JPH118619A - Electronic certificate publication method and system therefor - Google Patents

Abstract

PROBLEM TO BE SOLVED: To issue a certificate at a low cost and to enhance the security at the issue. SOLUTION: In the electronic certificate publication method, an authentication station issues an electronic certificate via a network to a person to be authenticated who receives an issued certificate. The authentication station receives a document to be certificated in which a digital signature is made by using a key certificated by an electronic certificate and the name of the document to be certificated on request of issue from a client 20 based on the electronic certificate of a public key having already been issued by an authentication station 10 and on a public key of the person to be authenticated in the electronic certificate to authenticate whether or not the digital signature by the person to be authenticated is valid. When the digital signature is authenticated to be valid, the document is collated with a list containing electronic certrificates to be issued. In the case that the cetrificate requested by the authenticated person is able to be issued, the sent electronic cetrificate is authenticated, and when the authentication of the cetrificate is valid, the electronic cetrificate authenticating the public key of the authenticated person is issued.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an electronic certificate issuance and system performed on an open network using a public key cryptosystem, and more particularly to an electronic certificate issuance method and system capable of issuing a certificate at low cost. It is about technology that is effective to apply.

[0002]

2. Description of the Related Art In recent years, electronic commerce is performed on an open network such as the Internet. However, when electronic commerce is performed using the Internet, the security of data exchange such as personal information becomes a problem. I have.

That is, crimes such as data leakage, tampering, and impersonation of a delivery source can be performed relatively easily.

Conventionally, secure data exchange has been realized by using an encryption method such as a common key encryption method or a public key encryption method.

Here, the common key cryptosystem is a cryptosystem in which the key used for encryption and the key used for decryption are the same, and the encryption / decryption speed is high. It is suitable for

[0006] On the other hand, the public key cryptosystem comprises a pair of a key (private key) that is not shown to others and a corresponding key (public key) that is disclosed to others. The ciphertext created using this method cannot be decrypted without using the other key of the pair, and it is difficult to infer the other key from one key. It is suitable for communicating with an unspecified number of people.

[0007] In addition, by using an electronic certificate (hereinafter, referred to as a certificate) issued by a trusted third party called a certificate authority, the identity of a communication partner is proved, and A method for preventing impersonation has been proposed.

[0008] The procedure by which this certificate authority issues a certificate is as follows.

First, the person to be authenticated sends an issuance request message to the certificate authority, and obtains the certificate of the certificate authority from the certificate authority. The subject who has received the certificate of the certificate authority verifies the certificate. If the certificate has been issued by a higher-level certificate authority, obtaining the certificate of the higher-level certificate authority is repeated. The final decision is made by verifying the certificate of the highest trusted certificate authority. If the verification is successful, the information and the registration form request message are sent to the certificate authority so that the type of certificate for which the application for issuance is known can be understood. Here, the registration form is a form for filling in matters necessary for issuing a certificate.

[0010] Upon receiving this message, the certificate authority determines the type of certificate, attaches a digital signature to a registration form in which items necessary for issuing the certificate are entered, and sends the registration form.

Here, the digital signature is, specifically,
Using a special function called a hash function, a message to be signed is converted into a value called a hash value of a fixed length, and the hash value is encrypted with the message creator's private key. It is to be. Since the hash value is uniquely determined, tampering of the message can be confirmed by checking whether the hash of the received message matches the result of decrypting the received digital signature with the public key.

The subject who has received the registration form with the digital signature confirms the signature. When the signature is confirmed, the subject generates a registration key of the subject, that is, a public key and a secret key. It encrypts personal information, such as an account number, which is the basis for the fact, and sends it to the certificate authority.

The certificate authority decrypts the transmitted message and confirms personal information that is the basis of the identity of the registrant by inquiring the organization relating to the information. For example, when an account number is used as personal information, an inquiry is made to a bank. If the information is correct as a result of the inquiry, a certificate of the public key of the subject is created, and this certificate is sent to the subject.

The above procedure is performed, for example, by using SET (Secure
Electronic Transaction Specification, Draft for t
esting, June 17, 1996, MasterCard, VISA).

[0015]

SUMMARY OF THE INVENTION As a result of studying the above prior art, the present inventor has found the following problems.

A conventional method of confirming the identity of a registrant when issuing a certificate is to send an account number from a subject to a certificate authority, and the certificate authority checks with the bank whether the account number is correct. It is done by that.

This method has a problem in that the cost is increased because the confirmation of the account number is requested to an organization (bank) different from the certificate authority when issuing the certificate.

There is also a problem that personal information that is not directly related to a certificate, though encrypted, passes through an open network.

An object of the present invention is to provide a technology capable of reducing the cost of personal authentication and the cost of issuing a certificate by using a certificate already obtained by the subject as the basis for personal authentication. Is to provide.

Another object of the present invention is to transmit personal information (for example, an account number) having privacy and security problems when a certificate issuance request is made based on a certificate that has already been issued. By doing so,
An object of the present invention is to provide a technology capable of increasing the overall security strength.

The above and other objects and novel features of the present invention will become apparent from the description of the present specification and the accompanying drawings.

[0022]

SUMMARY OF THE INVENTION Among the inventions disclosed in the present application, the outline of a representative one will be briefly described.
It is as follows.

An electronic certificate issuance method in which a certificate authority issues an electronic certificate to a subject who is to be issued a certificate via a network, the electronic certificate of a public key already issued by a certain certificate authority. Certificate and the digital key of the subject in the digital certificate and the certificate name requesting the issuance of the digital certificate are input. Verify whether the digital signature is valid, and if it can be verified, check with the list of certificates that can be issued with the digital certificate, and issue the certificate requested by the subject. If possible, the transmitted electronic certificate is verified, and if verified, an electronic certificate authenticating the public key of the subject is issued.

An electronic certificate issuance system in which a client of a subject who is to be issued an electronic certificate and a server of a certification authority that issues the digital certificate to the subject are connected via a network. Wherein the client of the person to be authenticated, with respect to the electronic certificate of the public key already issued by a certain certificate authority and the public key of the person to be authenticated in the electronic certificate, with the key certified by the electronic certificate. Digital signature, issuance request means for sending to the server of the certificate authority to issue another digital certificate issuance request means, and means for storing the digital certificate transmitted from the certificate authority, the certificate authority Server, issuance certificate list that summarizes other digital certificates that can be issued from each digital certificate, a signature verification unit that verifies whether the digital signature of the subject is valid, The signature verification Means, when the signature is verified to be valid, a certificate matching means for checking the transmitted electronic certificate against the issuable certificate list, and the certificate matching means, When the requested request digital certificate can be issued, the transmission digital certificate is verified by the digital certificate verification means for verifying the transmission digital certificate from the subject and the digital certificate verification means. Means for issuing a request digital certificate that authenticates the public key of the subject.

[0025]

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 is a block diagram showing the configuration of a certificate issuing system according to an embodiment of the present invention. In the present embodiment, a case where a new electronic certificate is obtained based on a credit card that has already been obtained will be described as an example.

The certificate issuing system according to the present embodiment has the configuration shown in FIG.
As shown in FIG. 1, a certificate authority 10 that issues an electronic certificate (hereinafter, abbreviated as a certificate), a client 20 of a person to be authenticated (hereinafter, abbreviated as a cardholder) who requests a certificate,
Internet3, a network for electronic commerce
0.

The above-described certificate authority 10 includes a certificate authority server 110 that performs actual processing and a card holder client 2
0 through the Internet 30 and relays the input to the certificate authority server 110, and the result is sent to the certificate authority server 110.
And a certificate authority Web server 120 that transmits the certificate to the client 20 of the card holder.

The certificate authority server 110 includes a communication device 112 for communicating with the certificate authority web server 120 and a display 113.
, A keyboard 114, a storage device 115 for storing a certificate database, a certificate name database, a signature key and an exchange key of a certificate authority, and a control device 111 for controlling all of them.

The certificate authority Web server 120 stores a communication device 122 for communicating with the certificate authority server 110, a communication device 123 connected to the Internet, a display 124, a keyboard 125, and Web server software. It comprises a storage device 126 and a control device 121 for controlling all of them.

In the client 20 of the card holder, a storage device 211 for storing a certificate database, a signature key of the card holder, a common key, etc., a communication device 212 for connecting to the Internet, a display 213, and a keyboard 21
4 and a control device 210 for controlling all of them.

FIG. 2 is a diagram for explaining the configuration of the certificate authority 10 in detail.

As shown in FIG. 2, in the storage device 115 of the certificate authority server 110 of the certificate authority 10, a certificate database 11540, a certificate name database 11530, a signature key public key PBCPSG (11511), and a signature key private key PVCCPSG ( 1
1512) and its certificate 11513, a signature key 11510 of the certificate authority, and a key exchange key public key PBCPEX (1152).
1), a key exchange key 11520 including a key exchange key private key PVCPEX (11522) and its certificate 11523 are stored.

The certificate database 11540 includes a public key 11543 and an object (owner) 115 of the public key.
42, a database having the certificate 11541 as a record. The certificate name database 11530 uses a certificate name 11532, a certificate name set 11533 that is a condition necessary for issuing the certificate, and uses the certificate. This is a database having the brand 11531 as a record.

The control device 111 is connected to the certificate authority Web server 120 through the communication device 112, and stores the certificate 11541 stored in the certificate database 11540 and the certificate name stored in the certificate name database 11530 as necessary. The set 11533, the signature key public key 11511 of the certificate authority 10 and the signature key private key 11512 are transmitted to the certificate authority web server 120.

Controller 12 of Certificate Authority Web Server 120
1 loads the Web server software 12610 of the certificate authority Web server 120 from the storage device 126 and executes it.

The Web server software 12610 is
A program that performs communication based on http (Hypertext Transport Protocol).

FIG. 3 shows the client 20 of the cardholder.
FIG. 4 is a diagram for explaining in detail.

The storage device 211 of the client of the cardholder 20 stores Web browser software 21110
, Signature key private key 21160, and certificate database 2
1140 and the signature key public key PBCHSG 'of the cardholder 20
(21120) and the signature key private key PVCHSG ′ (2113)
0) and respective common keys # 1 to # 3 (21171 to 2171)
1173) and a signature key public key list 21180 are stored.

The certificate database 21150 is a database having a signature key public key name 21153, a partner (brand name) 21152 that can use the certificate, and a certificate 21151 as records.

Next, an outline of a certificate issuing process in each control device of the certificate issuing system of the present embodiment will be described with reference to FIG. 4, and then details of each step will be described with reference to the respective drawings. .

The card holder requests the certificate authority 10 to issue a certificate through the Web browser software 21110 (step 401).

Upon receiving the certificate issuance request from the cardholder client 20, the certificate authority 10 generates a certificate issuance request response and sends it to the cardholder client 20. At this time, the public key of the certificate authority is sent to the card holder (step 402).

The card holder receives the certificate issuance request response from the certificate authority 10, verifies the certificate of the certificate authority 10, and transmits a registration form request to the certificate authority 10 (step 403).

Upon receiving the registration form request from the cardholder client 20, the certificate authority 10 generates a registration form and sends it to the cardholder client 20 (step 404).

The card holder fills in a registration form and sends a certificate request to the certificate authority 10. At this time, the cardholder sends the cardholder's public key
(Step 405).

The certificate authority 10 verifies the certificate included in the registration form sent from the client 20 of the card holder (step 406).

The certificate authority 10 issues a certificate according to the verification result of step 406 and sends it to the client 20 of the card holder (step 407).

The card holder's client 20 verifies and stores the issued certificate (step 40).
8).

Details of step 402 will be described with reference to FIG.

Step 402 is first performed by the certificate authority server 1
10 generates and signs a response message to the certificate issuance application message (step 501).

The certificate authority 10 has public keys PBCPEX (11521) and PBCP of the key exchange key and the signature key of the certificate authority 10, respectively.
SG (11511) and each certificate CertPBCPEX (1
1523), CertPBCPSG (11513), and step 5
The response message with the signature created in step 01 is sent to the client 20 of the card holder (step 502).

Next, step 403 will be described in detail with reference to FIG.

In step 403, first, the client 20 of the card holder transmits the certificate CertPBCPEX (1152).
3) The validity of CertPBCPSG (11513) was determined by SET (Secu
re Electronic Transaction Specification, Draftfor
testing, June 17, 1996, MasterCard, VISA, BookII,
PartII Certificate Management, Ch.1, Sec.3, Certif
Verification is performed in the same manner as icate Chain Validation (step 601). The verification of the validity is, for example, checking whether or not the certificate has expired.

As a result of the verification, if it is not valid, the process is interrupted, and if it is valid, the process is continued (step 602).

The card holder takes in the registration form selection information through the keyboard 214 (step 60).
3). Here, the registration form selection information is information necessary for a consumer to select a certificate to be issued. For example, a card company name (brand name) that can use the certificate is used.

The client 20 of the card holder sends a registration form request message and a common key (# 1) SymK # 1.
Is created (step 604).

The client 20 of the card holder encrypts the registration form request message with the common key SymK # 1, and also registers the registration form selection information and the common key SymK # 1 with the key exchange key public key PBCPEX (11521) of the certificate authority. (Step 605).

The card holder 20 transmits the message created in Step 605 to the certificate authority 10 (Step 6).
06).

Next, step 404 will be described in detail with reference to FIG.

Step 404 is as follows.
With the key exchange key private key PVCPEX1 (1522) of the certificate authority 10,
The registration form selection information and the common key SymK # 1 are decrypted (step 701). Subsequently, the registration form request is decrypted using the common key SymK # 1 (step 702), and the certificate required for issuing a certificate is obtained from the registration form selection information. The title set is determined, and a registration form is created (step 703). As a method of determining the certificate name set, for example, (1) a search is performed from the certificate name database of the certificate authority using the brand name described in the registration form selection information as a key, and (2) the brand is included in the registration form selection information. Not only the name,
For example, include the required certificate name set.

Then, the certificate authority 10 signs the registration form created in step 703 with the signature key private key PVCPSG (11512) of the certificate authority 10 (step 70).
4) Attach the certificate CertPBCPSG (11513) of the certificate authority 10 to the registration form with signature created in step 704, and transmit the certificate to the client 20 of the card holder (step 705). As described above, based on the certificate name database, by transmitting a list of other certificates that can be issued with the transmission electronic certificate or a certificate set required for issuing the certificate to the client of the card holder, In addition, the time and effort required for issuing a certificate can be reduced.

Next, step 405 will be described in detail with reference to FIG.

In step 405, as shown in FIG. 8, first, the card holder client 20 verifies the validity of the received certificate CertPBCPSG by the same means as SET (step 801).

As a result of the verification, if it is not valid, the process is interrupted. If it is valid, the process is continued (step 802), and the signature key public key PBCHSG '(21120) and the private key PVCHSG' (21160) of the card holder are obtained. To generate the storage device 2
11 (step 803), and fill in the necessary information in the received registration form and use it as a registration item (step 804).

Thereafter, the client 20 of the card owner
Searches for a certificate from the certificate database 21140 according to the received certificate name set and creates a certificate set (step 805).

Here, the certificate set is a group of one or more certificates, for example, a list structure.

The card holder obtains the signature key public key 2 of the card holder from the plurality of certificates constituting the certificate set.
Take out 1120 and list cardholder signature key public key
PBCHSGL (21180) is set (step 806).

Thereafter, the client 20 of the card holder
Are common key SymK # 2 (21172), common key SymK # 3
(21173) is generated and stored in the storage device 211 (step 807), and a certificate request message including the registered items is created (step 808).

The card holder 20 receives the certificate request message and the card holder's signature key public key PBCHSG '(211).
20), a signature is attached to the common key SymK # 2 (21172) with the signature key public key PBCHSG "" of the card owner (step 809). Here, PBCHSG "" is any one public key included in the card holder signature key public key list PBCHSGL (21180). This PBCHSG "" may be selected, for example, by selecting the first public key of PBCHSGL. In this step 809, PBCH
Using an SG allows the use of unauthorized certificates, so it is essential to use PBCHSG "". In addition,
With existing SETs, PBCHSG may be used because identity verification is performed using account numbers and the like. The public key PBCHSG 'to be registered may be the same as PBCHSG "".

The client 20 of the card holder encrypts the result of step 809 with the common key SymK # 3 (21173) (step 810), and then converts the certificate set and the common key SymK # 3 (21173) into Encrypt with the key exchange key public key PBCPEX (11521) of the certificate authority (step 81)
1) The one created in steps 810 and 811 is transmitted to the certificate authority 10 (step 812).

Next, step 406 will be described in detail with reference to FIG.

In step 406, as shown in FIG. 9, the certificate authority 10 first uses the certificate exchange key private key PVCPEX (11522) for the message received from the cardholder client 20. , Certificate set and common key Sy
mK # 3 (21173) is decrypted (step 90)
1).

Thereafter, the certificate authority 10 converts the part encrypted in step 810 shown in FIG. 8 into the common key SymK # 3 (2
1173) (step 902), the signature of the card owner is verified using the card owner's signature key public key PBCHSG "" (step 903). If so, the process is continued (step 904).

Next, step 408 will be described in detail with reference to FIG.

In step 407, as shown in FIG.
First, the certificate authority 10 disassembles the certificate set (step 10).
01), each certificate is verified, and a certificate value is calculated (step 1002).

After that, the certificate authority 10 extracts the name of the certificate to be issued from the certificate request message, and searches the certificate name database 11530 for a certificate name set 11533 necessary for issuing the certificate (step 100).
3) Substitute the certificate value of step 1002 into the certificate name set 11533 of step 1001, and calculate the certificate set value (step 1004). The certificate value here takes the value "t" if the certificate is valid, and "f" otherwise. In addition, a certificate name set includes a plurality of certificate names CN.
1, ... CNn connected by logical operators (∧, ∨, ¬).

For example, (C1∧C2) ∨ (¬C3) is a certificate name set, and the value of the certificate name set is obtained by substituting the value of each certificate into the “certificate name” of the certificate name set. , The result of the logical operation. The following logical rules are used for calculation (logical operation).

A, B, and C represent expressions in which zero or more t and f are combined with ∧, ∨, ¬. The coupling decreases in the order of 順, ∧, ∨.

(1) t ∧t → t (2) t ∧f → f (3) f ∧t → f (4) f ∧f → f (5) t ∨t → t (6) t ∨f → t (7) f ∨t → t (8) f ∨f → f (9) ¬t → f (10) ¬f → t (11) A ∧B ∧C → (A ∧B) ∧C (12) A∨B∨C → (A∨B) ∨C Thereafter, the certificate authority 10 checks other conditions. Here, the "other conditions" are conditions other than the validity of the certificate, and for example, confirm the cardholder himself / herself, such as "I am a member of a friend's association" or "I am 35 years old or older" Is what you do. The certificate authority 10 checks these conditions online or offline. As a result, if the conditions are met, the condition value is set to "t", and if not, the condition value is set to "f" (step 1005). ). This allows
The certificate can be more reliably verified.

Thereafter, the certificate authority 10 executes step 100
4. As a result of step 1005, the certificate set value / condition value is calculated in accordance with the above-described logical rule. If the result is "f", the process is interrupted. If the result is "t", the process is continued. (Step 1006).

If the certificate set value is “t”, the certificate authority 10 issues the requested certificate to the card holder, so that the card holder's signature key public key PBCHS
Certificate signed by the certificate authority 10 for G '(21120)
Create CertPBCHSG '(21140) (step 100)
7) A certificate request response message is created, signed, and encrypted with the common key SymK # 2 (21172) (step 1).
008), the certificate CertPBCHSG '(21140), the encrypted certificate request response message with the signature created in step 1008, and the certificate of the certificate authority 10.
CertPBCPSG (11513) is transmitted to the cardholder 20 (step 1009).

Next, step 409 will be described in detail with reference to FIG.

Step 409 is as shown in FIG.
First, the card holder client 20 checks the validity of the certificate CertPBCPSG (21113) received from the certificate authority,
As described above, verification is performed in the same manner as for SET (step 11).
01).

As a result of the verification, if it is not valid, the process is interrupted, and if it is valid, the process is continued (step 1102).
The common key Sym # 2 (21172) is extracted from the storage device 211, the certificate response message is decrypted with the common key Sym # 2 (21172) (step 1103), and the certificate response message is obtained with the signature key public key PBCPSG (11511) of the certificate authority 10. The signature is verified (step 1104). If the signature is not confirmed, the processing is interrupted. If the signature is confirmed, the processing is continued (step 11).
05).

Then, the client 20 of the card holder
Saves the issued certificate CertPBCHSG '(21140) in the storage device 211 (step 1106).

Therefore, as described above, a digital signature is applied to the certificate of the public key already issued by a certain certificate authority and the public key of the card holder in the certificate using the key already certified by the certificate. The certificate and the name of the certificate requesting issuance are input, and the digital signature of the card holder is verified whether it is valid. If it is verified, the certificate is compared with the certificate name database. If the certificate requested by the cardholder can be issued, verify the transmitted certificate, and if successful, issue a certificate authenticating the cardholder's public key. Allows the use of electronically sendable and reliable previously obtained certificates as the basis for verifying the identity of the cardholder, sending the account number from the cardholder to the certificate authority, But that mouth Since the number is no longer necessary or to check whether correct to the bank, it is possible to issue the certificate at a low cost.

Further, since there is no need to send personal information relating to privacy, it is possible to increase the overall security strength.

Each control device of the certificate issuing system that performs the above-described certificate issuing process may be realized by a computer-executable program, and the program at that time may be a floppy disk, CD / ROM, The storage medium such as a mask ROM is provided to general users. In this case, in addition to these processes, the program may be provided to the user in combination with another program such as a GUI program.

As an alternative means provided by the above-mentioned storage medium, it may be provided through a network such as the Internet for a fee.

As described above, the invention made by the present inventor is:
Although specifically described based on the embodiment, the present invention
It is needless to say that the present invention is not limited to the above-described embodiment, but can be variously modified without departing from the scope of the invention.

[0092]

The effects obtained by the representative ones of the inventions disclosed in the present application will be briefly described as follows.

As a basis for confirming the identity of the cardholder, it is possible to use a previously acquired certificate which can be sent electronically and is reliable, and sends an account number from the cardholder to the certificate authority, Will no longer need to check with the bank to see if the account number is correct, so it is possible to issue certificates at low cost.

Further, since there is no need to send personal information relating to privacy, it is possible to increase the overall security strength.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration of an electronic certificate issuing system according to an embodiment of the present invention.

FIG. 2 is a diagram for explaining a configuration of a certificate authority in detail.

FIG. 3 is a diagram for explaining a client of a card holder in detail.

FIG. 4 is a flowchart for explaining an outline of a certificate issuing process in each control device of the certificate issuing system of the embodiment.

FIG. 5 is a flowchart illustrating a process in which a certificate authority creates a message in response to a certificate request message from a cardholder and transmits the message to the cardholder.

FIG. 6 is a flowchart showing a process in which a card holder receives a certificate request response message from a certificate authority and transmits a registration form request message to the certificate authority.

FIG. 7 is a flowchart illustrating a process in which a certificate authority generates a registration form and transmits the registration form to a cardholder.

FIG. 8 is a flowchart showing a process in which a card holder fills out a registration form and sends a certificate request to a certificate authority.

FIG. 9 is a flowchart illustrating a process in which a certificate authority verifies a card holder's certificate set.

FIG. 10 is a flowchart showing a process in which a certificate authority issues a certificate according to a result of verification and transmits the certificate to a card holder.

FIG. 11 is a flowchart showing a process in which a card holder verifies and saves a certificate issued by a certificate authority.

[Explanation of symbols]

10 Certificate Authority, 20 Client, 30 Internet, 110 Certificate Authority Server, 111 Controller, 11
2 ... communication device, 113 ... display, 114 ... keyboard,
115: storage device, 120: certificate authority Web server, 12
1 ... control device, 122 ... communication device, 123 ... communication device,
124 display, 125 keyboard, 126 storage device, 210 control device, 211 storage device, 212 communication device, 213 display device, 214 keyboard.

 ──────────────────────────────────────────────────続 き Continuing from the front page (72) Yoshiaki Kawaren 2-2-2 Kagahara, Tsuzuki-ku, Yokohama-shi, Kanagawa Prefecture Inside the Business System Development Center, Hitachi, Ltd. (72) Kazuo Matsunaga Totsuka-cho, Totsuka-ku, Yokohama-shi, Kanagawa 5030 Address Hitachi Software Works, Ltd.

Claims (5)

[Claims] 1. An electronic certificate issuance method in which a certificate authority issues an electronic certificate to a subject who is to be issued a certificate via a network, the method comprising the steps of: The digital certificate and the public key of the subject in the digital certificate are digitally signed with a key certified by the digital certificate, and a certificate name requesting issuance is input. Verifies whether the digital signature of the subject is valid, and if it can be verified, compares the digital signature with a list of certificates that can be issued with the digital certificate, and issues a certificate requested by the subject. If the electronic certificate can be issued, the transmitted electronic certificate is verified, and if verified, an electronic certificate authenticating the public key of the subject is issued. Method. 2. The electronic certificate issuing method according to claim 1, wherein the electronic certificate of the public key already issued by the certificate authority and the public key of the subject in the electronic certificate are issued. Confirmation information for identifying a subject who has been registered in a certificate authority in advance together with the requested certificate name is input after being digitally signed with a key certified by the electronic certificate, and the digital signature of the subject is received. Verify whether it is valid, and after verifying that it is valid, verify the verification information of the subject, and verify it with a list of certificates that can be issued with the digital certificate when verification is successful A certificate issuance method. 3. An electronic certificate issuing system in which a client of a subject to be issued an electronic certificate and a server of a certification authority that issues the digital certificate to the subject are connected via a network. The client of the subject is authenticated by a key certified by the digital certificate with respect to the digital certificate of the public key already issued by a certain certification authority and the public key of the subject in the digital certificate. Digital signature, issuance requesting means for transmitting to the server of the certificate authority to issue another electronic certificate, and means for storing the electronic certificate transmitted from the certificate authority, the certificate authority Server, issuance certificate list that summarizes other digital certificates that can be issued from each digital certificate, a signature verification unit that verifies whether the digital signature of the subject is valid, The signature verification hand When the signature can be verified to be valid, the certificate verification means for verifying the transmitted electronic certificate against the issuable certificate list, and the certificate verification means, When the requested electronic certificate can be issued, the electronic certificate verification unit for verifying the transmission electronic certificate from the subject and the electronic certificate verification unit verify the transmission electronic certificate. Means for issuing a request digital certificate authenticating the public key of the subject. 4. The electronic certificate issuing system according to claim 3, wherein the issuance requesting means of the client of the authenticated person transmits confirmation information for identifying the authenticated person registered in a certificate authority in advance to the electronic certificate. An electronic device, comprising: means for transmitting a digital signature with a key certified by a certificate, wherein the server of the certificate authority includes a verification information verification means for verifying verification information of the subject. Certificate issuing system. 5. The electronic certificate issuing system according to claim 3, wherein the server of the certificate authority is configured to issue another electronic certificate that can be issued with a transmission electronic certificate based on the issuable certificate list. An electronic certificate issuing system, comprising: means for transmitting a list of certificates or an electronic certificate required for issuing the request electronic certificate to the client of the subject.