TWI815750B - Automatic domain verification system, certificate issuance method and computer-readable medium - Google Patents

Automatic domain verification system, certificate issuance method and computer-readable medium Download PDF

Info

Publication number
TWI815750B
TWI815750B TW111147628A TW111147628A TWI815750B TW I815750 B TWI815750 B TW I815750B TW 111147628 A TW111147628 A TW 111147628A TW 111147628 A TW111147628 A TW 111147628A TW I815750 B TWI815750 B TW I815750B
Authority
TW
Taiwan
Prior art keywords
verification
domain
certificate
information
domain name
Prior art date
Application number
TW111147628A
Other languages
Chinese (zh)
Other versions
TW202425574A (en
Inventor
楊宗翰
Original Assignee
中華電信股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中華電信股份有限公司 filed Critical 中華電信股份有限公司
Priority to TW111147628A priority Critical patent/TWI815750B/en
Application granted granted Critical
Publication of TWI815750B publication Critical patent/TWI815750B/en
Publication of TW202425574A publication Critical patent/TW202425574A/en

Links

Images

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

An automatic domain verification system, a certificate issuance method and a computer-readable medium are provided, which perform the automatic verification of the ownership or the right of control of the domain name after receiving a certificate application without manual interaction with the contact window of the applicant, so as to avoid information security problems or certificate mis-issue due to human error.

Description

自動網域驗證系統、憑證簽發方法與電腦可讀媒體 Automatic domain verification system, certificate issuance method and computer-readable media

本發明係有關網域驗證技術,且特別係有關一種自動網域驗證系統及其相應之憑證簽發方法與電腦可讀媒體。 The present invention relates to network domain verification technology, and in particular, to an automatic network domain verification system and its corresponding certificate issuance method and computer-readable media.

隨著多元雲端服務之應用日益普及,網路安全持續被各方所重視。當前信賴機制普遍維繫在網路公開金鑰基礎建設(Web Public Key Infrastructure,Web PKI)之架構下。在此架構下,網頁伺服器導入PKI的需求已為常態,其中,網頁伺服器為對外提供服務,需要設定安全通訊協定(Secure Sockets Layer,SSL)/傳輸層安全協議(Transport Layer Security,TLS)憑證於其組態設定中,也因此網頁伺服器需要向合法憑證中心申請SSL憑證。 As the application of multiple cloud services becomes increasingly popular, network security continues to be valued by all parties. Current trust mechanisms are generally maintained under the framework of Web Public Key Infrastructure (Web PKI). Under this architecture, the need for web servers to import PKI has become normal. In order to provide external services, web servers need to set up Secure Sockets Layer (SSL)/Transport Layer Security (TLS). The certificate is in its configuration settings, so the web server needs to apply for an SSL certificate from a legal certificate center.

然而,在憑證核發流程中,可能由於註冊中心的憑證註冊審驗人員或特定網域驗證方法之驗證窗口的人為疏失,而產出誤發憑證。再者,若該誤發憑證被任何人公開揭露,將進一步影響到憑證中心本身的合法性、申請加入各主流瀏覽器根憑證計畫之符合性、以及定期執行之外部稽核結果。 However, during the certificate issuance process, erroneous certificates may be issued due to human error by the certificate registration verification personnel of the registration center or the verification window of the specific domain verification method. Furthermore, if the erroneous certificate is publicly disclosed by anyone, it will further affect the legitimacy of the certificate center itself, the compliance of the application to join the root certificate program of major browsers, and the results of regularly performed external audits.

以現況而言,SSL憑證用戶較常選用的網域驗證方法包括透過電子郵件給網域名稱聯絡人、透過構建的電子郵件給網域名稱聯絡人、網域名稱系統(Domain Name System,DNS)之變更、驗證申請者為網域名稱聯絡人、寄電子郵件給網域名稱系統之憑證簽發機構授權(Certification Authority Authorization,CAA)的網域名稱聯絡人、寄電子郵件給DNS文本(TXT)紀錄的網域名稱聯絡人、對特定網頁內容的約定變更等。然而上述方法皆需人為確認,此時若有人員異動且交接工作不完善,將造成不便。再者,該人員本身進行確認時,有可能發生蓄意或非蓄意操作,而導致該筆紀錄發生非預期之錯誤,因此,容易於憑證簽發工作流程中產出誤發憑證。 At present, the domain verification methods commonly used by SSL certificate users include emailing the domain name contact person, sending the domain name contact person via a constructed email, and Domain Name System (DNS). To change, verify that the applicant is the domain name contact person, send an email to the domain name contact person of the Certification Authority Authorization (CAA) of the domain name system, send an email to the DNS text (TXT) record Domain name contact person, agreed changes to specific web page content, etc. However, the above methods all require manual confirmation. At this time, if there are changes in personnel and the handover is incomplete, it will cause inconvenience. Furthermore, the personnel may perform intentional or unintentional operations when performing the confirmation, which may lead to unexpected errors in the record. Therefore, it is easy to produce erroneous vouchers in the voucher issuance workflow.

為解決上述問題,本發明提供一種自動網域驗證系統,包括:註冊中心模組,用於接收為網頁伺服器所提交之憑證申請檔及身分證明資料;網域驗證模組,用於根據該憑證申請檔及該身分證明資料進行自動網域驗證,其中,該自動網域驗證包括該網頁伺服器之網域名稱註冊資訊、網域名稱系統憑證簽發機構授權紀錄及/或網域名稱系統文本紀錄之驗證;以及憑證中心模組,用於在該自動網域驗證成功後,根據該憑證申請檔簽發用於該網頁伺服器之終端實體憑證。 In order to solve the above problems, the present invention provides an automatic domain verification system, including: a registration center module for receiving the certificate application file and identity certification information submitted for the web server; a domain verification module for Automatic domain verification is performed based on the certificate application file and the identification information. The automatic domain verification includes the domain name registration information of the web server, the domain name system certificate issuing authority record and/or the domain name system text. Record verification; and the certificate center module is used to issue the terminal entity certificate for the web server based on the certificate application file after the automatic domain verification is successful.

本發明另提供一種憑證簽發方法,包括:接收為網頁伺服器所提交之憑證申請檔及身分證明資料;根據該憑證申請檔及該身分證明資料進行自動網域驗證,其中,該自動網域驗證包括該網頁伺服器之網域名稱註冊資訊、網域名稱系統憑證簽發機構授權紀錄及/或網域名稱系統文本紀錄之驗證;以及在 該自動網域驗證成功後,根據該憑證申請檔簽發用於該網頁伺服器之終端實體憑證。 The present invention also provides a certificate issuance method, including: receiving a certificate application file and identity certification information submitted by a web server; performing automatic domain verification based on the certificate application file and the identity certification information, wherein the automatic network domain verification Including the verification of the domain name registration information of the web server, the authorization record of the domain name system certificate issuing authority and/or the domain name system text record; and in After the automatic domain verification is successful, a terminal entity certificate for the web server is issued based on the certificate application file.

本發明又提供一種電腦可讀媒體,應用於電腦、伺服器、或電子裝置中,係儲存有指令,以執行上述之憑證簽發方法。 The present invention also provides a computer-readable medium, which is used in computers, servers, or electronic devices and stores instructions to execute the above-mentioned certificate issuance method.

本發明根據憑證中心(Certificate Authority,CA)與瀏覽器論壇(Browser Forum)最新版本之網域所有權驗證規範,於憑證簽發工作流程中,當收到SSL憑證用戶之憑證申請需求時,進行網域名稱之擁有權或控制權的自動化驗證,以有效避免上述導致資安問題或誤發憑證等之人為風險。 This invention is based on the latest version of the domain ownership verification specifications of the Certificate Authority (CA) and the Browser Forum (Browser Forum). In the certificate issuance workflow, when receiving the certificate application request from the SSL certificate user, the network domain Automated verification of name ownership or control to effectively avoid the above-mentioned human risks that lead to information security issues or mis-issuance of certificates.

1:自動網域驗證系統 1: Automatic domain verification system

11:憑證中心模組 11:Certificate Center Module

12:註冊中心模組 12: Registration center module

13:驗證中心模組 13: Verification center module

14:網域驗證模組 14:Domain verification module

21:SSL憑證用戶 21:SSL certificate user

22:註冊中心審驗人員 22:Registration center verification staff

31:TLS網頁伺服器 31:TLS web server

32:網域名稱伺服器 32:Domain Name Server

33:全球網域名稱查詢系統 33:Global domain name query system

41:憑證中心資料庫 41:Certificate Center Database

42:驗證中心資料庫 42: Verification center database

3:憑證簽發方法 3: Voucher issuance method

S31,S32,S33-a,S33-b,S33-c,S34-a,S34-b,S35-a,S35-b:步驟 S31, S32, S33-a, S33-b, S33-c, S34-a, S34-b, S35-a, S35-b: steps

圖1為本發明一實施例的一種自動網域驗證系統的架構與應用環境示意圖。 Figure 1 is a schematic diagram of the architecture and application environment of an automatic domain verification system according to an embodiment of the present invention.

圖2為本發明一實施例的一種憑證簽發方法的示意流程圖。 Figure 2 is a schematic flow chart of a voucher issuance method according to an embodiment of the present invention.

圖1為本發明一實施例的自動網域驗證系統1的架構與應用環境示意圖。自動網域驗證系統1包括憑證中心模組11、註冊中心模組12、驗證中心模組13和網域驗證模組14。 Figure 1 is a schematic diagram of the architecture and application environment of the automatic domain verification system 1 according to an embodiment of the present invention. The automatic domain verification system 1 includes a certificate center module 11 , a registration center module 12 , a verification center module 13 and a domain verification module 14 .

在一實施例中,憑證中心模組11係與註冊中心模組12和驗證中心模組13通訊連接;註冊中心模組12係與憑證中心模組11、驗證中心模組13及網域驗證模組14通訊連接;驗證中心模組13係與憑證中心模組11、註冊中 心模組12及網域驗證模組14通訊連接;網域驗證模組14係與註冊中心模組12和驗證中心模組13通訊連接。 In one embodiment, the certificate center module 11 is communicatively connected with the registration center module 12 and the verification center module 13; the registration center module 12 is connected with the certificate center module 11, the verification center module 13 and the domain verification module. Group 14 communication connection; Verification Center Module 13 and Credential Center Module 11, registering The network domain verification module 14 is connected to the registration center module 12 and the verification center module 13 through communication.

在一實施例中,憑證中心模組11、註冊中心模組12、驗證中心模組13以及網域驗證模組14可為軟體、韌體或硬體。若上述模組為軟體或韌體,則可包括處理單元、處理器、電腦或伺服器可執行或讀取之程式指令與資料,且可安裝於同一硬體裝置或分布於不同的複數硬體裝置;若上述模組為硬體,則可為包括記憶體及具有資料處理與運算能力之處理單元或處理器的電腦、伺服器、或其他電子裝置。 In an embodiment, the certificate center module 11, the registration center module 12, the verification center module 13 and the domain verification module 14 can be software, firmware or hardware. If the above module is software or firmware, it may include program instructions and data that can be executed or read by a processing unit, processor, computer or server, and may be installed on the same hardware device or distributed on multiple different hardware devices. Device; if the above module is hardware, it can be a computer, server, or other electronic device including memory and a processing unit or processor with data processing and computing capabilities.

自動網域驗證系統係基於網域申請相關資訊之變更實施,以達到網域名稱之擁有權或控制權的自動化驗證之目標。在本實施例中,自動網域驗證系統1所接收的憑證服務申請之憑證格式鎖定於Web PKI背景下之SSL憑證,但不侷限於特定SSL憑證類別,目前的SSL憑證包含組織驗證(Organization Validated,OV)SSL憑證、個人驗證(Individual Validation,IV)SSL憑證、網域驗證(Domain Validation,DV)SSL憑證和延伸驗證(Extended Validation,EV)SSL憑證等類別。 The automatic domain verification system is implemented based on changes in domain application-related information to achieve the goal of automated verification of ownership or control of domain names. In this embodiment, the certificate format of the certificate service application received by the automatic domain verification system 1 is locked to the SSL certificate in the context of Web PKI, but is not limited to a specific SSL certificate category. The current SSL certificate includes Organization Validated , OV) SSL certificate, Personal Validation (Individual Validation, IV) SSL certificate, Domain Validation (DV) SSL certificate and Extended Validation (EV) SSL certificate and other categories.

憑證中心模組11用於自註冊中心模組12接收經註冊中心模組12驗證後之SSL憑證服務申請封包,以於執行該SSL憑證服務申請封包之憑證申請流程後,回傳SSL憑證至註冊中心模組12。憑證中心模組11的主要功能包含憑證申請、憑證廢止、憑證展期、憑證變更等。另外,在憑證服務處理流程中,相關簽章驗證、憑證格式確認和憑證狀態驗證等驗證服務申請封包將提交給驗證中心模組13。 The certificate center module 11 is used to receive the SSL certificate service application packet verified by the registration center module 12 from the registration center module 12, so as to return the SSL certificate to the registration after executing the certificate application process of the SSL certificate service application packet. Center Module 12. The main functions of the voucher center module 11 include voucher application, voucher revocation, voucher extension, voucher change, etc. In addition, during the voucher service processing process, relevant verification service application packets such as signature verification, certificate format confirmation, and certificate status verification will be submitted to the verification center module 13.

於一實施例中,憑證中心模組11可簽發線上憑證狀態協定(Online Certificate Status Protocol,OCSP)回應訊息及憑證廢止清冊(Certificate Revocation List,CRL),用以公告核發正式憑證之狀態資訊。 In one embodiment, the certificate center module 11 can issue an Online Certificate Status Protocol (OCSP) response message and a Certificate Revocation List (CRL) to announce the status information of the issuance of the official certificate.

註冊中心模組12用於接收來自SSL憑證用戶21之SSL憑證服務申請封包,以於執行憑證用戶之身分識別與鑑別驗證程序後,若申請流程成功無誤,將回傳SSL憑證至SSL憑證用戶21。 The registration center module 12 is used to receive the SSL certificate service application packet from the SSL certificate user 21, and after executing the identity recognition and authentication verification process of the certificate user, if the application process is successful, it will return the SSL certificate to the SSL certificate user 21. .

註冊中心模組12的主要功能包含憑證主體身分驗證、憑證服務申請封包格式及內容驗證等。當相關驗證完成後,則會將憑證服務申請封包提交給憑證中心模組11。另外,憑證服務處理流程中的相關簽章驗證、憑證格式確認和憑證狀態驗證等驗證服務申請封包將提交給驗證中心模組13。 The main functions of the registration center module 12 include certificate subject identity verification, certificate service application packet format and content verification, etc. When the relevant verification is completed, the certificate service application packet will be submitted to the certificate center module 11. In addition, the verification service application packets related to signature verification, certificate format confirmation, and certificate status verification in the certificate service processing process will be submitted to the verification center module 13.

於一實施例中,註冊中心模組12執行之憑證主體身分驗證依照不同憑證中心訂定之憑證實務作業基準進行,且會依照憑證保證等級不同而執行不同程度之身分鑑別機制。 In one embodiment, the certificate subject identity verification performed by the registration center module 12 is performed in accordance with the certificate service operating standards set by different certificate centers, and different levels of identity authentication mechanisms are implemented according to different certificate assurance levels.

驗證中心模組13用於接收來自憑證中心模組11、註冊中心模組12和網域驗證模組14之相關簽章驗證、憑證格式確認、和憑證狀態驗證等驗證服務申請封包,以於經判定、執行所請求之驗證服務後,回傳驗證服務處理結果至請求驗證服務之模組。另外,驗證中心模組13亦會驗證及紀錄來自網域驗證模組14之網域驗證結果封包,以完成SSL憑證申請單與網域驗證結果之綁定。 The verification center module 13 is used to receive verification service application packets such as relevant signature verification, certificate format confirmation, and certificate status verification from the certificate center module 11, the registration center module 12, and the domain verification module 14, so as to process After determining and executing the requested verification service, the verification service processing result is returned to the module that requested the verification service. In addition, the verification center module 13 will also verify and record the domain verification result packet from the domain verification module 14 to complete the binding of the SSL certificate application form and the domain verification result.

於一實施例中,依照不同憑證類別,驗證中心模組13將套用不同的憑證格式確認模式。 In one embodiment, according to different certificate types, the verification center module 13 will apply different certificate format confirmation modes.

網域驗證模組14用於接收來自註冊中心模組12之網域驗證服務申請封包,並提供多元網域驗證服務,且符合憑證中心與瀏覽器論壇允許使用之 各種網域所有權驗證方法,例如驗證申請者為網域名稱聯絡人、對特定網頁內容的約定變更、網域名稱系統之變更等網域驗證服務。經判定、執行所請求之網域驗證服務後,網域驗證模組14提交網域驗證服務處理結果至驗證中心模組13。 The domain verification module 14 is used to receive the domain verification service application packet from the registration center module 12, and provides multiple domain verification services, and complies with the requirements allowed by the certificate center and the browser forum. Various domain ownership verification methods, such as verifying that the applicant is the domain name contact person, agreed changes to specific web page content, changes to the domain name system, and other domain verification services. After determining and executing the requested domain verification service, the domain verification module 14 submits the domain verification service processing result to the verification center module 13 .

於一實施例中,網域驗證模組14提供網域名稱之擁有權或控制權的自動化驗證服務,以避免驗證窗口之人為介入,而導致誤發憑證。 In one embodiment, the domain verification module 14 provides an automated verification service of ownership or control of a domain name to avoid manual intervention in the verification window, which may lead to erroneous issuance of certificates.

如圖1所示,自動網域驗證系統1的使用者可包括SSL憑證用戶21及註冊中心審驗人員22。SSL憑證用戶21可為個人或組織;在外部介接自動網域驗證系統1的系統、伺服器與資料庫包括TLS網頁伺服器31、網域名稱伺服器32、全球網域名稱查詢系統33、憑證中心資料庫41及/或驗證中心資料庫42。 As shown in Figure 1, users of the automatic domain verification system 1 may include SSL certificate users 21 and registration center verification personnel 22. The SSL certificate user 21 can be an individual or an organization; the systems, servers and databases externally connected to the automatic domain verification system 1 include a TLS web server 31, a domain name server 32, a global domain name query system 33, Certificate center database 41 and/or verification center database 42.

在一實施例中,SSL憑證用戶21及註冊中心審驗人員22通訊連接註冊中心模組12;憑證中心資料庫41通訊連接憑證中心模組11,驗證中心資料庫42與驗證中心模組13通訊連接;另外,TLS網頁伺服器31、網域名稱伺服器32和全球網域名稱查詢系統33均通訊連接網域驗證模組14。 In one embodiment, the SSL certificate user 21 and the registration center verification personnel 22 are connected to the registration center module 12 through communication; the certificate center database 41 is connected through communication to the certificate center module 11; and the verification center database 42 is connected through communication to the verification center module 13. ; In addition, the TLS web server 31, the domain name server 32 and the global domain name query system 33 are all communicatively connected to the domain verification module 14.

圖2為本發明一實施例的自動網域驗證系統1所執行的憑證簽發方法3的示意流程圖。 FIG. 2 is a schematic flow chart of the certificate issuance method 3 executed by the automatic domain verification system 1 according to an embodiment of the present invention.

首先,SSL憑證用戶21為了要使其TLS網頁伺服器31能對外提供服務,需要設定SSL憑證於TLS網頁伺服器31的組態設定中。 First, in order for the SSL certificate user 21 to enable its TLS web server 31 to provide external services, the SSL certificate user 21 needs to set the SSL certificate in the configuration settings of the TLS web server 31 .

因此,為了獲得SSL憑證,在步驟S31,SSL憑證用戶21使用其手機或電腦等電子裝置連接至自動網域驗證系統1的註冊中心模組12的網頁界面,以請求憑證服務。透過該網頁界面,SSL憑證用戶21同意用戶約定條款後,將憑證申請檔及身分證明資料(例如SSL憑證用戶21的身分證掃描檔等證明文 件)包含在SSL憑證服務申請封包中,再透過安全管道傳送給註冊中心模組12,並指定憑證中心模組11為授權簽發單位。該憑證申請檔係SSL憑證用戶21以自行產製的金鑰(即SSL憑證用戶21的私鑰)簽章產生,且該憑證申請檔包含SSL憑證用戶21的身分資訊與TLS網頁伺服器31的網域名稱。 Therefore, in order to obtain the SSL certificate, in step S31, the SSL certificate user 21 uses electronic devices such as mobile phones or computers to connect to the web interface of the registration center module 12 of the automatic domain verification system 1 to request certificate services. Through the web interface, after the SSL certificate user 21 agrees to the terms agreed by the user, he submits the certificate application file and identity proof information (such as the scanned ID card of the SSL certificate user 21 and other certification documents). file) is included in the SSL certificate service application packet, and then sent to the registration center module 12 through a secure channel, and the certificate center module 11 is designated as the authorized issuing unit. The certificate application file is signed by the SSL certificate user 21 with a self-produced key (that is, the private key of the SSL certificate user 21), and the certificate application file includes the identity information of the SSL certificate user 21 and the TLS web server 31 Domain name.

步驟S32係憑證主體身分識別及鑑別。在本實施例中,「憑證主體」係指SSL憑證用戶21。此步驟依照憑證實務作業基準之規範,進行SSL憑證用戶21之身分識別與鑑別驗證程序,主要包含憑證主體身分驗證、憑證服務申請封包格式及內容驗證等,其中,憑證主體身分驗證係由註冊中心審驗人員22以人工驗證SSL憑證用戶21所提交之憑證申請檔及身分證明資料,而憑證服務申請封包格式及內容驗證則由註冊中心模組12自動執行。此外,註冊中心模組12會根據憑證申請檔產生一個相應的SSL憑證申請單。 Step S32 is the identification and authentication of the certificate subject. In this embodiment, the "certificate subject" refers to the SSL certificate user 21. This step performs the identity recognition and authentication verification process of the SSL certificate user 21 in accordance with the specifications of the certificate service operating standards, which mainly includes certificate subject identity verification, certificate service application packet format and content verification, etc. Among them, the certificate subject identity verification is performed by the registration center The verification personnel 22 manually verify the certificate application file and identity verification information submitted by the SSL certificate user 21, and the verification of the certificate service application packet format and content is automatically performed by the registration center module 12. In addition, the registration center module 12 will generate a corresponding SSL certificate application form based on the certificate application file.

憑證主體身分驗證流程依照申請之SSL憑證種類而異,將分別對應不同的身分認證保證等級。此外,憑證申請流程中包含的簽章驗證、憑證格式確認、和憑證狀態驗證等驗證服務申請封包將由註冊中心模組12提交給驗證中心模組13。當相關身分識別與鑑別驗證程序確認無誤後,註冊中心模組12會產生網域驗證服務申請封包,且將網域驗證服務申請封包以註冊中心模組12的私鑰簽章後提交給網域驗證模組14。 The certificate subject identity verification process varies according to the type of SSL certificate applied for, and will correspond to different identity authentication assurance levels. In addition, the verification service application packets included in the certificate application process, such as signature verification, certificate format confirmation, and certificate status verification, will be submitted by the registration center module 12 to the verification center module 13. When the relevant identity recognition and authentication verification procedures are confirmed to be correct, the registration center module 12 will generate a domain verification service application packet, and submit the domain verification service application packet to the domain after signing it with the private key of the registration center module 12 Verification Module 14.

步驟S33係執行自動化網域驗證。此步驟包含下列三種驗證機制(或稱為三個子步驟):驗證網域名稱註冊資訊S33-a(此機制係驗證及綁定網域代管資訊於全球網域名稱查詢系統33之回傳資訊)、驗證網域名稱系統憑證簽發機構授權紀錄S33-b(此機制係驗證及綁定網域代管資訊於網域名稱系統憑證簽發機構授權紀錄)、以及驗證網域名稱系統TXT紀錄S33-c(此機制係驗證 及綁定網域代管資訊於網域名稱系統TXT紀錄)。以上三種驗證機制可在網域驗證模組14的不同執行緒(thread)下同時執行。若有任何一種驗證機制成功通過,則其他兩種驗證機制可以中止,而不需繼續執行,且流程可進入S34-b之網域驗證成功的情況。若以上三種驗證機制均失敗,則流程進入S34-a之網域驗證失敗的情況。上述三種驗證機制分別說明如下: Step S33 is to perform automated domain verification. This step includes the following three verification mechanisms (or three sub-steps): Verify domain name registration information S33-a (This mechanism is to verify and bind domain hosting information to the return information of the global domain name query system 33 ), verify domain name system certificate issuing authority authorization record S33-b (this mechanism is to verify and bind domain hosting information to domain name system certificate issuing authority authorization record), and verify domain name system TXT record S33- c (This mechanism is for verification And bind the domain hosting information to the domain name system TXT record). The above three verification mechanisms can be executed simultaneously under different execution threads of the domain verification module 14. If any verification mechanism successfully passes, the other two verification mechanisms can be suspended without continuing, and the process can enter the S34-b domain verification success situation. If the above three verification mechanisms fail, the process will enter the S34-a domain verification failure situation. The above three verification mechanisms are explained as follows:

驗證網域名稱註冊資訊S33-a:網域驗證模組14使用註冊中心模組12之公鑰驗章網域驗證服務申請封包,以確認SSL憑證用戶21之身分識別與鑑別驗證程序已由註冊中心模組12處理完成。此時,SSL憑證申請單的狀態將轉換為網域待驗證。接著,網域驗證模組14使用SSL憑證用戶21所提交的TLS網頁伺服器31的網域名稱,向全球網域名稱查詢系統33查詢TLS網頁伺服器31的網域名稱註冊者信箱資訊,網域驗證模組14會比對該網域名稱註冊者信箱資訊與SSL憑證用戶21的身分證明資料中的技術聯絡人信箱資訊是否一致,比對結果將綁定於SSL憑證申請單。此時,網域驗證模組14再分別向網域名稱伺服器32及全球網域名稱查詢系統33查詢TLS網頁伺服器31的網域代管單位資訊。詳言之,全球網域名稱查詢系統33所回傳的網域代管單位資訊即該網域代管單位自身的網域。網域驗證模組14會將該網域輸入網域名稱伺服器32,以查詢該網域所對應的網址,例如網際網路協定位址(IP address)。若能透過網域名稱伺服器32查詢到該網址,表示該網域代管單位資訊為合規網域。另外,網域驗證模組14會檢查該網域代管單位是否為受信任單位。若該網域代管單位被紀錄在自動網域驗證系統1的信賴清單中,則該網域代管單位為受信任單位。若該網域代管單位資訊為合規網域,且該網域代管單位為受信任單位,則網域驗證模組14自動判斷TLS網頁伺服器31的網域之所有權合規,即該網域代管單位 資訊之驗證成功。若前述之TLS網頁伺服器31的網域名稱註冊者信箱資訊與SSL憑證用戶21的技術聯絡人信箱資訊一致,且該網域代管單位資訊之驗證成功,則網域驗證模組14自動判斷驗證機制S33-a已成功通過,而無需再經由網域名稱註冊者信箱所指定之驗證窗口進行手動驗證。網域驗證機制S33-a成功通過後,該筆SSL憑證申請單之狀態將進入已驗證待接受。然後,該筆網域驗證結果相關資訊進一步綁定於SSL憑證申請單,網域驗證模組14以自己的私鑰將SSL憑證申請單(含狀態資訊,且此時之狀態為已驗證待接受)、網域名稱註冊者信箱資訊、網域驗證機制S33-a的驗證結果進一步綁定並簽章後提交給驗證中心模組13。驗證中心模組13經驗章無誤後,將該筆綁定結果寫入驗證中心資料庫42。即使驗證機制S33-a的結果為失敗,網域驗證模組14仍會產生該筆綁定結果,且驗證中心模組13仍會在驗章無誤後將該筆綁定結果寫入驗證中心資料庫42,下文的其他兩種驗證機制S33-b與S33-c失敗時亦同。之後,若該SSL憑證申請單須進行批次重新驗證,則可沿用先前寫入驗證中心資料庫42的該筆綁定結果,且從該筆綁定結果中之SSL憑證申請單的狀態所對應之階段繼續處理,而不必重新開始。 Verify domain name registration information S33-a: The domain verification module 14 uses the public key of the registration center module 12 to verify the domain verification service application packet to confirm that the identity recognition and authentication verification process of the SSL certificate user 21 has been registered The central module 12 processing is completed. At this time, the status of the SSL certificate application form will be converted to domain pending verification. Next, the domain verification module 14 uses the domain name of the TLS web server 31 submitted by the SSL certificate user 21 to query the global domain name query system 33 for the domain name registrant mailbox information of the TLS web server 31. The domain verification module 14 will compare whether the domain name registrant's mailbox information is consistent with the technical contact's mailbox information in the identity certification information of the SSL certificate user 21, and the comparison result will be bound to the SSL certificate application form. At this time, the domain verification module 14 queries the domain name server 32 and the global domain name query system 33 respectively for the domain hosting unit information of the TLS web server 31. Specifically, the domain hosting unit information returned by the global domain name query system 33 is the domain of the domain hosting unit itself. The domain verification module 14 will input the domain into the domain name server 32 to query the URL corresponding to the domain, such as an Internet Protocol address (IP address). If the URL can be queried through the domain name server 32, it means that the domain hosting unit information is a compliant domain. In addition, the domain verification module 14 will check whether the domain hosting organization is a trusted organization. If the domain hosting unit is recorded in the trust list of the automatic domain verification system 1, the domain hosting unit is a trusted unit. If the domain hosting unit information is a compliant domain and the domain hosting unit is a trusted unit, the domain verification module 14 automatically determines that the ownership of the domain of the TLS web server 31 is compliant, that is, the domain hosting unit is a compliant domain. Domain hosting organization Verification of information successful. If the domain name registrant mailbox information of the aforementioned TLS web server 31 is consistent with the technical contact mailbox information of the SSL certificate user 21, and the verification of the domain hosting unit information is successful, the domain verification module 14 automatically determines Verification mechanism S33-a has been successfully passed, eliminating the need for manual verification through the verification window specified by the domain name registrant's mailbox. After the domain verification mechanism S33-a is successfully passed, the status of the SSL certificate application form will enter Verified and Pending Acceptance. Then, the information related to the domain verification result is further bound to the SSL certificate application form. The domain verification module 14 uses its own private key to send the SSL certificate application form (including status information, and the status at this time is verified and pending acceptance. ), the domain name registrant's mailbox information, and the verification results of the domain verification mechanism S33-a are further bound and signed before being submitted to the verification center module 13. After the verification center module 13 experience chapter is correct, the binding result is written into the verification center database 42. Even if the result of the verification mechanism S33-a is failed, the domain verification module 14 will still generate the binding result, and the verification center module 13 will still write the binding result into the verification center data after verifying that the seal is correct. Library 42, the same applies when the other two verification mechanisms S33-b and S33-c below fail. After that, if the SSL certificate application form needs to be re-verified in batches, the binding result previously written into the verification center database 42 can be used, and the status of the SSL certificate application form in the binding result can be used. continue processing without having to start over.

驗證網域名稱系統憑證簽發機構授權紀錄S33-b:網域驗證模組14使用註冊中心模組12之公鑰驗章網域驗證服務申請封包,以確認SSL憑證用戶21之身分識別與鑑別驗證程序已由註冊中心模組12處理完成。此時,SSL憑證申請單的狀態將轉換為網域待驗證。接著,網域驗證模組14使用SSL憑證用戶21所提交的TLS網頁伺服器31的網域名稱,並使用網域資訊搜索工具,查詢TLS網頁伺服器31之網域設定資訊,再從所得之網域設定資訊過濾出憑證簽發機構授權紀錄片段之設定資訊後,找出其中的憑證簽發機構授權聯絡人信箱 資訊,網域驗證模組14會比對該憑證簽發機構授權聯絡人信箱資訊與SSL憑證用戶21的身分證明資料中的技術聯絡人信箱資訊是否一致,比對結果將綁定於SSL憑證申請單。此時,網域驗證模組14再自動判斷TLS網頁伺服器31的網域之所有權是否合規,即TLS網頁伺服器31的網域代管單位資訊之驗證是否成功(其細節如同前述之驗證機制S33-a)。若前述之憑證簽發機構授權聯絡人信箱資訊與SSL憑證用戶21的技術聯絡人信箱資訊一致,且該網域代管單位資訊之驗證成功,則網域驗證模組14自動判斷驗證機制S33-b已成功通過,而無需再經由憑證簽發機構授權聯絡人信箱指定之驗證窗口進行手動驗證。網域驗證機制S33-b成功通過後,該筆SSL憑證申請單之狀態將進入已驗證待接受。然後,該筆網域驗證結果相關資訊進一步綁定於SSL憑證申請單,網域驗證模組14以自己的私鑰將SSL憑證申請單(含狀態資訊,且此時之狀態為已驗證待接受)、憑證簽發機構授權聯絡人信箱資訊、網域驗證機制S33-b的驗證結果進一步綁定並簽章後提交給驗證中心模組13,驗證中心模組13經驗章無誤後,將該筆綁定結果寫入驗證中心資料庫42。 Verify the authorization record of the domain name system certificate issuing authority S33-b: The domain verification module 14 uses the public key of the registration center module 12 to verify the domain verification service application packet to confirm the identity and authentication of the SSL certificate user 21 The procedure has been completed by the registration center module 12. At this time, the status of the SSL certificate application form will be converted to domain pending verification. Next, the domain verification module 14 uses the domain name of the TLS web server 31 submitted by the SSL certificate user 21, and uses the domain information search tool to query the domain setting information of the TLS web server 31, and then obtains the domain name from the TLS web server 31. After filtering out the domain setting information of the documentary segment authorized by the certificate issuing organization, find the authorized contact email of the certificate issuing organization. Information, the domain verification module 14 will compare whether the email address of the authorized contact person of the certificate issuing organization is consistent with the technical contact email information in the identity certificate information of the SSL certificate user 21. The comparison result will be bound to the SSL certificate application form. . At this time, the domain verification module 14 automatically determines whether the ownership of the domain of the TLS web server 31 is compliant, that is, whether the verification of the domain hosting unit information of the TLS web server 31 is successful (the details are the same as the aforementioned verification Mechanism S33-a). If the aforementioned authorized contact mailbox information of the certificate issuing authority is consistent with the technical contact mailbox information of the SSL certificate user 21, and the verification of the domain hosting unit information is successful, the domain verification module 14 automatically determines the verification mechanism S33-b. has been successfully passed, without the need for manual verification through the verification window specified by the email address of the authorized contact person of the certificate issuing authority. After the domain verification mechanism S33-b is successfully passed, the status of the SSL certificate application form will enter Verified and Pending Acceptance. Then, the information related to the domain verification result is further bound to the SSL certificate application form. The domain verification module 14 uses its own private key to send the SSL certificate application form (including status information, and the status at this time is verified and pending acceptance. ), the email address information of the authorized contact person of the certificate issuing agency, and the verification result of the domain verification mechanism S33-b are further bound and signed before being submitted to the verification center module 13. After the experience stamp of the verification center module 13 is correct, the verification result will be bound The determination result is written into the verification center database 42.

驗證網域名稱系統TXT紀錄S33-c:網域驗證模組14使用註冊中心模組12之公鑰驗章網域驗證服務申請封包,以確認SSL憑證用戶21之身分識別與鑑別驗證程序已由註冊中心模組12處理完成。此時,SSL憑證申請單的狀態將轉換為網域待驗證。接著,網域驗證模組14使用SSL憑證用戶21所提交的TLS網頁伺服器31的網域名稱,並使用網域資訊搜索工具,查詢TLS網頁伺服器31之網域設定資訊,以限定搜尋驗證資訊方式過濾後,可從中取得網域名稱系統TXT紀錄片段之設定資訊,然後再找出其中的網域名稱系統TXT紀錄聯絡人信箱資訊,網域驗證模組14會比對該網域名稱系統TXT紀錄聯絡人 信箱資訊與SSL憑證用戶21的身分證明資料中的技術聯絡人信箱資訊是否一致,比對結果將綁定於SSL憑證申請單。此時,網域驗證模組14再自動判斷TLS網頁伺服器31的網域之所有權是否合規,即TLS網頁伺服器31的網域代管單位資訊之驗證是否成功(其細節如同前述之驗證機制S33-a)。若前述之網域名稱系統TXT紀錄聯絡人信箱資訊與SSL憑證用戶21的技術聯絡人信箱資訊一致,且該網域代管單位資訊之驗證成功,則網域驗證模組14自動判斷驗證機制S33-c已成功通過,而無需再經由網域名稱系統TXT紀錄聯絡人信箱指定之驗證窗口進行手動驗證。網域驗證機制S33-c成功通過後,該筆SSL憑證申請單之狀態將進入已驗證待接受。然後,該筆網域驗證結果相關資訊進一步綁定於SSL憑證申請單,網域驗證模組14以自己的私鑰將SSL憑證申請單(含狀態資訊,且此時之狀態為已驗證待接受)、網域名稱系統TXT紀錄聯絡人信箱資訊、網域驗證機制S33-c的驗證結果進一步綁定並簽章後提交給驗證中心模組13,驗證中心模組13經驗章無誤後,將該筆綁定結果寫入驗證中心資料庫42。 Verify the domain name system TXT record S33-c: The domain verification module 14 uses the public key of the registration center module 12 to verify the domain verification service application packet to confirm that the identity identification and authentication verification process of the SSL certificate user 21 has been completed by Registration center module 12 processing is completed. At this time, the status of the SSL certificate application form will be converted to domain pending verification. Next, the domain verification module 14 uses the domain name of the TLS web server 31 submitted by the SSL certificate user 21, and uses the domain information search tool to query the domain setting information of the TLS web server 31 to limit the search verification. After the information is filtered, the setting information of the domain name system TXT documentary segment can be obtained, and then the domain name system TXT record contact mailbox information can be found. The domain verification module 14 will compare it with the domain name system TXT record contact person Whether the mailbox information is consistent with the technical contact person's mailbox information in the identification information of the SSL certificate user 21, the comparison result will be bound to the SSL certificate application form. At this time, the domain verification module 14 automatically determines whether the ownership of the domain of the TLS web server 31 is compliant, that is, whether the verification of the domain hosting unit information of the TLS web server 31 is successful (the details are the same as the aforementioned verification Mechanism S33-a). If the aforementioned domain name system TXT record contact mailbox information is consistent with the technical contact mailbox information of the SSL certificate user 21, and the verification of the domain hosting unit information is successful, the domain verification module 14 automatically determines the verification mechanism S33 -c has been successfully passed, and there is no need to manually verify through the verification window specified by the domain name system TXT record contact mailbox. After the domain verification mechanism S33-c is successfully passed, the status of the SSL certificate application form will enter Verified and Pending Acceptance. Then, the information related to the domain verification result is further bound to the SSL certificate application form. The domain verification module 14 uses its own private key to send the SSL certificate application form (including status information, and the status at this time is verified and pending acceptance. ), the domain name system TXT record contact mailbox information, and the verification results of the domain verification mechanism S33-c are further bound and signed and submitted to the verification center module 13. After the verification center module 13 experience stamp is correct, the The pen binding result is written into the verification center database 42 .

步驟S34由網域驗證模組14執行,分為網域驗證失敗S34-a與網域驗證成功S34-b兩種情況,或兩個子步驟。如情況為網域驗證失敗S34-a,即全球網域名稱查詢系統33回傳資訊驗證(S33-a)、網域名稱系統憑證簽發機構授權紀錄驗證(S33-b)、或網域名稱系統TXT紀錄驗證(S33-c)中的信箱資訊比對結果為不一致,或網域代管單位資訊驗證失敗(即該網域代管單位資訊並非合規網域,或該網域代管單位並非受信任單位),則該筆SSL憑證申請單將依照排程設定時間區段啟動批次重新驗證,若重新驗證失敗次數達到限定數量後仍然失敗,則流程將導至步驟S35-a以起始憑證廢止流程。如情況為網域驗證成功S34- b,即S33-a、S33-b與S33-c這三種網域驗證機制中,至少有一種網域驗證機制成功通過,則流程將導至步驟S35-b以起始憑證接受流程。 Step S34 is executed by the domain verification module 14, and is divided into two situations, namely domain verification failure S34-a and domain verification success S34-b, or two sub-steps. If the situation is domain verification failure S34-a, that is, global domain name query system 33 return information verification (S33-a), domain name system certificate issuing authority authorization record verification (S33-b), or domain name system The mailbox information comparison result in TXT record verification (S33-c) is inconsistent, or the domain hosting unit information verification fails (that is, the domain hosting unit information is not a compliant domain, or the domain hosting unit is not Trusted organization), the SSL certificate application form will start batch re-verification according to the scheduled time period. If the number of failed re-verifications still fails after reaching the limited number, the process will lead to step S35-a to start. Voucher revocation process. If the situation is domain verification successful S34- b, that is, if at least one of the three domain verification mechanisms S33-a, S33-b and S33-c successfully passes, the process will lead to step S35-b to start the certificate acceptance process.

步驟S35分為起始憑證廢止流程S35-a與起始憑證接受流程S35-b兩個子步驟。步驟S35-a係啟用憑證廢止流程,在該憑證廢止流程,驗證中心模組13將通知憑證中心模組11廢止該筆SSL憑證申請單之預簽憑證,且不允許保留該筆SSL憑證申請單之個資資訊。若該筆SSL憑證申請單無預簽憑證,則可省略步驟S35-a。 Step S35 is divided into two sub-steps: the initial voucher revocation process S35-a and the initial voucher acceptance process S35-b. Step S35-a is to enable the certificate revocation process. In this certificate revocation process, the verification center module 13 will notify the certificate center module 11 to revoke the pre-signed certificate of the SSL certificate application form, and is not allowed to retain the SSL certificate application form. personal information. If the SSL certificate application does not have a pre-signed certificate, step S35-a can be omitted.

步驟S35-b係起始憑證接受流程。首先,網域驗證模組14將通知憑證中心模組11,然後,憑證中心模組11根據SSL憑證用戶21在步驟S31提交的憑證申請檔,並使用憑證中心模組11之私鑰,簽發終端實體憑證(即SSL憑證用戶21在步驟S31所申請之SSL憑證),然後將該終端實體憑證回傳給註冊中心模組12。註冊中心模組12收到該終端實體憑證後,將使用憑證中心模組11之公鑰驗證該憑證內的憑證中心模組11的簽章和憑證串鍊。驗證通過後,註冊中心模組12起始憑證接受流程,以供SSL憑證用戶21下載該終端實體憑證且進行最終確認,例如確認該終端實體憑證的種類、格式或該終端實體憑證中的身分資訊均正確無誤,確認無誤後,可結束此次的憑證簽發方法3的流程。憑證簽發結果將由憑證中心模組11存入憑證中心資料庫41。此外,憑證中心模組11可提供線上憑證狀態協定查詢服務,以供SSL憑證用戶21查詢憑證狀態相關資訊。 Step S35-b is the initial voucher acceptance process. First, the domain verification module 14 will notify the certificate center module 11. Then, the certificate center module 11 issues the terminal based on the certificate application file submitted by the SSL certificate user 21 in step S31 and uses the private key of the certificate center module 11. The entity certificate (that is, the SSL certificate applied for by the SSL certificate user 21 in step S31) is then returned to the registration center module 12. After receiving the terminal entity certificate, the registration center module 12 will use the public key of the certificate center module 11 to verify the signature and certificate chain of the certificate center module 11 in the certificate. After passing the verification, the registration center module 12 starts the certificate acceptance process for the SSL certificate user 21 to download the terminal entity certificate and perform final confirmation, such as confirming the type and format of the terminal entity certificate or the identity information in the terminal entity certificate. All are correct. After confirmation, the process of voucher issuance method 3 can be ended. The certificate issuance result will be stored in the certificate center database 41 by the certificate center module 11. In addition, the certificate center module 11 can provide an online certificate status protocol query service for SSL certificate users 21 to query certificate status related information.

本發明另提供一種電腦可讀媒體,例如記憶體、軟碟、硬碟或光碟。該電腦可讀媒體可應用於電腦、伺服器、電子裝置或圖1所示之自動網域驗證系統1中,且儲存有指令,以執行圖2所示之憑證簽發方法3。 The invention also provides a computer-readable medium, such as a memory, a floppy disk, a hard disk or an optical disk. The computer-readable medium can be applied to a computer, a server, an electronic device, or the automatic domain verification system 1 shown in Figure 1, and stores instructions to execute the certificate issuance method 3 shown in Figure 2.

本發明係在接收到憑證申請後,自動進行網域名稱之擁有權或控制權的自動化驗證,而不必與申請方的聯絡窗口進行人工互動,可避免人為疏失而導致資安問題或誤發憑證。此外,本發明無須大幅更動現有之憑證服務申請流程,即可完成上述目的和功效。 This invention automatically performs automated verification of the ownership or control of a network domain name after receiving a certificate application without having to manually interact with the applicant's contact window. This can avoid human errors that may lead to information security issues or mis-issuance of certificates. . In addition, the present invention can achieve the above purposes and effects without significantly changing the existing certificate service application process.

上述實施形態僅例示性說明本發明之原理及其功效,而非用於限制本發明。任何在本技術領域具有通常知識者均可在不違背本發明之精神及範疇下,對上述實施形態進行修飾與改變。因此,本發明之權利保護範圍,應如後述之申請專利範圍所列。 The above embodiments are only illustrative to illustrate the principles and effects of the present invention, but are not intended to limit the present invention. Anyone with ordinary knowledge in this technical field can modify and change the above embodiments without departing from the spirit and scope of the present invention. Therefore, the protection scope of the present invention should be as listed in the patent application scope described below.

3:憑證簽發方法 3: Voucher issuance method

S31,S32,S33-a,S33-b,S33-c,S34-a,S34-b,S35-a,S35-b:步驟 S31, S32, S33-a, S33-b, S33-c, S34-a, S34-b, S35-a, S35-b: steps

Claims (10)

一種自動網域驗證系統,包括: An automated domain verification system that includes: 註冊中心模組,用於接收為網頁伺服器所提交之憑證申請檔及身分證明資料; The registration center module is used to receive certificate application files and identity proof information submitted for the web server; 網域驗證模組,用於根據該憑證申請檔及該身分證明資料進行自動網域驗證,其中,該自動網域驗證包括該網頁伺服器之網域名稱註冊資訊、網域名稱系統憑證簽發機構授權紀錄及/或網域名稱系統文本紀錄之驗證;以及 The domain verification module is used to perform automatic domain verification based on the certificate application file and the identity certification information. The automatic domain verification includes the domain name registration information of the web server and the domain name system certificate issuing authority. Verification of authorization records and/or domain name system text records; and 憑證中心模組,用於在該自動網域驗證成功後,根據該憑證申請檔簽發用於該網頁伺服器之終端實體憑證。 The certificate center module is used to issue a terminal entity certificate for the web server based on the certificate application file after the automatic domain verification is successful. 如請求項1所述之自動網域驗證系統,其中,若該網域名稱註冊資訊、該網域名稱系統憑證簽發機構授權紀錄及/或該網域名稱系統文本紀錄中之至少一者通過驗證,則該網域驗證模組判定該自動網域驗證為成功。 The automatic domain verification system as described in request item 1, wherein if at least one of the domain name registration information, the domain name system certificate issuing authority record and/or the domain name system text record passes verification , then the domain verification module determines that the automatic domain verification is successful. 如請求項1所述之自動網域驗證系統,其中,該網域名稱註冊資訊之驗證包括: The automatic domain verification system as described in request item 1, wherein the verification of the domain name registration information includes: 使用該憑證申請檔所包含之該網頁伺服器的網域名稱,查詢該網頁伺服器之網域名稱註冊者資訊;以及 Use the domain name of the web server included in the certificate application file to query the domain name registrant information of the web server; and 比對該網域名稱註冊者資訊與該身分證明資料中之技術聯絡人資訊以將該網域名稱註冊者資訊與該比對之結果綁定於該終端實體憑證之申請單。 Compare the domain name registrant information with the technical contact information in the identity certification information to bind the domain name registrant information and the result of the comparison to the application form of the terminal entity certificate. 如請求項1所述之自動網域驗證系統,其中,該網域名稱系統憑證簽發機構授權紀錄之驗證包括: The automatic domain verification system as described in request item 1, wherein the verification of the domain name system certificate issuing authority's authorization record includes: 使用該憑證申請檔所包含之該網頁伺服器的網域名稱,查詢該網頁伺服器之網域設定資訊中的憑證簽發機構授權聯絡人資訊;以及 Use the domain name of the web server included in the certificate application file to query the authorized contact information of the certificate issuing authority in the domain setting information of the web server; and 比對該憑證簽發機構授權聯絡人資訊與該身分證明資料中之技術聯絡人資訊以將該憑證簽發機構授權聯絡人資訊與該比對之結果綁定於該終端實體憑證之申請單。 Compare the authorized contact person information of the certificate issuing institution with the technical contact information in the identity certification information to bind the authorized contact person information of the certificate issuing institution and the result of the comparison to the application form of the terminal entity certificate. 如請求項1所述之自動網域驗證系統,其中,該網域名稱系統文本紀錄之驗證包括: The automatic domain verification system as described in request 1, wherein the verification of the domain name system text record includes: 使用該憑證申請檔所包含之該網頁伺服器的網域名稱,查詢該網頁伺服器之網域設定資訊中的網域名稱系統文本紀錄聯絡人資訊;以及 Use the domain name of the web server included in the certificate application file to query the domain name system text record contact information in the domain configuration information of the web server; and 比對該網域名稱系統文本紀錄聯絡人資訊與該身分證明資料中之技術聯絡人資訊以將該網域名稱系統文本紀錄聯絡人資訊與該比對之結果綁定於該終端實體憑證之申請單。 Compare the domain name system textual record contact information with the technical contact information in the identification information to bind the domain name system textual record contact information and the result of the comparison to the application for the terminal entity certificate single. 如請求項1所述之自動網域驗證系統,其中,該自動網域驗證復包括: The automatic domain verification system as described in request item 1, wherein the automatic domain verification includes: 向全球網域名稱查詢系統查詢該網頁伺服器之網域代管單位的資訊; Query the global domain name query system for information about the domain hosting unit of the web server; 判斷該資訊是否為合規網域;以及 Determine whether the information is a compliant domain; and 判斷該網域代管單位是否為受信任單位。 Determine whether the domain hosting organization is a trusted organization. 如請求項1所述之自動網域驗證系統,其中,該網域驗證模組復用於將該終端實體憑證之申請單、通過該自動網域驗證之技術聯絡人資訊、以及該自動網域驗證之結果綁定後,用私鑰簽章以產生一綁定結果,且該自動網域驗證系統復包括: The automatic domain verification system as described in request item 1, wherein the domain verification module is reused to combine the application form of the terminal entity certificate, the technical contact information that has passed the automatic domain verification, and the automatic domain After the verification result is bound, it is signed with the private key to generate a binding result, and the automatic domain verification system includes: 驗證中心模組,用於對該綁定結果驗章,且於驗章無誤後,將該綁定結果寫入資料庫。 The verification center module is used to verify the binding result, and after the seal verification is correct, write the binding result into the database. 如請求項7所述之自動網域驗證系統,其中,該網域驗證模組復用於在該網域名稱註冊資訊、該網域名稱系統憑證簽發機構授權紀錄、或該網域名稱系統文本紀錄之驗證失敗時,依照排程設定時間區段,以根據該資料庫中之該綁定結果中的該申請單之狀態資訊,進行該自動網域驗證之重新驗證。 The automatic domain verification system as described in request item 7, wherein the domain verification module is reused in the domain name registration information, the domain name system certificate issuing authority authorization record, or the domain name system text When the recorded verification fails, the time period is set according to the schedule to perform re-verification of the automatic domain verification based on the status information of the application form in the binding result in the database. 一種憑證簽發方法,包括: A method of issuing certificates, including: 接收為網頁伺服器所提交之憑證申請檔及身分證明資料; Receive certificate application files and identity proof information submitted for the web server; 根據該憑證申請檔及該身分證明資料進行自動網域驗證,其中,該自動網域驗證包括該網頁伺服器之網域名稱註冊資訊、網域名稱系統憑證簽發機構授權紀錄及/或網域名稱系統文本紀錄之驗證;以及 Automatic domain verification is performed based on the certificate application file and the identity certificate information. The automatic domain verification includes the domain name registration information of the web server, the domain name system certificate issuing agency authorization record and/or the domain name. Verification of system text records; and 在該自動網域驗證成功後,根據該憑證申請檔簽發用於該網頁伺服器之終端實體憑證。 After the automatic domain verification is successful, a terminal entity certificate for the web server is issued based on the certificate application file. 一種電腦可讀媒體,應用於電腦、伺服器、或電子裝置中,係儲存有指令,以執行如請求項9所述之憑證簽發方法。 A computer-readable medium, used in computers, servers, or electronic devices, stores instructions to execute the certificate issuance method described in claim 9.
TW111147628A 2022-12-12 2022-12-12 Automatic domain verification system, certificate issuance method and computer-readable medium TWI815750B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW111147628A TWI815750B (en) 2022-12-12 2022-12-12 Automatic domain verification system, certificate issuance method and computer-readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW111147628A TWI815750B (en) 2022-12-12 2022-12-12 Automatic domain verification system, certificate issuance method and computer-readable medium

Publications (2)

Publication Number Publication Date
TWI815750B true TWI815750B (en) 2023-09-11
TW202425574A TW202425574A (en) 2024-06-16

Family

ID=88966204

Family Applications (1)

Application Number Title Priority Date Filing Date
TW111147628A TWI815750B (en) 2022-12-12 2022-12-12 Automatic domain verification system, certificate issuance method and computer-readable medium

Country Status (1)

Country Link
TW (1) TWI815750B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1471673A (en) * 2000-11-01 2004-01-28 ˹������ķ˹��COM��˾ Domain Name acquisition and management system and method
US7562212B2 (en) * 2001-10-12 2009-07-14 Geotrust, Inc. Methods and systems for automated authentication, processing and issuance of digital certificates
TWI786981B (en) * 2021-12-07 2022-12-11 中華電信股份有限公司 System and mehtod of precertificate management and computer readable medium thererof

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1471673A (en) * 2000-11-01 2004-01-28 ˹������ķ˹��COM��˾ Domain Name acquisition and management system and method
US7562212B2 (en) * 2001-10-12 2009-07-14 Geotrust, Inc. Methods and systems for automated authentication, processing and issuance of digital certificates
TWI786981B (en) * 2021-12-07 2022-12-11 中華電信股份有限公司 System and mehtod of precertificate management and computer readable medium thererof

Also Published As

Publication number Publication date
TW202425574A (en) 2024-06-16

Similar Documents

Publication Publication Date Title
WO2020143470A1 (en) Method for issuing digital certificate, digital certificate issuing center, and medium
JP5147713B2 (en) Collaborative non-repudiation message exchange in a network environment
EP3966997B1 (en) Methods and devices for public key management using a blockchain
CN111316267B (en) Authentication using delegated identity
US8683196B2 (en) Token renewal
US8893242B2 (en) System and method for pool-based identity generation and use for service access
JP2010531516A (en) Device provisioning and domain join emulation over insecure networks
US10404477B1 (en) Synchronization of personal digital certificates
US11362844B1 (en) Security device and methods for end-to-end verifiable elections
WO2009138028A1 (en) User generated content registering method, apparatus and system
TWI786981B (en) System and mehtod of precertificate management and computer readable medium thererof
CN117390693A (en) Platform and method for mutual recognition of electronic signatures
US9027107B2 (en) Information processing system, control method thereof, and storage medium thereof
JP2009003501A (en) Onetime password authentication system
TWI815750B (en) Automatic domain verification system, certificate issuance method and computer-readable medium
JP2024535330A (en) Secure signature method, device and system
TWI698113B (en) Identification method and systerm of electronic device
US12086110B1 (en) Systems and methods for data input, collection, and verification using distributed ledger technologies
TWI841232B (en) Automatic certificate application system, method and computer readable medium thereof
JP4882255B2 (en) Attribute certificate management apparatus and method
JP5054552B2 (en) Secondary content right management method and system, program, and computer-readable recording medium
US11477038B2 (en) Certificate transfer system and certificate transfer method
TW202433901A (en) Automatic certificate application system, method and computer readable medium thereof
TWI781071B (en) Method of verifying securities orders
TWI769028B (en) Method of verifying securities orders