) * 2022-08-01 2022-11-08 北京天空卫士网络安全技术有限公司 Method and device for accessing server
CN115987527A (en) * 2022-12-28 2023-04-18 北京深盾科技股份有限公司 Certificate management method, account management system of network equipment and electronic equipment
CN115987527B (en) * 2022-12-28 2024-04-12 北京深盾科技股份有限公司 Certificate management method, account management system of network equipment and electronic equipment

Similar Documents

Publication Publication Date Title
JP5099139B2 (en) How to get and check public key certificate status
US8078866B2 (en) Trust information delivery scheme for certificate validation
CN114157432A (en) Digital certificate acquisition method, device, electronic equipment, system and storage medium
US8788811B2 (en) Server-side key generation for non-token clients
CN101027676B (en) A personal token and a method for controlled authentication
US20020035685A1 (en) Client-server system with security function intermediary
US20050114670A1 (en) Server-side digital signature system
US20100138907A1 (en) Method and system for generating digital certificates and certificate signing requests
US20110296171A1 (en) Key recovery mechanism
US20130339740A1 (en) Multi-factor certificate authority
KR20160025531A (en) Method to enroll a certificate to a device using scep and respective management application
WO2010144898A1 (en) Certificate status information protocol (csip) proxy and responder
WO2008082778A2 (en) Method and apparatus for distributing root certificates
CN113472790A (en) Information transmission method based on HTTPS (hypertext transfer protocol secure protocol), client and server
US20020194471A1 (en) Method and system for automatic LDAP removal of revoked X.509 digital certificates
JP2002101093A (en) Method for certifying expiration date of public key and secret key for certifying authority and system for the same
CN115345617A (en) Method and device for generating non-homogeneous general evidence
CN114143010A (en) Digital certificate acquisition method, device, terminal, system and storage medium
CN114598455A (en) Method, device, terminal entity and system for signing and issuing digital certificate
CN111787044A (en) Internet of things terminal platform
CN107172172B (en) Communication method and system in IaaS system
CN115134154A (en) Authentication method and device, and method and system for remotely controlling vehicle
Cisco Configuring Certification Authority Interoperability
CN110740039B (en) Digital certificate management system, method and service terminal
WO2015184507A1 (en) Identity verification

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination