JP5493697B2 - Certification authority apparatus migration method, certification authority apparatus migration program, certification authority apparatus - Google Patents

Description

  The present invention relates to a technique for migrating a certificate authority device that issues an electronic certificate.

In general, an organization that issues an electronic certificate is called a certificate authority. In this specification, an information processing apparatus that issues an electronic certificate in a certificate authority is referred to as a certificate authority apparatus.
The configuration of the certificate authority device is shown in FIG.

  The certificate authority apparatus includes a certificate issuing function 211, a CRL (Certificate Revolution List) issuing function 212, a certificate serial number counter 213, a certificate profile template 214, a CRL serial number counter 215, and a thumbprint verification function. 216, a signature verification function 217, a profile analysis function 218, and a certificate authority repository (certificate management database) 219. Further, the certificate authority device includes a public key and a private key.

  The certificate issuing function 211 uses a certificate profile template 214 to issue a certificate with the serial number stored in the certificate serial number counter 213 when issuing the certificate. The CRL issuing function 212 is a place for issuing revocation information of a certificate that has already been issued. The CRL is issued periodically, and each time the CRL is issued, the CRL serial number counter 215 is incremented.

  When a certificate issued by another certificate authority is received, the thumbprint verification function 216 compares the publicly-printed thumbprint with the certificate's thumbprint in order to confirm the correctness of the certificate. This is to confirm the correctness of the book.

  When the signature verification function 217 receives a certificate or CRL issued by another certificate authority, the signature verification function 217 checks the signature of the certificate received using the public key in order to confirm the correctness of the certificate. It verifies and confirms the correctness of the certificate.

The profile analysis function 218 analyzes a profile such as a received certificate.
The certificate authority repository 219 is a database for managing issued certificates, CRLs, and the like where issued certificates, CRLs, and information related to certificate issuance (issue information) are stored.

  A case where the key is updated in such a certificate authority apparatus will be described with reference to FIG. When updating the key within the same CA, the certificate is verified for both users who trust the certificate issued with the old key and those who trust the certificate issued with the new key. You must be able to do it. To that end, the certificate authority issues a certificate (NewWithOld) signed with the old private key to the new public key and a certificate (OldWithNew) signed with the new private key to the old public key. Certificates such as NewWithOld and OldWithNew are called link certificates.

  This section describes how to verify the validity of a certificate using a link certificate. First, when a user who trusts an old CA certificate verifies the validity of a new certificate issued by the CA, the link certificate (NewWithOld) is verified with the old certificate (OldWithOld) (A-1 ). Then, the new certificate (NewWithNew) is verified by the link certificate (NewWithOld) (A-2).

  When a user who trusts a new certificate verifies the reliability of the old certificate issued by the certificate authority, the link certificate (OldWithNew) is verified with the new certificate (NewWithNew) (B-1). Then, the old certificate (OldWithOld) is verified with the link certificate (OldWithNew).

  As described above, the link certificate enables the user of either certificate to verify the validity during the period in which two certificates, OldWithOld and NewWithNew, exist.

Further, a case where mutual authentication is performed between different certificate authorities in the certificate authority apparatus shown in FIG. 21 will be described with reference to FIG.

  When performing mutual authentication, each certificate authority issues a certificate to the other certificate authority. This certificate is called “Cross Certificate”. This mutual authentication certificate is stored in a repository in the certificate authority device. A user who uses a certificate (a certificate issued by a certificate authority, an EE certificate (end entity certificate)) follows the mutual authentication certificate, and the certificate of another CA user (EE certificate) Can be verified.

  Starting from the certificate you want to verify, tracing the trust relationship in order, and connecting to the certificate authority that you trust is called the certification path. In FIG. 23, the certificate of the user 1 (User1) is departed from the mutual authentication certificate, an authentication path is generated up to the certificate authority CA2, and the certificate of the user 2 can be verified.

  By the way, when a certificate authority device that issues a certificate becomes old, it is necessary to replace the certificate authority device with a new one. In order to continue the function as the certificate authority, it is necessary to transfer the assets of the old certificate authority device, that is, the information stored and managed in the certificate authority repository 219, to the new certificate authority device. When replacement is performed between certificate authority devices of the same product, migration can be realized by importing (importing) the product-specific assets such as information in the certificate management repository 219 and other files into the succeeding product as they are.

  However, since there are no rules regarding asset transfer between certificate authority apparatuses, each vendor that manufactures the certificate authority apparatus manages assets by a method unique to each company. For this reason, there was no compatibility between products, and there was no way to transfer assets between different CA products. The certificate authority operator must build a new certificate authority device that is the migration destination while maintaining the migration source certificate authority device, and all certificates issued by the migration source certificate authority device are revoked. There is a problem that the operation cost is doubled because parallel operation is necessary until the expiration date.

  Thus, there is a demand for smooth transition between different certificate authority device products. However, the following problems (1) to (3) need to be solved in order to enable migration between certificate authority apparatuses having different certificate management repository 219 configurations.

(1) Coordination between source certificate authority device and destination certificate authority device of issue information If the destination certificate authority device and source certificate authority device do not maintain the consistency of the serial number of the issued certificate Don't be. For this purpose, it is necessary to capture the issue information of all certificates issued by the transfer source certificate authority device into the transfer destination certificate authority device. There are two methods for fetching issuance information into the migration destination certification authority device: a method for fetching product-specific assets, and a method for fetching all certificates issued by the migration source certification authority device into the migration destination certification authority device.

  When migrating a product-specific asset, it is a precondition that the internal specifications of the migration source CA device are disclosed, and the migration destination CA device needs to be built according to the specifications. There is a problem that the internal specifications of the certificate authority device must be disclosed and a problem that modification is required for each migration source certificate authority device.

  Also, when transferring all certificates issued by the migration source CA device to the migration destination CA device, it is highly versatile, but if the number of certificates increases, each certificate cannot be verified manually. , There will be room for misoperation and fraud by the operating operator, resulting in poor efficiency.

(2) Cooperation between revocation information transfer source CA device and transfer destination CA device In the transfer destination CA device, in order to enable the certificate issued by the transfer source CA device to be revoked, It is necessary to import the revocation information of the certificate authority device into the migration destination certificate authority device. There are two methods for fetching revocation information into the migration destination certificate authority device: a method for fetching product-specific assets and a method for fetching revocation information such as CRL.

  When migrating by importing product-specific assets, it is a precondition that the migration source CA device publishes the internal specifications, and it is necessary to build in the migration destination CA device and the migration source CA device according to the specifications. . There is a problem that the internal specification of the certificate authority device must be disclosed, and a problem that modification is required for each destination certificate authority device.

  In addition, the method of transferring revocation information such as CRL is highly versatile, but the number of CRLs is increased to capture a large amount of revocation information, resulting in an operator's erroneous operation and room for fraud, resulting in poor efficiency. .

(3) Show the source CA and the destination CA as if they were the same CA
After migration, the validity of both the user who trusts the certificate issued by the source CA and the user who trusts the certificate issued by the destination CA can be verified. I have to keep it. For this purpose, the transfer destination certificate authority device and the transfer source certificate authority device must be shown to the same certificate authority. In order to pass such an authentication path, it is necessary to capture the link certificate issued by the migration source certificate authority device into the migration destination certificate authority device and to ensure the consistency of the serial number in the certificate. However, in the conventional certificate authority device, in order to ensure the consistency of the serial number of the certificate, the serial number cannot be designated from the outside at the time of issuance. Therefore, an authentication path in which the transfer destination certificate authority apparatus and the transfer destination certificate authority apparatus can be viewed by the same certificate authority cannot be realized.

JP 2002-217901 A JP 2001-350406 A

An object of the present invention is to enable smooth transition between certificate authority apparatuses having different certificate management repository configurations.
In order to achieve this object, the following problems (1) to (3) are solved.
(1) The issue information can be linked between the transfer source certificate authority device and the transfer destination certificate authority device.
(2) The revocation information can be linked between the transfer source certificate authority device and the transfer destination certificate authority device.
(3) Generate an authentication path that recognizes the transfer source certificate authority device and the transfer destination certificate authority device as the same certificate authority while maintaining the consistency of the serial number of the certificate.

This method of migration between certificate authority apparatuses having different certificate management repository configurations solves the problems (1) to (3) as follows.
(1) The migration destination certificate authority device reads and analyzes all certificates issued by the migration source certificate authority device, and issues a certificate authority specific to the migration destination certificate authority device in the certificate management repository of the migration destination certificate authority device. Create and manage information.

(2) The migration destination CA device reads and analyzes the latest CRL (list of revoked certificates) issued by the migration source CA device, and is managed in the certificate management repository of the migration destination CA device It is managed by adding to the information issued by the CA.

  (3) In order to generate an authentication path in which the source certificate authority apparatus and the destination certificate authority apparatus are recognized as the same certificate authority, a key update function in the same certificate authority apparatus and a mutual relationship between the certificate authority apparatuses Realized by using authentication function together. At this time, the issuer name and the issuer name of the certificate of the migration source / destination certificate authority apparatus are matched, and the same mutual authentication certificate as the link certificate is issued. Also, a dummy certificate is issued as the transfer destination CA device captures the forward mutual authentication certificate, avoiding duplicate certificate serial numbers in the transfer destination CA device, Keep the serial number consistent.

  The disclosed migration method between certificate authority devices does not require any modification of the migration source certificate authority device or disclosure of internal specifications, and can be realized simply by adding a migration function to the migration destination certificate authority device. As a result, it is possible to move between certificate authority apparatuses of any configuration. Until now, when replacing certificate authority devices with different certificate management repository configurations, both the migration destination certificate authority device and the migration source certificate authority device must be operated for a long period of time. There were various burdens on the load. However, according to the disclosed method for migrating a certificate authority device, there is an effect that the burden is reduced in the future.

1 is a diagram illustrating a system configuration of Embodiment 1. FIG. It is a figure explaining the production | generation of the certification | authentication path | pass in the same certification authority apparatus. It is a figure explaining certification path generation between different certification authorities. It is a figure explaining the certification | authentication path production | generation between the certification authority apparatuses in Example 1. FIG. FIG. 10 is a diagram illustrating a correspondence relationship between an operation related to certificate issuance when a key is updated by the same certificate authority device and an operation for linking a certificate between certificate authority devices in the first embodiment. It is a figure which shows the correspondence of the operation | movement regarding CRL issuing in the case of updating a key with the same certification authority apparatus, and the operation | movement for making CRL cooperate between certification authority apparatuses in Example 1. FIG. FIG. 6 is a diagram for explaining a flow of transferring certificates, revocation information, and the like between a migration source and a migration destination certificate authority apparatus in the first embodiment. FIG. 3 is a diagram illustrating an overall processing flow of the first embodiment. It is a figure which shows the structure of the certification authority issue information managed by the certification authority repository of Example 1. It is a flowchart which shows the more detailed description of step S1 of FIG. FIG. 9 is an example of a screen when the flow of FIG. 8 is executed, and is an example of a screen for designating whether to construct a new certificate authority or perform a migration operation of a certificate authority device. It is an example of a screen when the flow of FIG. 8 is executed, and is an example of a screen for designating certificate information of a migration source CA device. FIG. 9 is an example of a screen when the flow of FIG. 8 is executed, and is an example of a screen for designating revocation information of a migration source CA device. It is a figure explaining the process which a transfer destination certificate authority apparatus registers information into a certificate authority repository from the certificate and CRL which the transfer origin certificate authority apparatus issued. It is a flowchart which shows the more detailed description of step S2 of FIG. It is a figure which shows the example of a screen at the time of performing the flow of FIG. 11, and is a figure which shows the example of the screen for producing | generating a seed value. It is a figure which shows the example of a screen at the time of performing the flow of FIG. 11, and is a figure which shows the example of a screen at the time of designating a key length. It is a figure which shows the example of a screen at the time of performing the flow of FIG. 11, and is a figure which shows the example of the screen which designates the dummy certificate issued with the transfer origin certification authority apparatus. It is a figure which shows the example of a screen at the time of performing the flow of FIG. 11, and is a figure which shows the example of a screen at the time of reflecting an input matter in a certificate profile template. It is a flowchart which shows the more detailed description of step S3 of FIG. It is a figure which shows the example of a screen at the time of performing the flow of FIG. 13, and is a figure which shows the example of a screen at the time of creating the issuance application of a forward direction mutual authentication certificate. It is a figure which shows the example of a screen when the flow of FIG. 13 is performed, and is a figure which shows the example of a screen at the time of reading a forward direction mutual authentication certificate with a transfer destination certification authority apparatus. It is a figure which shows an example of the issued forward mutual certificate. It is a flowchart which shows the more detailed description of step S4 of FIG. It is a figure which shows the example of a screen at the time of performing the flow of FIG. 16, and is a figure which shows the example of a screen at the time of reading the issue application of a reverse direction mutual authentication certificate in a transfer destination certification authority apparatus. It is a figure which shows the example of a screen when the flow of FIG. 16 is performed, and is a figure which shows the example of a screen when a reverse direction mutual authentication certificate is issued. It is a figure which shows an example of the issued reverse mutual certificate. It is a figure which shows an example of the screen displayed by FIG.6 S5. It is a figure which shows the hardware constitutions of the information processing apparatus which comprises a transfer destination certificate authority apparatus. It is a figure which shows the structure of the conventional certificate authority apparatus. It is a figure shown about the case where a key is updated in the same certification authority apparatus. It is a figure shown about the case where mutual authentication is performed between different certificate authorities.

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 shows a system configuration of the first embodiment.
First, the migration source certificate authority device 2 and the migration destination certificate authority device 1 exist.
When the certificate authority apparatus 2 issues a certificate or a revocation list (e.g., CRL) of the issued certificate, the issued certificate, the issued revocation list, and each issue information are not shown in FIG. Are stored in the certificate authority repository in the migration source certificate authority apparatus 2. In this embodiment, when data stored in the certificate authority repository in the migration source certificate authority apparatus 2 is moved to the migration destination certificate authority apparatus 1, the data in the certificate authority repository in the migration source certificate authority apparatus 2 is portable. Data is moved by recording the data in a storage medium or the like and reading the portable storage medium or the like by a medium driving device included in the information processing apparatus that constitutes the transfer destination certificate authority apparatus 1. Accordingly, in FIG. 1, for example, the certificate authority certificate [Old RootCA Cert.] Issued by the migration source certificate authority apparatus 2 is depicted as being directly received by the migration destination certificate authority apparatus 1. The administrator or the like records data from the database of one certificate authority device to a portable storage medium, and causes the other certificate authority device to read the data from the portable recording medium. .

  As shown in FIG. 1, the migration source certificate authority device 2 and the migration destination certificate authority device 1 have a public key (migration source: OldPublicKey (a), migration destination: NewPublicKey (A)) and a private key (migration source: OldPrivateKey ( b), migration destination: NewPrivateKey (B)).

  The transfer destination certificate authority apparatus 1 includes a transfer function 11, a certificate issue function 12, a CRL issue function 13, a certificate authority repository (or certificate authority management DB, hereinafter referred to as a certificate authority repository) 14, and a certificate serial number. The configuration includes a counter 15, a certificate profile template 16, and a CRL serial counter 17.

The certificate issuing function 12 and the CRL issuing function 13 are functions provided in a normal certificate authority device. The certificate issuing function 12 issues a certificate, and the CRL issuing function 13 issues a CRL.
The certificate authority repository 14 stores and manages issued certificate information, revocation information, and the like in a list. Although the configuration of the certificate authority repository 14 will be described later, in the first embodiment, the issue information corresponding to each issued certificate is simply referred to as “issue information”, and a list including records corresponding to each issue information. What is managed by the certificate authority repository 14 is referred to as “certificate authority issue information” (an example is shown in FIG. 7).

  The certificate serial counter 15 is a counter that stores the serial number of the issued certificate, and the CRL serial number counter 17 is a counter that stores the CRL serial number. The certificate profile template 16 is a storage area for storing a profile of a certificate to be issued.

The migration function 11 is a function for migration. More specifically, the migration source certificate receiving function 18, the migration source CRL receiving function 19, the certificate authority certificate migration issuing function 20, the certification path generation function (forward direction) ) 21 and an authentication path generation function (reverse direction) 22. The migration function 11 includes a thumbprint verification function, a signature verification function, and a profile analysis function not shown in FIG. These functions are the same as those provided in a normal certificate authority device, and each function (18 to 22) in the migration function 11 uses a thumbprint verification function, a signature verification function, and a profile analysis function as necessary.
Hereinafter, each function in the migration function 11 will be described.

  The transfer source certificate receiving function 18 first reads the certificate authority certificate [Old RootCA Cert.] Issued by the transfer source certificate authority apparatus 2. A certificate authority certificate has the same functional characteristics as a normal certificate, but information indicating that the certificate authority device that issued the certificate authority certificate is an electronic certificate authority is included in the certificate. It is what is in. The transfer source certificate receiving function 18 verifies the read certificate authority certificate [Old RootCA Cert.] Using the thumbprint verification function, extracts the certificate profile using the profile analysis function, and extracts the certificate profile. The profile and the read certificate authority certificate of the migration source certificate authority apparatus 2 are stored in the certificate authority repository 14.

  Further, the transfer source certificate receiving function 18 includes all certificates [Old EE Cert.] (EE is an abbreviation of an end entity) issued by the transfer source certificate authority device 2 for a user or the like who has requested certificate issuance. Is verified using the signature verification function, analyzed, and stored in the certificate authority repository 14. The storage in the certificate authority repository 14 will be described later. Briefly, the storage is performed by adding a record corresponding to the issuance of each certificate to the certificate authority issuance information managed in the certificate authority repository 14. Is called.

  The migration source CRL receiving function 19 reads the latest CRL [Old CRL] issued by the migration source certificate authority apparatus 2. At this time, other issued CRLs may be read. Then, the migration source CRL receiving function 19 verifies the signature of the read CRL using the signature verification function. After the signature verification, if it is confirmed that the read CRL is correct, the serial number of the revoked certificate is extracted from the CRL. Then, the certificate revocation information is registered for the record that matches the serial number in the certificate authority issuance information managed in the certificate authority repository 14. Details of the registration of the revocation information will be described later. When the latest CRL is read, the CRL serial number is extracted and set in the CRL serial number counter 17.

  The certificate authority certificate migration issue function 20 receives a dummy certificate [dummy certificate] issued by the migration source certificate authority device 2. This dummy certificate is usually a certificate that the migration source certificate authority administrator or the like issues to the migration source certificate authority apparatus 2 in the same manner as issuing a certificate to a user who requests certificate issuance. It is. The transfer destination certificate authority apparatus 1 reads the issued certificate by the certificate authority certificate transfer issue function 20 and verifies the signature using the signature verification function. Then, the serial number of the dummy certificate is extracted, and the extracted serial number is set in the certificate serial counter 15. In addition, the certificate authority certificate profile extracted by the migration source certificate receiving function 18 using the profile analysis function is stored in the certificate profile template 16 to set the certificate profile. Then, based on the value set in the certificate serial counter 15 and the template set in the certificate profile template 16, a migration destination certificate authority certificate [New RootCA Cert.] Is issued. Further, a record corresponding to the issue record is added to the certificate authority issuance information managed in the certificate authority repository 14. As described above, the serial number of the certification authority certificate [New Root CA Cert.] Issued by the migration destination certification authority apparatus 1 is transferred by the dummy certificate issued by the migration source certification authority apparatus 2 in the first embodiment. It can be made to be continuous with the serial number of the certificate that has been issued until now in the former certificate authority apparatus 2.

  The certification path generation function (forward direction) 21 is a forward mutual authentication certificate issued by the migration source certification authority apparatus 2 based on the application for issuance of the forward mutual authentication certificate created by the migration destination certification authority apparatus 1. Receive [Link / Cross Cert.2]. As described above, a “mutual authentication certificate” is a certificate issued to each other's certificate authority when two different certificate authorities authenticate each other. The forward mutual authentication certificate issued here is the one issued by the migration source certificate authority device 2 and the migration destination certificate authority device 1 for mutual authentication. This is a mutual authentication certificate issued to 1. Further, the forward mutual authentication certificate is issued so as to be the same as the link certificate that is normally issued when the key is updated by the same certificate authority apparatus. In the first embodiment, the source certificate authority device 2 issues [NewWithOld]. The issuer name (IssureName) and issuer name (SubjectName) of the forward mutual authentication certificate are issued in the same manner.

  The certification path generation function (forward direction) 21 extracts the serial number of the received forward mutual authentication certificate and sets the extracted serial number in the certificate serial number counter 15. Based on the certificate serial number counter 15, a dummy certificate [dummy certificate] is issued, and a record corresponding to the issuance record is added to the certificate authority issuance information managed in the certificate authority repository 14. . Then, the binary data of the order direction mutual authentication certificate issued by the migration source certificate authority 2 is overwritten in the certificate data storage field in the added record. The dummy certificate issued by the transfer destination certificate authority apparatus 1 is issued in the same manner as issuing a certificate to a user who requests normal certificate issuance. Since the binary data of the forward mutual authentication certificate issued by the migration source certificate authority device 2 is overwritten on the record of the certificate authority issuance information corresponding to the issuance of the dummy certificate, the migration destination certificate authority device 1 [ NewWithOld] will be retained.

  The certification path generation function (reverse direction) 22 is a function in which the migration destination certification authority apparatus 1 issues a mutual certification certificate, contrary to the certification path generation function (forward direction) 21. The certification path generation function (reverse direction) 22 receives the reverse mutual authentication certificate issuance application form from the source certificate authority apparatus 2 and verifies the thumbprint using the thumbprint verification function. When the validity of the issuance application is confirmed, a reverse mutual authentication certificate is issued based on the validity. The reverse mutual authentication certificate is a mutual authentication certificate issued in the reverse direction of the above-described forward mutual authentication certificate, that is, the transfer destination certificate authority device 1 to the transfer source certificate authority device 2. Similar to the forward mutual authentication certificate, it is issued so as to be the same as the link certificate, and the transfer destination certificate authority device 1 issues a certificate [OldWithNew] signed with the new private key to the old public key. . Also, the issuer name (IsuureName) and the issuer name (SubjectName) of the reverse mutual authentication certificate are the same.

  In this way, the certification path generation functions (forward direction, reverse direction) 21 and 22 are the source certificate authority as in the case of the link certificate issued when the old key is updated to the new key in the same certificate authority apparatus. A certificate equivalent to a link certificate is issued as a mutual authentication certificate with the device key as the old key, the migration destination CA device key as the new key. At that time, the certificate issuer name and the issuer name are the same. Thereby, although the transfer destination certificate authority device 1 and the transfer source certificate authority device 2 are different certificate authority devices, an authentication path that is recognized as the same certificate authority is generated.

  The configuration of the destination certificate authority apparatus 1 according to the first embodiment has been described above with reference to FIG. The transfer destination certificate authority device 1 has a function of receiving transfer source certificate information such as issued certificate information and revocation information of the transfer source certificate authority device 2 even between certificate authority devices having different configurations of the certificate authority repository 14. 18 and the receiving function 19 of the migration source CRL. As a result, even if the configuration of the certificate authority repository of the migration source certificate authority device 2 and the configuration of the repository of the migration destination certificate authority device 1 are different, assets such as certificates and CRLs issued by the migration source certificate authority device 1 are migrated. It can be taken into the certificate authority device. Further, the certificate authority certificate transfer function 20 can issue the certificate authority certificate in the transfer destination certificate authority device 1 so as to continue to the serial number of the certificate issued by the transfer source certificate authority device 2. is there. Further, the certification path (forward and reverse) generation functions 21 and 22 can generate certification paths that are recognized as the same certification authority in the migration source certification authority apparatus 2 and the migration destination certification authority apparatus 1. is there. As described above, the transfer operation of the certificate authority device can be performed smoothly.

  Furthermore, in order to make the processing by the certification path generation function (forward direction) 21 and the certification path generation function (reverse direction) 22 in FIG. 1 easy to understand, the certification path generation in the first embodiment will be described with reference to FIG. Let me explain. Regarding the generation of the certification path of the present embodiment, in the normal case, the certification path is generated in the same certification authority apparatus (when the key is updated in the same certification authority apparatus), and the certification path is generated between different certification authorities. Since it is easy to understand by comparing and, first, a normal case will be described with reference to FIGS. 2A and 2B, respectively. Thereafter, FIG. 2C illustrates generation of an authentication path according to the present embodiment.

  First, FIG. 2A shows a case where the key is updated by the same certificate authority apparatus, which is normally performed. In FIG. 2A, RootCA indicates a root certificate authority, [RootCA Cert.] Indicates a root certificate authority certificate, [Link Cert.] Indicates a link certificate, and [EE Cert.] Indicates an end entity certificate (EE certificate). Yes. Here, the root certificate authority certificate is a certificate authority certificate. The link certificate is a certificate issued when the key is updated. An end entity certificate is a certificate issued to a user or the like who requests the certificate.

  The issuer name (IssureName) and issuer name (subject name, SubjectName) in the root certificate authority certificate and link certificate are the same (A1). In this way, when the issuer name and the issuer name are the same or in the case of link certification, the authentication pass is not counted. A value indicating the hierarchy of the certification path, pathLenConstraint, is 0.

  Next, FIG. 2B shows a case where an authentication domain is configured with different certificate authorities. In FIG. 2B, RootCA indicates a root certificate authority, [RootCA Cert.] Indicates a root authentication certificate, [Cross Cert.] Indicates a mutual authentication certificate, and [EE Cert.] Indicates an end entity certificate. Here, the mutual authentication certificate is a certificate issued to each other's certificate authority when two different certificate authorities authenticate each other. For example, for a mutual authentication certificate issued by RootCA1 to RootCA2, the issuer name and the issuer name are different. When the issuer name (IssureName) and the issuer name (SubjectName) do not match in this way, they are regarded as separate certificate authorities, and the certification path is counted. In the case of FIG. 2B, the pathLenConstraint in the end entity is 2.

  As shown in FIG. 2B, when a certification path is generated with a different certification authority, since the issuer name and the issuer name of the certificate are usually different, pathLenConstraint is 2, which is regarded as another certification authority. . However, in the first embodiment, since different certificate authority devices need to be regarded as the same certificate authority, the following processing is performed.

  FIG. 2C shows generation of an authentication path according to the first embodiment. 2C, [source certificate authority Cert.] Is the source certificate authority certificate, [target certificate authority Cert.] Is the destination certificate authority certificate, and [Link / Cross Cert. 2] is the forward mutual certificate. , [Link / Cross Cert. 1] indicates the reverse mutual authentication certificate, and [EE Cert.] Indicates the end entity certificate. Although the certificate authority equipment is different, a mutual authentication certificate (forward mutual authentication certificate, reverse mutual authentication) in which the issuer name (IsuureName) and the issuer name (SubjectName) are matched to be the same as the link certificate. Issue a certificate. As a result, pathLenConstraint = 0 and an authentication path is generated in which the transfer destination certificate authority and the transfer source certificate authority are recognized as the same certificate authority. As described above, in the first embodiment, the migration source certification authority and the migration destination certification authority are recognized as the same certification authority by the certification path generation function (forward direction) 21 and the certification path generation function (reverse direction) 22 shown in FIG. A certification path is generated.

Next, with reference to FIG. 3, FIG. 4, and FIG. 5, the migration process in the first embodiment will be described step by step.
As described above, the transition of the certificate authority apparatus according to the first embodiment is performed by changing the certificate serial number and the like so that it appears as if the same certificate authority apparatus renewed the key using only the issued certificate. This is realized by linking devices. That is, it is necessary to operate the certificate authority device like the key update in the same certificate authority device shown in the left table of FIG. Below, the process of five steps ((A) to (E)) performed by the transfer destination certificate authority apparatus 1 will be described. (Note that the certificate authority certificate serial number is not only added in ascending order but also in the certificate authority apparatus randomly assigned, but in the following description, the ascending order will be described as an example. In this case, the first embodiment can be applied.)
(A) Source CA certificate (serial number: 1 in the right table of FIG. 3)
The migration source certificate authority certificate is a certificate authority certificate issued by the migration source certificate authority apparatus 2. The correct migration source certificate authority certificate is imported into the migration destination certificate authority apparatus 1 using the migration source certificate receiving function 18 of FIG. More specifically, processing is performed as follows. First, the thumbprint of the migration source certificate is compared with the thumbprint published by the migration source CA, and it is confirmed that there is no mistake. Next, the profile of the migration source CA certificate is extracted and applied to the profile of the migration destination CA certificate. Then, the certificate profile and the certificate are stored in the certificate authority repository 14.

(A) EE certificate (serial numbers in the right table of FIG. 3: 2 to n)
All certificates (EE certificate, end entity certificate) issued by the migration source CA 2 to the user who requested the certificate issuance using the migration source certificate receiving function 18 of FIG. Import to the migration destination certificate authority apparatus 1. More specifically, processing is performed as follows. First, EE certificates are continuously read from a storage location (such as a specified folder) where all the certificates are stored, and these certificates are signed by the source certificate authority device 2 that was imported in (a). The signature is verified to see if it has been received, and processing is performed so that inappropriate certificates are not mixed. The certificate profile is extracted and stored in the certificate authority repository 14 together with the EE certificate.

(C) Migration destination CA certificate (serial number in the right table of FIG. 3: n + 1)
Using the certificate authority certificate migration issue function 20 in FIG. 1, the migration destination certificate authority certificate is issued by the migration destination certificate authority apparatus 1 using the serial number of the dummy certificate issued by the migration source certificate authority apparatus 2. Issue. More specifically, the processing is as follows. First, the transfer destination certificate authority apparatus 1 receives the dummy certificate and confirms by signature verification that the dummy certificate has been issued by the transfer source certificate authority apparatus 2. Next, the serial number is extracted from the profile of the dummy certificate and set in the certificate serial number counter 15. The profile of the migration source CA certificate acquired in (a) is set in the certificate profile template 16. Then, based on the certificate serial number counter 15 and the certificate profile template 16, a migration destination certificate authority certificate is issued.

(D) Link certificate (serial number in the right table of FIG. 3: n + 2)
Using the certification path generation function (forward direction) 21 in FIG. 1, the source certification authority apparatus 2 is made to issue a forward mutual authentication certificate. More specifically, the processing is as follows. First, based on the forward mutual authentication certificate issuance application created by the transfer destination certificate authority apparatus 1, a forward mutual authentication certificate is issued by the transfer source certificate authority apparatus 2. Then, the transfer destination certificate authority device 1 takes in the forward mutual authentication certificate after confirming by signature verification that the transfer source certificate authority device 2 has issued it. The transfer destination certificate authority apparatus 1 extracts the serial number of the forward mutual authentication certificate and sets the extracted serial number in the certificate serial number counter 15. A dummy certificate is issued based on the certificate serial number counter 15 and a record is added to the certificate authority issuance information managed by the certificate authority repository 14. Then, the certificate data storage field in the added record is overwritten with the binary data of the forward mutual authentication certificate issued by the source certificate authority device 2. Thus, since the forward mutual authentication certificate is issued to be the same as the link certificate as described above, this is the same as holding the link certificate in the migration destination certificate authority apparatus 1.

(E) Link certificate (serial number in the right table of FIG. 3: n + 3)
Using the certification path generation function (reverse direction) 22 in FIG. 1, a reverse mutual authentication certificate issuance application is received from the source certificate authority device 2, and the reverse direction mutual authentication certificate is received by the destination certificate authority device 1. Issue a certificate. As described above, the reverse mutual authentication certificate is issued to be the same as the link certificate.

  After the above five steps (a) to (e), the migration source certificate authority device 2 immediately stops and is discarded, and the migration destination certificate authority device 1 starts normal operation (right of FIG. 3). Table serial number: n + 4 ~).

Now, in FIG. 3, it has been explained that the serial number and profile of the certificate are linked between certificate authority apparatuses. Next, referring to FIG. 4, the serial number of the source CRL and the revocation status of the certificate are shown. Next, the cooperation between the migration source / destination certificate authority apparatuses will be described. In the first embodiment, the revocation information of the transfer source certificate authority apparatus is taken into the transfer destination certificate authority apparatus so that the validity of the certificate does not contradict between the two certificate authority apparatuses. At that time, the operation of the certificate authority apparatus has the following three stages (a) to (c). The following processes (a) to (c) are processed by the receiving function 19 of the migration source CRL in FIG. (Note that the CRL serial number is not only added in ascending order but also in the certificate authority apparatus randomly assigned, but in the following description, the ascending order will be described as an example. The first embodiment is applicable.)
(A) Operation period at the source CA (serial number of CRL: 1 to n-1 in the right table of FIG. 4)
The correct CRL of the migration source certificate authority device 2 is imported to the migration destination certificate authority device 1. More specifically, the processing is as follows. The CRL is continuously read from the storage location where the CRL is stored (such as a designated folder), and whether or not these CRLs are signed by the migration source certificate authority 2 is verified. Process so as not to mix. Then, the revocation list is extracted from the CRL profile, the serial number of the certificate to be revoked is extracted, and the certificate revocation is recorded for the record that matches the serial number in the certificate authority issuance information managed in the certificate authority repository 14. Register as information.

(A) Operation period at the source CA (CRL serial number: n in the right table of FIG. 4)
The latest CRL is taken in the same manner as (a). Further, the latest CRL serial number is extracted and set in the CRL serial number counter 17.

(C) Operation period at the transfer destination CA (CRL serial numbers in the right table of FIG. 4: n + 1 to 1)
After the processes (a) and (b), the source CA device 2 immediately stops and is discarded, the normal operation is started in the destination CA device 1, and the CRL serial is issued when issuing the CRL. CRL is issued after adding 1 to the value of the number counter 17.

  As described above, with reference to FIG. 3 and FIG. 4, the operation at the time of shifting to the certificate authority apparatus in the first embodiment has been described. FIG. 5 schematically summarizes the entire flow. (1) to (10) and (a) to (u) in FIG. 5 correspond to (1) to (10) and (a) to (u) described in FIGS. 3 and 4, respectively. Although the description is duplicated, the following is a brief description.

First, (1) to (10) in FIG. 5 will be described.
In (1) of FIG. 5, the certificate authority certificate [Old RootCA Cert.] Of the migration source certificate authority device 2 is imported into the migration destination certificate authority device 1. At this time, the migration source certificate receiving function 18 uses the thumbprint verification function 51 to perform the thumbprint verification of the migration source CA certificate. Also, the profile of the migration source certificate authority certificate is extracted and applied to the profile of the migration destination certificate authority. Then, the certificate profile and the certificate are stored in the certificate authority repository 14 and a record is registered in the certificate authority issuance information managed by the certificate authority repository 14.

  In (2) of FIG. 5, all certificates (EE certificate, end entity certificate) [Old EE Cert.] Issued by the migration source CA device 2 to the user who requested the certificate issuance Import the certificate authority device 1. At this time, the transfer source certificate receiving function 18 uses the signature verification function 52 to verify whether all the certificates have been signed by the transfer source certificate authority apparatus 2. Then, a certificate profile is extracted and stored in the certificate authority repository 14, and a record corresponding to each certificate is added to the certificate authority issuance information managed by the certificate authority repository 14.

In (3) of FIG. 5, the migration source CA device 2 issues a dummy certificate [dummy certificate].
In (4) of FIG. 5, the certificate authority certificate issuing function 20 of the transfer destination certificate authority apparatus 1 verifies the signature of the dummy certificate issued by the transfer source certificate authority apparatus 2 using the signature verification function 52. The serial number of the dummy certificate is extracted, and the serial number is set in the certificate serial number counter 15. Then, the migration destination CA certificate [New RootCA Cert.] Is issued with the same profile as that of the migration source CA certificate acquired in FIG. In addition, a record as an issuance record is added to the certificate authority issuance information managed by the certificate authority repository 14.
In (5) of FIG. 5, the transfer destination certificate authority apparatus 1 creates a forward mutual authentication certificate issuance application.
In (6) of FIG. 5, the source certificate authority apparatus 2 issues a forward mutual authentication certificate [Link / Cross Cert.2].

  In (7) of FIG. 5, the certification path generation function (forward direction) 21 uses the signature verification function 52 to verify the signature of the forward mutual authentication certificate, and then captures the serial number of the forward mutual authentication certificate. The extracted serial number is set in the certificate serial number counter 15.

  In (8) of FIG. 5, a dummy certificate [dummy certificate] is issued based on the certificate serial number counter 15 and a record is added to the certificate authority issuance information managed in the certificate authority repository 14. . Then, the binary data of the forward mutual authentication certificate issued by the migration source CA device 2 is overwritten in the certificate data storage field in the added record.

In (9) of FIG. 5, the source certificate authority apparatus 2 creates an application for issuing a reverse mutual authentication certificate.
In (10) of FIG. 5, the certification path generation function (reverse direction) 22 captures the reverse mutual authentication certificate issuance application form after performing the thumbprint verification using the thumbprint verification function 51, and transfers the destination certificate authority apparatus 1. Issue reverse mutual authentication certificate [Link / Cross Cert.1]. Then, a record is added to the certificate authority issuance information managed in the certificate authority repository 14.

Next, (a) to (u) will be described.
In FIG. 5A, the transfer source CRL receiving function 19 uses the signature verification function 52 to verify the signature of the CRL issued by the transfer source certificate authority 2 so that inappropriate CRLs are not mixed. Then, the revocation list is extracted from the CRL profile, the serial number of the certificate to be revoked is extracted, and the certificate revocation is recorded for the record that matches the serial number in the certificate authority issuance information managed in the certificate authority repository 14. Register as information.

In FIG. 5 (i), the latest CRL is issued by the migration source certificate authority 2.
In (u) of FIG. 5, the CRL is imported to the migration destination certificate authority 1 in the same manner as in (a) of FIG. 5, but the CRL serial number is further extracted, and the CRL serial number is stored in the CRL serial number counter 17. Set.

As described above, the outline of the configuration and operation of the first embodiment has been described with reference to FIGS. 1 to 5, and the flow of the entire process will be described below with reference to the flowcharts.
First, FIG. 6 shows an overall processing flow of the first embodiment.

  First, in step S1, certificate authority assets are transferred. In the migration source CA device 2, normal operation is stopped, and the CA certificate, all issued certificates (end entity certificates) and their numbers, the latest CRL or issue in the migration source CA device 2 are issued. Preparation for migration is performed by recording other data such as CRLs on a storage medium, for example. Then, the data in the storage medium is imported into the certification authority repository 14 of the migration destination certification authority apparatus 1 by reading it out with an information processing apparatus constituting the migration destination certification authority apparatus. This step S1 corresponds to the processes (1), (2) and (A), (I), (U) in FIG.

  Here, the process of storing (importing) the certificate and the revocation information of the source certificate authority device 2 in the certificate authority repository 14 of the destination certificate authority device 1 in step S1 will be described in more detail with reference to FIG. FIG. 7 shows the configuration of the certificate authority issuance information managed by the certificate authority repository 14. Each record of certificate authority issuance information includes certificate serial number, certificate type, certificate issuer name (subject name, SubjectName), certificate issuer name, and validity period (start date / time, expiration date / time) Certificate data, and further includes the date and time of revocation of each certificate and the reason for revocation.

  When the CA certificate is transferred in step S1, the CA certificate (der / cer file) taken in by the transfer source certificate receiving function 18 is first stored in the CA repository 14. At this time, the serial number, type, issuer name, issuer name, validity period, and certificate data of the certificate are stored in the part indicated by I in FIG. Next, the transfer source certificate receiving function 18 fetches all certificates (EE certificate, end entity certificate) issued by the transfer source certificate authority apparatus 2 for the user who requested the certificate issuance, and performs authentication. Store in the station repository 14. At this time, as in the case of the certificate authority certificate for each certificate, the serial number, type, issuer name, issuer name, validity period, and certificate data of the certificate are shown in the part indicated by II in FIG. Store each one. Next, the latest CRL issued by the migration source is fetched by the receiving function 19 of the migration source CRL. At this time, the serial number of the certificate to be revoked is extracted from the CRL, and the date and time of revocation and the reason for revocation are registered for the record that matches the serial number of the certificate in the already-registered CA issued information (III in FIG. 7). . In addition to the latest CRL, a CRL that has already been issued may be imported. In such a case, as with the latest CRL, the serial number of the revoked certificate is extracted, and the certificate authority issuance information already registered is extracted. The revocation date and reason for revocation are registered for the record that matches the certificate serial number (IV in FIG. 7).

  Returning to FIG. Next, in step S2, a migration destination CA certificate is issued. This step S2 corresponds to (3) and (4) in FIG. First, the transfer source certificate authority apparatus 2 issues a dummy certificate, which is fetched by the certificate authority certificate transfer issue function 20, and issues the transfer destination certificate authority certificate with the serial number. At this time, a record of the serial number (n + 1) is added to the certificate authority issuance information managed by the certificate authority repository 14 as a record of issuing the transfer destination certificate authority certificate (record (ii) in FIG. 7). .

  Next, in step S3 of FIG. 6, a forward authentication path is generated. This step S3 corresponds to (5), (6), (7), (8) in FIG. First, a transfer application for issuance of a forward mutual authentication certificate is created in the transfer destination certificate authority device 1, and a forward mutual authentication certificate is issued in the certification path generation function (forward) 21 of the transfer source certificate authority device 2. I do. The transfer destination certificate authority apparatus 1 issues a dummy certificate in advance with this serial number in order not to issue a certificate with the same serial number as this forward mutual authentication certificate in the future. As a dummy certificate issuance record, a record of the serial number (n + 2) is added to the certificate authority issuance information managed by the certificate authority repository 14 (record (iii) in FIG. 7). In the added record, the certificate data field overwrites the certificate data of the forward mutual authentication certificate issued by the source certificate authority device 2 (the data of the certificate itself, binary data) ( (* 2) in Figure 7. As a result, the forward mutual authentication certificate issued by the transfer source certificate authority device 2 is held in the transfer destination certificate authority device 1.

  Next, in step S4 of FIG. 6, an authentication path in the reverse direction is generated. This step S4 corresponds to (9) and (10) in FIG. First, an application for issuance of a reverse mutual authentication certificate is created by the migration source certificate authority device 2, and a reverse mutual authentication certificate is issued by the certification path generation function (reverse direction) 22 of the migration destination certificate authority device 1. I do. As this issuance record, a record of serial number (n + 3) is added to the certificate authority issuance information managed by the certificate authority repository 14 (record (iv) in FIG. 7).

After that, in step S5 of FIG. 6, the system of the migration source certificate authority apparatus 2 is promptly discarded so that no certificate or CRL is issued.
In step S6 in FIG. 6, normal operation is resumed. That is, the transfer destination certificate authority apparatus 1 revokes the certificate already issued by the transfer source certificate authority apparatus 2 and issues a CRL, and also issues a new certificate, and resumes normal operation. When a new certificate is issued, records after the serial number (n + 4) are sequentially added to the certificate authority repository 14 ((vi) in FIG. 7).

As described above, the overall processing flow in the first embodiment has been described with reference to FIG. 6, but each step will be described in detail below.
First, FIG. 8 shows a detailed flow of step S1 of FIG.

  In step S80 of FIG. 8, in the transfer destination certificate authority apparatus 1, certificate information and the like of the transfer source certificate authority apparatus 2 are input using a CA (Certificate Authority) initial setting wizard. The CA initial setting wizard is a software tool used when a certificate authority apparatus is newly constructed. In the first embodiment, this tool is used in an expanded form. Examples of this screen are shown in FIGS. 9A to 9C.

  FIG. 9A is an example of a screen for selecting whether to construct a new certificate authority device or to shift the certificate authority device in the CA initial setting wizard. In the first embodiment, “migration” is selected in order to perform the migration operation of the certificate authority device. FIG. 9B is an example of a screen for specifying the certificate information of the migration source certificate authority device 2. It is assumed that data such as a certificate recorded and taken out from the migration source certificate authority device 2 on a storage medium or the like is temporarily copied to a local hard disk or the like of the information processing apparatus constituting the migration destination certificate authority device 1. In FIG. 9B, the location of the migration source CA certificate (c: \ OldCaCert.cer), the thumbprint of the migration source CA certificate, the total number of certificates issued (100,000), and all migration source certificates The folder (c: \ OldCerts) where is stored is specified. FIG. 9C is an example of a screen for designating revocation information of the migration source certificate authority device 2. A folder (c: \ OldCRL) in which the CRL of the migration source certificate authority apparatus 2 is stored and the latest CRL (c: \ LastCrl.crl) issued by the migration source certificate authority apparatus 2 are specified.

As described above, in step S80 of FIG. 8, information related to the certificate of the migration source certificate authority device 2 is input to the migration destination certificate authority device 1 as shown in FIGS. 9A to 9C.
Next, in step S81 of FIG. 8, when the transfer source certificate receiving function 18 reads the transfer source certificate authority certificate as a trust point (trust point) and confirms that it is correct compared with the thumbprint, the certificate authority Register in the repository 14.

  Further, in step S82 in FIG. 8, the transfer source certificate receiving function 18 performs all certificates (EE certificate, end entity) issued by the transfer source certificate authority device 2 to the user who requested the certificate issuance. Certificate). In step S83, it can be confirmed by signature verification that the read certificate has been issued by the migration source CA device 2, and whether the total number of certificates matches the number of certificates issued on the screen. to decide. In step S83, if it cannot be confirmed by signature verification that it has been issued by the migration source certificate authority apparatus 2, or if the total number of certificates does not match the number of issued certificates (error), the process proceeds to step S89. If the asset transfer has failed, the process is terminated. If no error has occurred in step S83, the process proceeds to step S84, and the certificate is registered in the certificate authority repository 14.

Here, registration of the certificate in the certificate authority repository 14 performed in step S81 and step S84 will be described with reference to FIG.
FIG. 10 shows an example of a certificate format. The certificate includes version information (version), serial number (serialNumber), signature algorithm information (signature.algorithmIdentifier), issuing certificate authority name (issureName), validity start date (notBefore) and expiration date (notAfter) Issuer name (subjectName), subject key identifier (subjectKeyIdentifire), and certificate authority key identifier (authorityKeyIdentifire). The transfer source certificate receiving function 18 of the transfer destination certificate authority apparatus 1 reads and analyzes each certificate, and each certificate information is managed by the certificate authority repository 14 as indicated by arrows in FIG. Records are added to the certificate authority issued information. That is, the certificate serial number (serialNumber) is the serial number of the certificate authority issuance information, the certificate issuance authority name (issureName) is the issuer name of the certificate authority issuance information, and the certificate validity period start date and time (notBefore ) For the certificate authority issue information validity period start date and time, the certificate validity period expiration date (notAfter) for the certificate authority issue information validity period expiration date, and the certificate issuer name (subjectName) for the certificate authority issue information The binary data of the certificate itself is registered in the corresponding column as certificate data of certificate authority issue information.

  Returning to the description of FIG. 8, in step S85, the transfer source CRL receiving function 19 reads the CRL of the transfer source certificate authority device 2 from the storage folder. In step S86, it is confirmed by signature verification whether or not the read CRL is issued by the migration source certificate authority apparatus 2. If it is not confirmed in step S86 that the read CRL has been issued by the transfer source certificate authority 2 (error), the process proceeds to step S89, and the process ends as an asset transfer failure. If it is confirmed in step S86 that the read CRL has been issued by the migration source certificate authority apparatus 2, the process proceeds to step S87. In step S87, the revocation list is extracted from the CRL, the serial number of the certificate to be revoked is extracted, and for the record that matches the serial number in the certificate authority issuance information managed in the certificate authority repository 14, the certificate Register revocation date and reason for revocation as revocation information.

Here, with reference to FIG. 10 again, the registration of the revocation information performed in step S87 will be described.
FIG. 10 shows an example of the CRL format. The CRL includes version information (version), signature algorithm information (signature.algorithmIdentifier), issuing certificate authority name (issureName), this CRL issuance date and time (thisUpdate), next CRL issuance date and time (NextUpdate), and the serial number of the certificate to be revoked. Issued including a set of discard date / time pairs (RevokedCertificates), reason for revocation, and CRL optional fields (CRLExtentions). The receiving function 19 of the source CRL reads the CRL, extracts the serial number (userCertificate) of the revoked certificate from the set of revoked certificate serial number and revocation date (RevokedCertificates), and extracts the certificate authority repository The date of revocation of CA (revocationDate) and the reason for revocation (CRLreason) of CRL is registered for the one that matches the serial number registered in the 14 certificate authority issued information.

  Returning to the description of FIG. 8, after step S87, in step S88, for the latest CRL, the number obtained by adding 1 to the serial number is set to the initial value (next CRL of the CRL serial number counter 17 of the transfer destination certification authority 1). As the CRL serial number at the time of issuance). As the CRL serial number, a value stored as cRLNumber in the CRL optional field of the CRL format shown in FIG. 10 is used.

  The processing in step S1 in FIG. 6 has been described in detail, but as can be understood from the above description, steps S81 to S84 in FIG. 8 are processing executed by the migration source certificate receiving function 18, and FIG. Steps S85 to S88 are processes executed by the receiving function 19 of the migration source CRL.

  Next, FIG. 11 shows a detailed flow of the process in step S2 of FIG. The process of issuing the transfer destination certificate authority certificate is a process executed by the certificate authority certificate transfer issue function 20.

  First, in step S111 of FIG. 11, the migration destination certificate authority apparatus 1 uses the CA initial setting wizard to ensure that the “random number seed” value necessary for generating the key pair of the migration destination certificate authority certificate is unique. create. The method that can ensure the uniqueness is, for example, a method of drawing by mouse operation and generating a seed value from the coordinate value of the locus. An example of the screen at this time is shown in FIG. 12A.

  Next, in step S112 of FIG. 11, a key pair (public key and private key) is generated with the “key length” specified by the CA initial setting wizard using the created seed value. FIG. 12B shows a screen example of the CA initial setting wizard for designating the key length at this time. In FIG. 12B, the key length is designated as 4096 bits.

  In step S113 of FIG. 11, the source CA certificate is read from the CA repository 14 and decoded, and the profile is set as the initial value of the destination CA certificate (set in the certificate profile template 16).

  Next, in step S114 of FIG. 11, a dummy certificate is read from the location (c: \ OldDummy.cer) specified by the CA initial setting wizard as shown in the screen example of FIG. 12C. It is confirmed by signature verification that the certificate authority apparatus 2 has issued it. If it is not confirmed in S114 that the dummy certificate has been issued by the migration source CA device 2 (error), the process proceeds to S118, and the process ends as a migration source CA certificate issuance failure. When it is confirmed in S114 that the dummy certificate has been issued by the source certificate authority device 2 (OK), the process proceeds to S115.

  In step S115 of FIG. 11, the serial number of the dummy certificate is set in the certificate serial number counter 15 and is changed as the serial number of the certificate profile template.

  Next, in step S116 of FIG. 11, as shown in the screen example of FIG. 12D, the key pair, validity period, public key algorithm, and signature algorithm input by the CA initial setting wizard are reflected in the certificate profile template. .

  Then, in step S117 of FIG. 11, a migration destination CA certificate is issued based on the information set in the certificate profile template 16. At this time, a corresponding record is added to the certificate authority issuance information managed in the certificate authority repository 14 as a certificate issuance record.

  The processing in step S2 in FIG. 6 has been described in detail above. Next, the processing in step S3 in FIG. 6 will be described in detail. The process of generating the authentication path (forward direction) is a process executed by the authentication path generation function (forward direction) 21.

  FIG. 13 shows a detailed flow of step S3 of FIG. First, in step S131, as shown in the example of the screen in FIG. 14A, the CA initial setting wizard is used to set the forward mutual authentication certificate issuance application form (signature algorithm: sha1withRSAEncryption, application file name: c: \ NewCaCrossCerReq.txt) and create a forward mutual authentication certificate issuance application.

  In step S132 of FIG. 13, the issue application created by the transfer destination certificate authority device 1 is provided to the administrator of the transfer source certificate authority device 2, and issued by the transfer source certificate authority device 2 based on the issue application form. The administrator of the destination certificate authority apparatus 1 receives the forward-direction mutual authentication certificate that has been sent. An example of the forward mutual authentication certificate is shown in FIG. FIG. 15 shows only the data indicating the characteristics of the forward mutual authentication certificate in the general authentication certificate format. The forward mutual authentication certificate issued here is version = V3, serialNmuber = n + 2, signature algorithm = sha1withRSAEncription, issuing certificate authority name (IssuerName) = A1, expiration date = 2009/1/2/0: 00 -2010/1/1/0: 00, Issuer name (SubjectName) = A1, Subject key identifier = A, Certificate Authority key identifier = a. Issuer name (IsuuerName), Issuer name ( A forward mutual authentication certificate with the same subject name (SubjectName) is issued.

  In step S133 in FIG. 13, the administrator specifies the storage location of the forward mutual authentication certificate (c: \ NewCaCrossCertReq.p7c) in the CA initial setting wizard as shown in the screen example in FIG. The station apparatus 1 reads the forward mutual authentication certificate.

  Then, in step S134 of FIG. 13, it is confirmed by signature verification whether the certificate is a forward mutual authentication certificate issued by the migration source certificate authority apparatus 2. If it is determined in step S134 that the forward mutual authentication certificate is not issued by the migration source certificate authority apparatus 2 (error), the process proceeds to step S137, and the process ends as a certification path generation failure. If it is determined in step S134 that the forward mutual authentication certificate has been issued by the migration source certificate authority apparatus 2 (OK), the process proceeds to step S135.

  In step S135 of FIG. 13, the serial number of the forward mutual authentication certificate is extracted, set in the certificate serial number counter 15, and a dummy certificate is issued with this serial number. A record corresponding to the issue is added to the certificate authority issuance information managed by the certificate authority repository 14.

  In step S136 of FIG. 13, the binary data of the forward mutual authentication certificate issued by the source CA device 2 is added to the certificate data field (see FIG. 7) in the record added to the CA repository 14 in step S135. Is overwritten.

  The processing in step S3 in FIG. 6 has been described in detail above. Next, the processing in step S4 in FIG. 6 will be described in detail. The process for generating the authentication path (reverse direction) is a process executed by the authentication path generation function (reverse direction) 22.

  FIG. 16 shows a detailed flow of step S4 of FIG. First, in step S161, an application for issuing a reverse mutual authentication certificate created by the migration source CA device 2 is received from the administrator of the migration source CA device 2. Then, as in the screen example shown in FIG. 17A, the storage location of the issuance application form (c: \ OldCaCrossCertReq.txt) is specified using the CA initial setting wizard, Read the issuance application form.

  Next, in S162 of FIG. 16, as in the example of the screen illustrated in FIG. 17B, the issuance of the reverse mutual authentication certificate is instructed, and the migration destination certificate authority apparatus 1 issues the reverse mutual authentication certificate. At this time, as a certificate issuance record, a corresponding record is added to the certificate authority issuance information managed in the certificate authority repository 14.

  An example of the reverse mutual authentication certificate is shown in FIG. FIG. 18 shows only the data indicating the characteristics of the reverse mutual authentication certificate in the general authentication certificate format. The reverse mutual authentication certificate issued here is version = V3, serialNmuber = n + 3, signature algorithm = sha1withRSAEncription, issuing certificate authority name (IssuerName) = A1, expiration date = 2009/1/3/0: 00 -2019/1/1/0: 00, Issuer name (SubjectName) = A1, Subject key identifier = a, CA key identifier = A, and issuer name (IsuuerName) and issuer name ( The subject name (SubjectName) is the same, and the issuer name and the issuer name of the forward mutual authentication certificate shown in FIG. 15 are also the same. In this way, both certificate authority devices issue a mutual authentication certificate in which the issuer name (IssureName) and issuer name (SubjectName) are the same in the source certificate authority device and the destination certificate authority device, An authentication path is generated in which both certificate authority devices are recognized as the same certificate authority device.

  The processing in step S4 in FIG. 6 has been described in detail above. Finally, step S5 in FIG. 6 will be described. In step S5, a message such as shown in FIG. 19 (“The migration process from the migration source certification authority to the migration destination certification authority is completed. The migration source certification authority is stopped and promptly displayed. Please discard the system. ”) Is displayed. As a result, the administrator discards the migration source certificate authority device 2. In step S6 of FIG. 6, normal operation of the certificate authority system is resumed.

As described above, the first embodiment has been described with reference to the drawings. FIG. 20 illustrates a hardware configuration of the information processing apparatus 200 that realizes the above-described certificate authority apparatus.
The information processing apparatus 200 includes a CPU 201, a memory 202, an input device 203, an output device 204, an external recording device 205, and a medium driving device 206, which are connected via a bus 208.

  The memory 202 includes, for example, a ROM (Read Only Memory), a RAM (Random Access Memory), and the like, and stores programs and data for realizing the certificate authority device.

The CPU 201 uses the memory 202 to configure a certificate authority device by executing a program that realizes the flow shown in FIGS. 6, 8, 11, 13, 16, and the like.
The input device 203 is, for example, a keyboard, a pointing device, a touch panel, etc., and is used for inputting information. The output device 204 is, for example, a display or a printer.

  The external storage device 205 is, for example, a magnetic disk device, an optical disk device, a magneto-optical disk device, or the like. Programs and data are stored in the external storage device 205, and are loaded onto the memory 202 and used as necessary. The external storage device 205 includes the certificate authority repository 14 of the certificate authority device. Further, the portable recording medium 207 in which the data of the certificate authority repository of the migration source certificate authority apparatus 2 is recorded is read by the medium drive device 206 of the migration destination certificate authority apparatus 1 and the data is temporarily stored in the external storage device 205. After that, the certificate authority issuance information is stored after the administrator inputs the settings.

  The medium driving device 206 drives the portable recording medium 207 and accesses the recorded contents. As a portable recording medium 207, any computer-readable recording such as a memory card, memory stick, flexible disk, CR-ROM (Compact Disc Read Only Memory), optical disk, magneto-optical disk, DVD (Digital Versatile Disk), etc. A medium is used.

  In the above, Example 1 was demonstrated in detail. It is rare that a company that operates a certificate authority and independently develops certificate authority device products. Many of them purchase certificate authority device products sold by vendors and operate certificate authorities. . However, as long as it is a product provided by a private company, the same product will be provided 10 to 20 years ahead, and it is not always possible to continue the transition as the same CA device every time a hardware replacement is made. Therefore, by installing the above-described migration function in the certification authority device product that exists at the time of migration, the certification authority device can always be migrated. In the above-described embodiment, the migration source certificate authority apparatus product can be realized by adding a migration function to the migration destination certification authority apparatus product without any modification or disclosure of internal specifications. This can be realized even when the interface of the certificate authority device product is not disclosed. Until now, when replacing a separate CA, the new CA and the old CA must be operated for a long period of time. There is an effect that the burden is reduced in the future.

  As described above, it goes without saying that the present invention is not limited to the description in the above embodiments. In the above example, when a mutual authentication certificate is issued between the migration source CA device and the migration destination CA device, an application was made from the migration destination CA device, but conversely, an application was made from the migration source CA device It doesn't matter. Further, although the configuration of FIG. 7 is shown as the configuration of the certificate authority repository of the transfer destination certificate authority device, any configuration is possible as long as the certificate authority device can perform the above-described operation, and the configuration is limited to this configuration. Not. As described above, various modifications can be made without departing from the spirit of the present invention.

The following additional notes are further disclosed with respect to the embodiment including the above examples.
(Appendix 1)
A method for transferring assets of a transfer source certificate authority device to a transfer destination certificate authority device between certificate authority devices having different certificate management repository configurations,
The migration destination certificate authority apparatus reads and analyzes the certificate authority certificate and end entity certificate issued by the migration source certificate authority apparatus to create certificate authority issuance information, which is further issued by the migration source certificate authority apparatus. Read and parse the latest revoked certificate list, add revocation information to the certificate authority-issued information,
The migration source authentication station apparatus and the migration destination authentication station apparatus, the issuer name and the issuer name is the same certificate, the key of the source authentication station old Ikagi, the target certificate authority the key issues the mutual authentication certificate with the new key,
A certificate authority apparatus migration method characterized by the above.
(Appendix 2)
In order to transfer the assets of the source certificate authority device between certificate authority devices with different certificate management repository configurations, the information processing device constituting the destination certificate authority device is
The certificate authority certificate and end entity certificate issued by the migration source CA device are read and analyzed to create certificate authority issuance information unique to the migration destination CA device, which is issued by the migration source CA device An asset transfer means for reading and analyzing the latest list of revoked certificates and adding revocation information to the certificate authority-issued information;
Issuing a certificate authority certificate of the migration destination certificate authority device with the serial number of the dummy certificate issued by the migration source certificate authority device after the start of the migration work, and a record as an issue record in the certificate authority issue information A destination CA certificate issuing means to be added;
Create a forward cross-certificates issued application, the transition takes in a forward cross-certificates issued under the Certificate Authority, the record corresponding to the forward cross-certificates to the certificate authority issuing information A forward certification path generation means to be added;
Based on the reverse mutual authentication certificate issuance application created by the source certificate authority device , the reverse mutual authentication certificate corresponding to the forward mutual authentication certificate is issued, and in the certificate authority issuance information A reverse authentication path generating means for adding a record as an issuance record;
Certificate authority device migration program to make it function.
(Appendix 3)
The certificate authority issuance information includes a record including a storage column for storing a certificate serial number, a certificate type, a certificate issuer name, a certificate issuer name, a validity period, and certificate binary data. It is configured as a list,
The asset transfer means extracts the certificate serial number, certificate issuer name, certificate issuer name, and validity period from the read CA certificate and all end entity certificates, The certificate authority certificate and all end entity certificates are stored in the storage field of the corresponding certificate authority issuance information record respectively, and the certificate authority data and the certificate binary data of the certificate authority issuance information record are stored in the storage field. The certificate authority device migration program according to appendix 2, wherein the binary data of each of the certificates is stored as it is.
(Appendix 4)
The certificate authority issuance information record further includes a storage field for storing a certificate expiration date and reason for revocation,
The asset transfer means adds a revocation date and a revocation reason for a record in which the serial number of the certificate in the certificate authority issued information matches the serial number of the revoked certificate obtained from the revoked certificate list. The certificate authority device migration program according to supplementary note 3, characterized by:
(Appendix 5)
The forward mutual authentication certificate is a mutual authentication certificate issued from the source certificate authority device to the destination certificate authority device,
The reverse mutual authentication certificate is a mutual authentication certificate issued from the transfer destination certificate authority device to the transfer source certificate authority device,
Further, the forward mutual authentication certificate and the reverse mutual authentication certificate have the same issuer name and issuer name, and the old certificate key is updated from the old key to the new key by the same certificate authority device. The certificate corresponding to the link certificate issued using the old certificate key as the key of the migration source CA device and the new key as the key of the migration destination CA device The certificate authority device migration program according to supplementary note 2, characterized by:
(Appendix 6)
The forward certification path generation means issues a dummy certificate in accordance with taking in the forward mutual authentication certificate, and avoids duplication of the serial number of the certificate in the migration destination CA. The certificate authority device migration program according to any one of Supplementary Note 2 to Supplementary Note 5, which is a feature.
(Appendix 7)
The certificate authority device on the migration destination side when performing asset migration of the source certificate authority device between certificate authority devices with different certificate management repository configurations,
Transfer source certificate receiving means for reading and analyzing a certificate authority certificate and an end entity certificate issued by the transfer source certificate authority apparatus, and generating certificate authority issue information specific to the certificate authority apparatus on the transfer destination side When,
A source of revocation information receiving means for reading and analyzing a list of the latest revoked certificates issued by the source certificate authority apparatus and adding revocation information to the certificate authority issuance information;
Issue the certificate authority certificate of the certificate authority device on the migration destination side with the serial number of the dummy certificate issued by the source certificate authority device after the start of the migration work, and as an issue record in the certificate authority issue information A certificate authority certificate migration issuing means to add records,
Create a forward cross-certificates issued application, the transition takes in a forward cross-certificates issued under the Certificate Authority, the record corresponding to the forward cross-certificates to the certificate authority issuing information A forward certification path generation means to be added;
Based on the reverse mutual authentication certificate issuance application created by the source certificate authority device , the reverse mutual authentication certificate corresponding to the forward mutual authentication certificate is issued, and in the certificate authority issuance information A reverse authentication path generating means for adding a record as an issuance record;
A certificate authority apparatus comprising:
(Appendix 8)
The certificate authority issuance information includes a record including a storage column for storing a certificate serial number, a certificate type, a certificate issuer name, a certificate issuer name, a validity period, and certificate binary data. It is configured as a list,
The means for receiving the migration source certificate includes a certificate serial number, a certificate issuer name, a certificate issuer name, and a validity period from the read CA certificate and all end entity certificates. Each is extracted and stored in the storage field of the corresponding certificate authority issuance information record, and in the storage field for storing certificate binary data of the certificate authority issuance information record, the certificate authority certificate and all The certificate authority device according to appendix 7, wherein the binary data of each end entity certificate is stored as it is.
(Appendix 9)
The certificate authority issuance information record further includes a storage field for storing a certificate expiration date and reason for revocation,
The transfer source revocation information receiving means includes a revocation date and time for a record in which the serial number of the certificate in the CA issued information matches the serial number of the revoked certificate obtained from the revoked certificate list. 9. The certificate authority apparatus according to appendix 8, wherein a reason for revocation is added.
(Appendix 10)
The forward cross-certificates are mutually authenticated certificate issued addressed to the authentication station device of the migration destination side from the migration source authentication station,
The reverse mutual authentication certificate is a mutual authentication certificate issued from the migration-destination- side certificate authority device to the migration-source certificate authority device,
Further, the forward mutual authentication certificate and the reverse mutual authentication certificate have the same issuer name and issuer name, and the old certificate key is updated from the old key to the new key by the same certificate authority device. as issued is linked certificates to the migration source authentication station key the old key, the link certificate corresponding certificates issued the key of the migration destination side authentication station as the new key 8. The certificate authority apparatus according to appendix 7, wherein

DESCRIPTION OF SYMBOLS 1 Transfer destination certificate authority apparatus 2 Transfer source certificate authority apparatus 11 Transfer function 12 Certificate issuing function 13 CRL issuing function 14 Certificate authority repository (certificate management DB)
15 Certificate Serial Number Counter 16 Certificate Profile Template 17 CLR Serial Number Counter 18 Migration Source Certificate Receiving Function 19 Migration Source CRL Receiving Function 20 Certification Authority Certificate Migration Issuing Function 21 Certification Path Generation Function (Forward)
22 Certification path generation function (reverse direction)
51 Thumbprint Verification Function 52 Signature Verification Function 53 Profile Analysis Function 201 CPU
202 Memory 203 Input device 204 Output device 205 External storage device 206 Medium drive device 207 Portable recording medium 208 Bus 211 Certificate issuing function 212 CRL issuing function 213 Certificate serial number counter 214 Certificate profile template 215 CRL serial number counter 216 Thumbnail Verification function 217 Signature verification function 218 Profile analysis function 219 Certificate authority repository

Claims (7)

A method for transferring assets of a transfer source certificate authority device to a transfer destination certificate authority device between certificate authority devices having different certificate management repository configurations,
The migration destination certificate authority apparatus reads and analyzes the certificate authority certificate and end entity certificate issued by the migration source certificate authority apparatus to create certificate authority issuance information, which is further issued by the migration source certificate authority apparatus. Read and parse the latest revoked certificate list, add revocation information to the certificate authority-issued information,
The migration source authentication station apparatus and the migration destination authentication station apparatus, the issuer name and the issuer name is the same certificate, the key of the source authentication station old Ikagi, the target certificate authority the key issues the mutual authentication certificate and the new key,
A certificate authority apparatus migration method characterized by the above. In order to transfer the assets of the source certificate authority device between certificate authority devices with different certificate management repository configurations, the information processing device constituting the destination certificate authority device is
The certificate authority certificate and end entity certificate issued by the migration source CA device are read and analyzed to create certificate authority issuance information unique to the migration destination CA device, which is issued by the migration source CA device An asset transfer means for reading and analyzing the latest list of revoked certificates and adding revocation information to the certificate authority-issued information;
Issuing a certificate authority certificate of the migration destination certificate authority device with the serial number of the dummy certificate issued by the migration source certificate authority device after the start of the migration work, and a record as an issue record in the certificate authority issue information A destination CA certificate issuing means to be added;
Create a forward cross-certificates issued application, the transition takes in a forward cross-certificates issued under the Certificate Authority, the record corresponding to the forward cross-certificates to the certificate authority issuing information A forward certification path generation means to be added;
Based on the reverse mutual authentication certificate issuance application created by the source certificate authority device , the reverse mutual authentication certificate corresponding to the forward mutual authentication certificate is issued, and in the certificate authority issuance information A reverse authentication path generating means for adding a record as an issuance record;
Certificate authority device migration program to make it function. The certificate authority issuance information includes a record including a storage column for storing a certificate serial number, a certificate type, a certificate issuer name, a certificate issuer name, a validity period, and certificate binary data. It is configured as a list,
The asset transfer means extracts the certificate serial number, certificate issuer name, certificate issuer name, and validity period from the read CA certificate and all end entity certificates, The certificate authority certificate and all end entity certificates are stored in the storage field of the corresponding certificate authority issuance information record respectively, and the certificate authority data and the certificate binary data of the certificate authority issuance information record are stored in the storage field. The certificate authority device migration program according to claim 2, wherein the binary data of each of the certificates is stored as it is. The certificate authority issuance information record further includes a storage field for storing a certificate expiration date and reason for revocation,
The asset transfer means adds a revocation date and a revocation reason for a record in which the serial number of the certificate in the certificate authority issued information matches the serial number of the revoked certificate obtained from the revoked certificate list. The certificate authority device migration program according to claim 3, wherein: The forward mutual authentication certificate is a mutual authentication certificate issued from the source certificate authority device to the destination certificate authority device,
The reverse mutual authentication certificate is a mutual authentication certificate issued from the transfer destination certificate authority device to the transfer source certificate authority device,
Further, the forward mutual authentication certificate and the reverse mutual authentication certificate have the same issuer name and issuer name, and the old certificate key is updated from the old key to the new key by the same certificate authority device. The certificate corresponding to the link certificate issued using the old certificate key as the key of the migration source CA device and the new key as the key of the migration destination CA device The certificate authority device migration program according to claim 2, wherein:   The forward certification path generation means issues a dummy certificate in accordance with taking in the forward mutual authentication certificate, and avoids duplication of the serial number of the certificate in the migration destination CA. The certificate authority device migration program according to any one of claims 2 to 5, characterized in that: The certificate authority device on the migration destination side when performing asset migration of the source certificate authority device between certificate authority devices with different certificate management repository configurations,
Transfer source certificate receiving means for reading and analyzing a certificate authority certificate and an end entity certificate issued by the transfer source certificate authority apparatus, and generating certificate authority issue information specific to the certificate authority apparatus on the transfer destination side When,
A source of revocation information receiving means for reading and analyzing a list of the latest revoked certificates issued by the source certificate authority apparatus and adding revocation information to the certificate authority issuance information;
Issue the certificate authority certificate of the certificate authority device on the migration destination side with the serial number of the dummy certificate issued by the source certificate authority device after the start of the migration work, and as an issue record in the certificate authority issue information A certificate authority certificate migration issuing means to add records,
Create a forward cross-certificates issued application, the transition takes in a forward cross-certificates issued under the Certificate Authority, the record corresponding to the forward cross-certificates to the certificate authority issuing information A forward certification path generation means to be added;
Based on the reverse mutual authentication certificate issuance application created by the source certificate authority device , the reverse mutual authentication certificate corresponding to the forward mutual authentication certificate is issued, and in the certificate authority issuance information A reverse authentication path generating means for adding a record as an issuance record;
A certificate authority apparatus comprising: