
CN119814321A - Certificate acquisition system and certificate acquisition method - Google Patents


Info

Publication number: CN119814321A
Authority: CN (China)
Prior art keywords: certificate, registration, encryption, signature, private key
Legal status: Pending
Application number: CN202411874960.0A
Other languages: Chinese (zh)
Inventors: 侯雨桐, 孟媛媛, 刘春娜, 张宇驰, 李晓, 何腾翔
Current assignee: Aisino Corp
Original assignee: Aisino Corp

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiments of the present application provide a certificate acquisition system and a certificate acquisition method. The certificate acquisition system comprises a user end, a registration end and a certificate issuing end. The user end generates a certificate registration request and sends it to the registration end; the registration end parses the certificate registration request, obtains the certificate registration parameters, and sends the certificate registration parameters and a certificate making request to the certificate issuing end; the certificate issuing end generates a signature certificate and an encryption certificate according to the certificate registration parameters and the certificate making request and sends them to the registration end, which forwards them to the user end, so that the user end imports the signature certificate and the encryption certificate. The certificate acquisition system provided by the embodiments of the present application enables a user to obtain a signature certificate and an encryption certificate and improves the user's experience of acquiring certificates.

Description

Certificate acquisition system and certificate acquisition method
Technical Field
The embodiment of the application relates to the technical field of information security, in particular to a certificate acquisition system and a certificate acquisition method.
Background
With the development of artificial intelligence, big data, cloud computing and other technologies, digital certificates are widely applied to various electronic transaction, data encryption and identity authentication systems, reliable identity authentication means are provided for users and systems, and management of the digital certificates is an important link for ensuring network communication security.
Currently, the acquisition and storage of digital certificates is typically implemented by public key infrastructure (Public Key Infrastructure, PKI).
However, in the prior art, acquiring and storing a digital certificate generally involves multiple interactions among PKI systems, so the efficiency of certificate acquisition is low, users are required to operate in multiple systems, and the user's experience of acquiring certificates is poor.
Disclosure of Invention
In view of the above, an embodiment of the present application provides a certificate acquisition system and a certificate acquisition method to at least partially solve the above-mentioned problems.
According to a first aspect of the embodiments of the application, a certificate acquisition system is provided, which comprises a user side, a registration side and a certificate issuing side. The user side is used for generating a certificate registration request and sending it to the registration side; the registration side is used for parsing the certificate registration request to obtain a certificate registration parameter and sending the certificate registration parameter and a certificate making request to the certificate issuing side; the certificate issuing side is used for generating a signature certificate and an encryption certificate according to the certificate registration parameter and the certificate making request and sending them to the registration side; and the registration side is used for sending the signature certificate and the encryption certificate to the user side so that the user side can import them.
In one possible implementation manner, the user side is configured to obtain the certificate registration information input by the user from the registration side, and generate the certificate registration request according to the certificate registration information.
In one possible implementation manner, the system further comprises a key end, and the certificate issuing end is further used for verifying the certificate making request; if the certificate making request passes verification, the key end is called to generate a public-private key pair, and the certificate issuing end generates the signature certificate and the encryption certificate according to the public-private key pair and the certificate registration parameter.
In one possible implementation manner, the system further comprises a hardware security module and the key end is used for calling the hardware security module to generate the public and private key pair.
In one possible implementation manner, the key end is configured to obtain a symmetric key generated by the hardware security module, and encrypt a private key in the public-private key pair by using the symmetric key.
In one possible implementation manner, the key end is configured to obtain a temporary public key in the certificate registration parameter, and encrypt the symmetric key with the temporary public key.
In one possible implementation manner, the registration end is configured to receive the signature certificate, the encryption certificate and the encrypted private key sent by the certificate issuing end, verify the signature certificate, the encryption certificate and the encrypted private key, and if the verification is passed, send the signature certificate, the encryption certificate and the encrypted private key to the user end.
In one possible implementation manner, the client is configured to receive the signature certificate, the encryption certificate and the encrypted private key, decrypt the encrypted symmetric key through a temporary private key, decrypt the private key according to the symmetric key, and store the signature certificate, the encryption certificate and the decrypted private key, where the temporary public key and the temporary private key are generated when the client generates a certificate registration request.
In one possible implementation, the user side, the registration side, and the certificate authority communicate through HTTPS.
According to a second aspect of the embodiments of the application, a certificate acquisition method is provided, which comprises the steps of: generating a certificate registration request; parsing the certificate registration request to obtain a certificate registration parameter; generating a signature certificate and an encryption certificate according to the certificate registration parameter and a certificate making request; and importing and storing the signature certificate and the encryption certificate.
The certificate acquisition system comprises a user side, a registration side and a certificate issuing side. The user side can generate a certificate registration request and send it to the registration side; the registration side can parse the certificate registration request to obtain a certificate registration parameter and send the certificate registration parameter and a certificate making request to the certificate issuing side; the certificate issuing side can generate a signature certificate and an encryption certificate according to the certificate registration parameter and the certificate making request and send them to the registration side; and the registration side sends the signature certificate and the encryption certificate to the user side, so that the user side can import them. In this way the acquisition and storage of the signature certificate and the encryption certificate are realized.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the embodiments of the present application, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a schematic diagram of a certificate acquisition system provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of another certificate acquisition system provided in an embodiment of the present application;
FIG. 3 is a schematic diagram of yet another certificate acquisition system provided by an embodiment of the present application;
Fig. 4 is a flowchart of a certificate acquisition method according to an embodiment of the present application.
Detailed Description
In order to better understand the technical solutions in the embodiments of the present application, the following description will clearly and completely describe the technical solutions in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which are derived by a person skilled in the art based on the embodiments of the present application, shall fall within the scope of protection of the embodiments of the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the application. The term "if" as used herein may be interpreted as "when", "upon" or "in response to a determination", depending on the context.
As mentioned above, with the development of artificial intelligence, big data, cloud computing and other technologies, digital certificates are widely applied to various electronic transaction, data encryption and identity authentication systems, so as to provide reliable identity authentication means for users and systems, and management of digital certificates is an important link for ensuring network communication security. Currently, the acquisition and storage of digital certificates is typically implemented by PKI. However, in the process of acquiring and storing digital certificates, multiple interactions between PKI systems are generally involved in the prior art, so that the efficiency of acquiring the certificates is low, users are required to operate in multiple systems, and the experience of acquiring the certificates of the users is poor.
The embodiment of the application provides a certificate acquisition system which comprises a user side, a registration side and a certificate issuing side. The user side can generate a certificate registration request and send it to the registration side; the registration side can parse the certificate registration request to obtain certificate registration parameters and send the certificate registration parameters and a certificate making request to the certificate issuing side; the certificate issuing side can generate a signature certificate and an encryption certificate according to the certificate registration parameters and the certificate making request and send them to the registration side; and the registration side sends the signature certificate and the encryption certificate to the user side, so that the user side can import them, whereby the acquisition and storage of the signature certificate and the encryption certificate are realized.
The certificate acquisition system provided by the application is described below by way of examples.
Fig. 1 is a schematic diagram of a certificate acquisition system according to an embodiment of the present application, and as shown in fig. 1, the certificate acquisition system 100 includes a user terminal 101, a registration terminal 102, and a certificate issuing terminal 103.
The client 101 may generate a certificate registration request and send the certificate registration request to the registrar 102.
The client 101 may generate a certificate registration request, for example a PKCS #10 (Public-Key Cryptography Standards #10, P10) certificate request. Specifically, the certificate registration parameters in the certificate registration request include the certificate registration information and a temporary public key generated according to the certificate registration information, and the client 101 sends the generated certificate registration request to the registrar 102. In an example, the client 101 may be a USB key (UKey) and the registrar 102 may be a registration authority (RA) system; the UKey generates a P10 certificate request internally and sends it to the RA system.
The registration end 102 may parse the certificate registration request to obtain the certificate registration parameter, and send the certificate registration parameter and the certificate request to the certificate issuing end 103.
The registration end 102 may receive the certificate registration request sent by the user end 101 and verify it, for example by checking whether the encoding of the certificate request conforms to the specified format, whether the certificate request is complete, and whether the certificate request is genuine and valid. If the verification is passed, the registration end 102 parses the received certificate registration request to obtain the certificate registration parameter it contains, generates a certificate making request according to the certificate registration parameter, and sends the certificate registration parameter and the certificate making request to the certificate issuing end 103. In an example, the certificate issuing end 103 may be a certificate authority (CA) system: the RA system receives the P10 certificate request sent by the UKey, verifies it, and if the verification is passed, parses the P10 certificate request to obtain the certificate registration parameter, generates the certificate making request according to that parameter, and sends it to the CA system.
The certificate issuing end 103 may generate a signature certificate and an encryption certificate according to the certificate registration parameter and the certificate making request, and send the signature certificate and the encryption certificate to the registering end 102, where the registering end 102 sends the signature certificate and the encryption certificate to the user end 101, so that the user end 101 imports the signature certificate and the encryption certificate.
The certificate issuing end 103 may receive the certificate registration parameter and the certificate making request sent by the registration end 102, generate a signature certificate and an encryption certificate according to them, and send the signature certificate and the encryption certificate to the registration end 102. The registration end 102 may receive the signature certificate and the encryption certificate sent by the certificate issuing end 103 and send them to the user end, so that the user end imports them. In an example, the CA system receives the certificate registration parameter and the certificate making request sent by the RA system, generates the signature certificate and the encryption certificate, and sends them to the RA system, and the RA system sends the received signature certificate and encryption certificate to the UKey, so that the UKey imports them.
In the embodiment of the application, the certificate acquisition system 100 comprises a user terminal 101, a registration terminal 102 and a certificate issuing terminal 103. The user terminal 101 can generate a certificate registration request and send it to the registration terminal 102; the registration terminal 102 can parse the certificate registration request to obtain a certificate registration parameter and send the certificate registration parameter and a certificate making request to the certificate issuing terminal 103; the certificate issuing terminal 103 can generate a signature certificate and an encryption certificate according to the certificate registration parameter and the certificate making request and send them to the registration terminal 102; and the registration terminal 102 sends the signature certificate and the encryption certificate to the user terminal 101, so that the user terminal 101 can import the signature certificate and the encryption certificate, thereby acquiring and storing them.
In a possible implementation manner, the user terminal 101 may further obtain certificate registration information input by the user from the registration terminal 102, and generate a certificate registration request according to the certificate registration information.
The user logs in to the system of the registration terminal 102 through a computing device, which may be a computer, a smart phone or the like, and activates the user terminal 101. The user terminal 101 can acquire the certificate registration information input by the user on the interface of the registration terminal 102 system, which includes the certificate subject, the certificate template, the certificate validity period and the like; the user terminal 101 generates a certificate registration request according to this certificate registration information, and also creates a new certificate container for storing the certificate generated according to the certificate registration request.
In an example, a user opens the login interface of the RA system on a notebook computer and inputs an account number and password; in response to a successful login, the RA system prompts the user to insert a UKey. After the user inserts the UKey into the notebook computer, the user selects the UKey on the interface of the RA system and inputs the UKey password for identity verification; if the identity verification is passed, the functions of the UKey can be accessed. The user chooses to create a new certificate container and fills in the certificate registration information on the interface of the RA system, and the RA system generates a P10 certificate request in the UKey according to the certificate registration information the user input on the RA system interface.
In the embodiment of the application, the user terminal 101 acquires the certificate registration information input by the user from the registration terminal 102, generates the certificate registration request according to the certificate registration information, and the certificate registration request can be used for acquiring the signature certificate and the encryption certificate.
Fig. 2 is a schematic diagram of another certificate acquisition system provided in an embodiment of the present application, as shown in fig. 2, the certificate acquisition system 100 further includes a key end 104, a certificate issuing end 103 may further verify a certificate making request, if the certificate making request passes the verification, the key end 104 is called to generate a public-private key pair, and the certificate issuing end 103 generates a signature certificate and an encryption certificate according to the public-private key pair and a certificate registration parameter.
The certificate issuing end 103 receives the certificate registration parameter and the certificate making request sent by the registration end 102 and verifies the received certificate making request, for example by checking whether the certificate making request complies with industry and legal regulations and whether the information in it is genuine and valid. If the certificate making request passes verification, the certificate issuing end 103 sends a request for generating a public-private key pair, together with the temporary public key from the certificate registration parameter, to the key end 104; the request for generating the public-private key pair carries the temporary public key information from the certificate registration parameter. The key end 104 generates the public-private key pair according to that request and returns it to the certificate issuing end 103, and the certificate issuing end 103 generates the signature certificate and the encryption certificate according to the public-private key pair returned by the key end 104 and the certificate registration parameter sent by the registration end 102.
In an example, the key end 104 may be a key management (KM) system. The CA system receives the certificate registration parameter and the certificate making request sent by the RA system, verifies the certificate making request, and if the verification passes, invokes the KM system to generate a public-private key pair; the CA system then generates a signature certificate and an encryption certificate according to the public-private key pair and the certificate registration parameter.
In the embodiment of the present application, the certificate acquisition system 100 further includes a key end 104, the certificate issuing end 103 verifies the certificate making request, if the certificate making request passes the verification, the key end 104 is called to generate a public-private key pair, the certificate issuing end 103 generates a signature certificate and an encryption certificate according to the public-private key pair and the certificate registration parameter, so that the generation of the signature certificate and the encryption certificate is realized, the validity and the legality of the generated signature certificate and encryption certificate can be ensured by verifying the certificate making request by the certificate issuing end 103, and the security of the generated signature certificate and encryption certificate can be ensured by calling the key end 104 to generate the public-private key pair.
Fig. 3 is a schematic diagram of another certificate acquisition system according to an embodiment of the present application, where, as shown in fig. 3, the certificate acquisition system 100 further includes a hardware security module 105, and the key end 104 may also call the hardware security module 105 to generate a public-private key pair.
The key end 104 receives a request for generating a public-private key pair sent by the certificate issuing end 103, analyzes the request for generating the public-private key pair, obtains temporary public key information, sends the temporary public key information to the hardware security module 105, and the hardware security module 105 generates a corresponding public-private key pair according to the temporary public key information and sends the corresponding public-private key pair to the key end 104.
In the embodiment of the present application, the certificate acquisition system 100 further includes a hardware security module 105, and the key end 104 invokes the hardware security module 105 to generate a public-private key pair, so that security of the generated signature certificate and encryption certificate can be ensured, and the processing speed of the system can be improved by using the hardware security module to generate the public-private key pair, thereby improving the efficiency of certificate acquisition.
In one possible implementation, the key side 104 may also obtain a symmetric key generated by the hardware security module 105, and encrypt the private key in the public-private key pair with the symmetric key.
After the key end 104 invokes the hardware security module 105 to generate a corresponding public-private key pair, a symmetric key may be obtained from the hardware security module 105, and the private key in the public-private key pair is encrypted by using the symmetric key, and in an example, the KM system obtains a symmetric key generated by the cryptographic engine, and encrypts the private key in the public-private key pair by using the symmetric key.
In the embodiment of the application, the key end 104 acquires the symmetric key generated by the hardware security module 105, and encrypts the private key in the public-private key pair through the symmetric key, so that the security of the private key in the transmission process can be ensured, and the security of the generated signature certificate and the generated encryption certificate is ensured.
In one possible implementation, the key end 104 may also obtain the temporary public key in the certificate registration parameter and encrypt the symmetric key with the temporary public key.
The key end 104 receives the temporary public key transmitted by the certificate issuing end 103 and encrypts the symmetric key obtained from the hardware security module 105 with the temporary public key. In an example, the KM system receives the temporary public key transmitted by the CA system and encrypts the symmetric key with it.
In the embodiment of the application, the key end 104 acquires the temporary public key in the certificate registration parameter, and encrypts the symmetric key through the temporary public key, so that the security of the private key encrypted through the symmetric key in the transmission process can be ensured, and the security of the generated signature certificate and the generated encryption certificate is ensured.
In one possible implementation, the registration end 102 may further receive the signature certificate, the encryption certificate and the encrypted private key sent by the certificate authority 103, verify the signature certificate, the encryption certificate and the encrypted private key, and if the verification is passed, send the signature certificate, the encryption certificate and the encrypted private key to the user end 101.
After the certificate issuing end 103 generates the signature certificate and the encryption certificate, it sends the signature certificate, the encryption certificate and the encrypted private key to the registration end 102. On receiving them, the registration end 102 verifies the signature certificate, the encryption certificate and the encrypted private key, for example by checking whether the signature certificate and the encryption certificate were issued by the trusted certificate issuing end 103 and whether the encryption of the private key meets the security standard, and if the verification is passed it sends the signature certificate, the encryption certificate and the encrypted private key to the user end 101. In one example, the RA system receives the signature certificate, the encryption certificate and the encrypted private key sent by the CA system, verifies them, and sends them to the UKey if the verification is passed.
In the embodiment of the present application, the registration end 102 receives the signature certificate, the encryption certificate and the encrypted private key sent by the certificate issuing end 103, verifies the signature certificate, the encryption certificate and the encrypted private key, and if the verification is passed, sends the signature certificate, the encryption certificate and the encrypted private key to the user end 101, so that the registration end 102 can receive the signature certificate, the encryption certificate and the encrypted private key sent by the certificate issuing end 103 and send the signature certificate, the encryption certificate and the encrypted private key to the user end 101, thereby realizing the acquisition of the certificate and the private key by the user end 101, and the registration end 102 verifies the signature certificate, the encryption certificate and the encrypted private key, so as to ensure that the certificate and the private key acquired by the user end 101 are effective and safe.
In one possible implementation, the user end 101 may further receive the signature certificate, the encryption certificate and the encrypted private key, decrypt the encrypted symmetric key with the temporary private key, decrypt the private key with the symmetric key, and store the signature certificate, the encryption certificate and the decrypted private key, where the temporary public key and the temporary private key are generated when the user end 101 generates the certificate registration request.
When the user end 101 generates the certificate registration request, it also generates a temporary public key and a temporary private key. The temporary public key is included in the certificate registration request and is used for generating the public-private key pair and encrypting the private key; the temporary private key is kept in the user end 101 and is used to decrypt the symmetric key that was encrypted with the temporary public key. After receiving the signature certificate, the encryption certificate and the encrypted private key from the registration end 102, the user end 101 decrypts the encrypted symmetric key with its stored temporary private key, decrypts the encrypted private key with the recovered symmetric key to obtain the decrypted private key, and uses the decrypted private key to verify that the signature certificate and the encryption certificate are complete and valid. If the verification passes, it stores the signature certificate, the encryption certificate and the decrypted private key in a certificate container of the user end 101; the user end 101 may also encrypt the signature certificate, the encryption certificate and the decrypted private key held in the certificate container to prevent unauthorized access and tampering.
In one example, the UKey receives the signature certificate, the encryption certificate and the encrypted private key, decrypts the encrypted symmetric key inside the UKey with the temporary private key, decrypts the private key with the symmetric key, stores the signature certificate, the encryption certificate and the decrypted private key in a certificate container in the UKey, and encrypts the contents of that certificate container.
In the embodiment of the present application, the user end 101 receives the signature certificate, the encryption certificate and the encrypted private key, decrypts the encrypted symmetric key with the temporary private key, decrypts the private key with the symmetric key, and stores the signature certificate, the encryption certificate and the decrypted private key. The certificates and the private key are thus obtained and stored, and because the temporary public key and temporary private key are used for the encryption and decryption, the security of the signature certificate and the encryption certificate is ensured.
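The envelope described in the preceding paragraphs, as an added example in Go's standard library rather than code from the patent or its applicant: sealPrivateKey plays the key end (generate the encryption key pair, encrypt its private key with a one-time symmetric key, encrypt that key with the user end's temporary public key) and openPrivateKey plays the user end (unwrap with the temporary private key and confirm the recovered private key belongs to the certificate's public key). The Envelope layout, the AES-GCM and RSA-OAEP choices, the P-256 encryption key and the "cert-enroll" label are assumptions; the patent names no algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Envelope is a hypothetical carrier for what the key end returns alongside the
// encryption certificate (illustrative layout, not the patent's wire format).
type Envelope struct {
	WrappedKey []byte // one-time symmetric key, RSA-OAEP encrypted to the temporary public key
	Nonce      []byte // AES-GCM nonce
	EncPrivKey []byte // DER-encoded private key, AES-GCM encrypted under the symmetric key
	PubKeyDER  []byte // public key that the encryption certificate carries
}

// sealPrivateKey is the key-end side: generate the encryption key pair, encrypt its
// private key with a fresh symmetric key, then encrypt that key with the temporary
// public key taken from the certificate registration parameters.
func sealPrivateKey(tempPub *rsa.PublicKey) (*Envelope, error) {
	encKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	privDER, err := x509.MarshalECPrivateKey(encKey)
	if err != nil { return nil, err }
	pubDER, err := x509.MarshalPKIXPublicKey(&encKey.PublicKey)
	if err != nil { return nil, err }
	sym := make([]byte, 32) // AES-256 key, used for this envelope only
	if _, err := rand.Read(sym); err != nil { return nil, err }
	block, _ := aes.NewCipher(sym)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	// Binding the public key as additional data lets the user end detect a swapped key.
	encPriv := gcm.Seal(nil, nonce, privDER, pubDER)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, tempPub, sym, []byte("cert-enroll"))
	if err != nil { return nil, err }
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, EncPrivKey: encPriv, PubKeyDER: pubDER}, nil
}

// openPrivateKey is the user-end side: recover the symmetric key with the temporary
// private key, decrypt the private key, and check it matches the certificate public key.
func openPrivateKey(tempPriv *rsa.PrivateKey, env *Envelope) (*ecdsa.PrivateKey, error) {
	sym, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, tempPriv, env.WrappedKey, []byte("cert-enroll"))
	if err != nil { return nil, errors.New("symmetric key unwrap failed") }
	block, _ := aes.NewCipher(sym)
	gcm, _ := cipher.NewGCM(block)
	privDER, err := gcm.Open(nil, env.Nonce, env.EncPrivKey, env.PubKeyDER)
	if err != nil { return nil, errors.New("private key decryption failed or envelope tampered") }
	priv, err := x509.ParseECPrivateKey(privDER)
	if err != nil { return nil, err }
	pub, err := x509.ParsePKIXPublicKey(env.PubKeyDER)
	if err != nil || !priv.PublicKey.Equal(pub) {
		return nil, errors.New("private key does not match the certificate public key")
	}
	return priv, nil
}
```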
In one possible implementation, the user end 101, the registration end 102 and the certificate issuing end 103 communicate via Hypertext Transfer Protocol Secure (HTTPS).
The user end 101 sends the certificate registration request to the registration end 102 over HTTPS. The registration end 102 receives the certificate registration request over HTTPS and sends the certificate registration parameters and the certificate making request to the certificate issuing end 103 over HTTPS. The certificate issuing end 103 receives the certificate registration parameters and the certificate making request over HTTPS and sends the signature certificate, the encryption certificate and the encrypted private key to the registration end 102 over HTTPS. The registration end 102 receives the signature certificate, the encryption certificate and the encrypted private key over HTTPS and sends them to the user end 101 over HTTPS, and the user end 101 receives them over HTTPS.
In an example, the UKey sends a P10 certificate request to the RA system over HTTPS; the RA system receives the P10 certificate request over HTTPS and sends the certificate registration parameters and the certificate making request to the CA system over HTTPS; the CA system receives them over HTTPS and sends the signature certificate, the encryption certificate and the encrypted private key to the RA system over HTTPS; and the RA system receives the signature certificate, the encryption certificate and the encrypted private key over HTTPS and sends them to the UKey over HTTPS.
In the embodiment of the application, communicating over HTTPS prevents the signature certificate, the encryption certificate and the encrypted private key from being tampered with or stolen in transit between the user end 101, the registration end 102 and the certificate issuing end 103, thereby ensuring the security of the acquired and stored signature certificate and encryption certificate.
Fig. 4 is a flowchart of a certificate acquisition method according to an embodiment of the present application. As shown in Fig. 4, the certificate acquisition method includes the following steps 401 to 404:
Step 401, generating a certificate registration request.
The certificate registration information is acquired, and a certificate registration request is generated according to the certificate registration information.
Step 402, parsing the certificate registration request to obtain the certificate registration parameters.
The certificate registration request is acquired and parsed to obtain the certificate registration parameters.
Step 403, generating a signature certificate and an encryption certificate according to the certificate registration parameters and the certificate making request.
The certificate making request is acquired, and a signature certificate and an encryption certificate are generated according to the certificate registration parameters and the certificate making request.
Step 404, importing and storing the signature certificate and the encryption certificate.
The generated signature certificate and encryption certificate are acquired, imported and stored.
It should be noted that, specific execution steps of the certificate acquisition method provided in the embodiment of the present application may refer to the description of the certificate acquisition system in any one of the above embodiments, and are not repeated herein.
In the embodiment of the application, the certificate registration request is generated, the certificate registration request is parsed to obtain the certificate registration parameters, the signature certificate and the encryption certificate are generated according to the certificate registration parameters and the certificate making request, and the signature certificate and the encryption certificate are imported and stored. Acquisition and storage of the signature certificate and the encryption certificate are thus realized, and compared with the prior art the efficiency of certificate acquisition is improved: the user only has to trigger generation of the certificate registration request for the whole process of acquiring and storing the certificates to complete, which improves the user's certificate acquisition experience.
Those of ordinary skill in the art will appreciate that the elements and method steps of the examples described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or as a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the embodiments of the present application.
The above embodiments are only for illustrating the embodiments of the present application, but not for limiting the embodiments of the present application, and various changes and modifications may be made by one skilled in the relevant art without departing from the spirit and scope of the embodiments of the present application, so that all equivalent technical solutions also fall within the scope of the embodiments of the present application, and the scope of the embodiments of the present application should be defined by the claims.

Claims (10)

1. A certificate acquisition system, characterized in that it includes a user end, a registration end and a certificate issuing end;
the user end is used to generate a certificate registration request and send the certificate registration request to the registration end;
the registration end is used to parse the certificate registration request, obtain certificate registration parameters, and send the certificate registration parameters and a certificate making request to the certificate issuing end;
the certificate issuing end is used to generate a signature certificate and an encryption certificate according to the certificate registration parameters and the certificate making request, and send the signature certificate and the encryption certificate to the registration end; the registration end sends the signature certificate and the encryption certificate to the user end, so that the user end imports the signature certificate and the encryption certificate.

2. The system according to claim 1, characterized in that the user end is used to obtain the certificate registration information input by the user from the registration end, and generate the certificate registration request according to the certificate registration information.

3. The system according to claim 1, characterized in that the system further includes a key end; the certificate issuing end is used to verify the certificate making request and, if the verification passes, call the key end to generate a public-private key pair; the certificate issuing end generates the signature certificate and the encryption certificate according to the public-private key pair and the certificate registration parameters.

4. The system according to claim 3, characterized in that the system further includes a hardware security module; the key end is used to call the hardware security module to generate the public-private key pair.

5. The system according to claim 4, characterized in that the key end is used to obtain the symmetric key generated by the hardware security module and encrypt the private key of the public-private key pair with the symmetric key.

6. The system according to claim 5, characterized in that the key end is used to obtain the temporary public key from the certificate registration parameters and encrypt the symmetric key with the temporary public key.

7. The system according to claim 6, characterized in that the registration end is used to receive the signature certificate, the encryption certificate and the encrypted private key sent by the certificate issuing end, verify the signature certificate, the encryption certificate and the encrypted private key, and, if the verification passes, send the signature certificate, the encryption certificate and the encrypted private key to the user end.

8. The system according to claim 7, characterized in that the user end is used to receive the signature certificate, the encryption certificate and the encrypted private key, decrypt the encrypted symmetric key with a temporary private key, decrypt the private key with the symmetric key, and store the signature certificate, the encryption certificate and the decrypted private key, wherein the temporary public key and the temporary private key are generated when the user end generates the certificate registration request.

9. The system according to any one of claims 1 to 8, characterized in that the user end, the registration end and the certificate issuing end communicate via HTTPS.

10. A certificate acquisition method, characterized in that it includes:
generating a certificate registration request;
parsing the certificate registration request to obtain certificate registration parameters;
generating a signature certificate and an encryption certificate according to the certificate registration parameters and a certificate making request;
importing and storing the signature certificate and the encryption certificate.
Publications (1)

Publication Number Publication Date
CN119814321A (en) 2025-04-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination