TWI841232B - Automatic certificate application system, method and computer readable medium thereof - Google Patents
Publication number: TWI841232B (TW112104626A)
Authority: TW (Taiwan)
Prior art keywords: certificate, domain verification, verification, domain, account
Description
The present invention relates to certificate application technology, and more particularly to an automatic certificate application system, method and computer-readable medium thereof that can restrict the domain verification method.
Under an automated web validation architecture, a user must first purchase a Secure Sockets Layer (SSL) certificate from the system administration side before the SSL certificate can be installed on the user's server. For known automated web validation architectures, building an automated certificate management environment for SSL certificates has become a trend. However, known architectures place no restriction on the domain verification method, so it is easy for a malicious party to obtain an SSL certificate by impersonation.
In view of the above problems, how to provide certificate technology that, in particular, supplies a restriction mechanism for the domain verification method, so that the method can be audited and the certificate application process made more secure, has become a goal urgently pursued by those skilled in the art.
To solve the above problems of the prior art, the present invention discloses an automatic certificate application system comprising: a certificate management module, which receives an automated service account and a domain verification service application packet submitted by a domain verification applicant and, after confirming and registering the automated service account, binds the domain verification service application packet to the automated service account and initializes a domain verification form; a domain verification module, which receives the domain verification service application packet from the certificate management module and performs domain verification by a domain verification method that has a corresponding object identifier (OID) and corresponds to the domain verification service application packet, and, after the domain verification, stores the domain verification result together with the object identifier and returns them to the certificate management module, so that the certificate management module binds the object identifier, the domain verification form and the automated service account and changes the status of the domain verification form to domain verification completed; and a certificate center module, which issues a certificate based on the binding result of the domain verification form.
In one embodiment, the certificate management module registers the automated service account with a random number of a fixed length.
In another embodiment, before submitting the automated service account and the domain verification service application packet, the domain verification applicant first generates an account key pair and signs the automated service account and the domain verification service application packet respectively with the private key of the account key pair; when the certificate management module receives the automated service account and the domain verification service application packet, it confirms them with the public key of the account key pair, and after the certificate management module completes registration of the automated service account, it signs the registration result of the automated service account with the private key of the certificate management module and returns it to the domain verification applicant.
In another embodiment, the automatic certificate application system further comprises a registration center module for receiving a certificate service application packet submitted by a certificate user and obtaining the binding result of the domain verification form from the certificate management module, and, after verification, submitting the binding result of the domain verification form and the certificate service application packet to the certificate center module, so that the certificate center module issues the certificate accordingly and returns the certificate to the registration center module.
In another embodiment, before submitting the certificate service application packet, the certificate user first generates a user key, so that the certificate service application packet is signed in sequence with the user key and with the account key of the domain verification applicant; after the registration center module receives the certificate service application packet, it verifies it with the account key of the domain verification applicant and the user key, and after verification provides the certificate service application packet and the binding result of the domain verification form to the certificate center module.
In another embodiment, the certificate center module extracts the object identifier from the binding result and writes the object identifier into a certificate extension field of the certificate.
In another embodiment, the certificate management module is connected to a certificate management database, in which the certificate management module stores the registration result of the automated service account and the binding result.
In yet another embodiment, the certificate center module is connected to a certificate center database, in which the certificate center module stores certificate issuance results.
The present invention further discloses an automatic certificate application method executed on a computer or server, the method comprising: having a certificate management module receive an automated service account submitted by a domain verification applicant and register it after confirmation; having the certificate management module receive a domain verification service application packet submitted by the domain verification applicant and, after the automated service account is registered, bind the domain verification service application packet to the automated service account and initialize a domain verification form; having a domain verification module perform domain verification by a domain verification method that has a corresponding object identifier and corresponds to the domain verification service application packet, and, after the domain verification, store the domain verification result together with the object identifier and return them to the certificate management module, so that the certificate management module binds the object identifier, the domain verification form and the automated service account; and issuing a certificate based on the binding result of the domain verification form.
In another embodiment, when the certificate management module receives the automated service account, it registers the automated service account with a random number of a fixed length.
In another embodiment, the automated service account is first signed with an account key, so that when the certificate management module receives the automated service account and the domain verification service application packet, it confirms them with the account key.
In another embodiment, before the certificate is issued, the certificate center module first extracts the object identifier from the binding result and writes the object identifier into a certificate extension field of the certificate.
In another embodiment, the step of having the certificate center module issue the certificate based on the binding result of the domain verification form comprises: first receiving a certificate service application packet submitted by a certificate user and obtaining the binding result from the certificate management module, and, after verification, issuing the certificate according to the binding result of the domain verification form and the certificate service application packet.
In yet another embodiment, the certificate service application packet is first signed with a user key and with the account key of the domain verification applicant, so that when the registration center module receives the certificate service application packet, it verifies it with the account key of the domain verification applicant and the user key.
The present invention further discloses a computer-readable medium, for use in a computing device or computer, which stores instructions for executing the aforementioned automatic certificate application method.
As can be seen from the above, the automatic certificate application system, method and computer-readable medium of the present invention register the automated service account of the domain verification applicant through the certificate management module, and have the domain verification module apply the domain verification method that corresponds to the domain verification application packet, wherein the domain verification method has a corresponding object identifier, so that after the domain verification is performed the object identifier is bound to the information relating to the domain verification. A restriction mechanism is thereby provided for the domain verification method adopted, which avoids the information security problems of domain verification and provides evidence for later audit, achieving the purpose of a secure and reliable automatic certificate application process.
1: automatic certificate application system
11: certificate management module
12: domain verification module
13: certificate center module
14: registration center module
21: domain verification applicant
22: certificate user
31: TLS web server
32: domain name server
41: certificate management database
42: certificate center database
S310~S340: process steps
S341~S343: process steps
Figure 1 is a schematic diagram of the architecture of the automatic certificate application system of the present invention.
Figure 2 is a schematic diagram of the architecture of the automatic certificate application system of the present invention in practical application.
Figure 3 is a flow chart of the automatic certificate application method of the present invention.
Figure 4 is a flow chart of requesting the certificate service in the automatic certificate application method of the present invention.
The technical content of the present invention is described below by way of specific embodiments; those skilled in the art can readily understand the advantages and effects of the present invention from the content disclosed in this specification. The present invention may also be implemented or applied through other different specific embodiments.
The automatic certificate application system of the present invention is implemented on the basis of changes to registration information, order information, domain verification information and certificate field information, so as to provide a restriction mechanism for the domain verification method within the certificate application process. In addition, the certificate format of the certificate service application received by the automatic certificate application system of the present invention is an SSL certificate in the Web PKI context, but is not limited to a particular SSL certificate class; SSL certificates include Organization Validated (OV) SSL certificates, Individual Validation (IV) SSL certificates, Domain Validation (DV) SSL certificates and Extended Validation (EV) SSL certificates.
Figure 1 is a schematic diagram of the architecture of the automatic certificate application system of the present invention. As shown in the figure, the automatic certificate application system 1 of the present invention comprises a certificate management module 11, a domain verification module 12 and a certificate center module 13, and the certificate management module 11 is communicatively or electrically connected to the domain verification module 12 and the certificate center module 13. The certificate management module 11 confirms and registers the automated service account; thereafter, the domain verification module 12 provides the domain verification service according to the domain verification application packet transmitted by the certificate management module 11; after the domain verification, the certificate center module 13 decides on certificate issuance according to the domain verification result, where the certificate may be an SSL certificate. The automatic certificate application system 1 of the present invention is further described below.
The certificate management module 11 is used to register and verify the automated service account, to verify and manage the status of domain verification service application forms, and to initialize domain verification requests.
Specifically, the certificate management module 11 receives the automated service account and confirms it; for example, the certificate management module 11 can confirm it with the key corresponding to the automated service account, and after confirmation it registers the automated service account. In one embodiment, the certificate management module 11 registers the automated service account with a random number of a fixed length and stores the random number, so that the registered automated service account is unique.
After the automated service account is confirmed and registered, the certificate management module 11 further receives the domain verification service application packet, binds the domain verification service application packet to the automated service account so as to initialize a domain verification form, and then sends out the domain verification service application packet.
The domain verification module 12 has multiple domain verification methods; after receiving the domain verification service application packet from the certificate management module 11, it applies a restricted domain verification method to the domain verification service application packet submitted for each different domain. In detail, the domain verification module 12 performs domain verification on the domain verification service application packet with the corresponding domain verification method, wherein the domain verification method has a corresponding object identifier that serves as the restriction value; accordingly, after the domain verification, the domain verification result and the object identifier are stored. In addition, the domain verification module 12 also returns the domain verification result to the certificate management module 11, so that the certificate management module 11 binds the object identifier, the domain verification form and the automated service account, and changes the status of the domain verification form to domain verification completed.
The certificate center module 13 provides certificate application, certificate revocation, certificate renewal and certificate modification, so the certificate center module 13 can execute the certificate application service processing flow to issue a certificate based on the binding result of the domain verification form, where the certificate application service processing flow includes issuance verification, certificate format confirmation, certificate status verification and similar steps. Furthermore, the certificate center module 13 can issue Online Certificate Status Protocol (OCSP) response messages and Certificate Revocation Lists (CRL) to announce the status information of the formal certificates it has issued.
In one embodiment, the certificate center module 13 extracts the object identifier from the binding result of the domain verification form and, when the certificate is about to be issued, writes the object identifier into a certificate extension field of the certificate. Accordingly, the automatic certificate application system 1 of the present invention has the certificate center module 13 embed the object identifier in the certificate policies certificate extension field, thereby disclosing the domain verification method adopted, so that any third party can look it up publicly.
As further shown in Figure 1, the automatic certificate application system 1 of the present invention further comprises a registration center module 14, which, after waiting for the certificate management module 11 to complete account management and order management and to report a normal domain verification result, receives the certificate service application packet and verifies it, and after verification obtains the binding result of the domain verification form from the certificate management module 11 and submits the binding result and the certificate service application packet to the certificate center module 13, so that the certificate center module 13 issues the certificate according to the binding result and the certificate service application packet and then returns the certificate to the registration center module 14. The binding result contains the information of the domain verification applicant's automated service account, the information of the domain verification service application form, and the information of the restricted domain verification result.
Figure 2 is a schematic diagram of the architecture of the automatic certificate application system of the present invention in practical application. As shown in the figure, the automatic certificate application system 1 of the present invention can be connected to system users and to external interfacing systems or servers, and can be connected to databases of different functions. The system users include a domain verification applicant 21 connected to the certificate management module 11 and a certificate user 22 connected to the registration center module; the external interfacing systems or servers, such as a Transport Layer Security (TLS) web server 31 and a domain name server 32, are connected to the domain verification module 12. In addition, the databases of different functions may include a certificate management database 41 connected to the certificate management module 11 and a certificate center database 42 connected to the certificate center module 13. Embodiments of the automatic certificate application system 1 of the present invention in practical application are further described below.
In order for the TLS web server 31 to provide external service for a specific domain, a certificate (e.g. an SSL certificate) has to be set in its configuration, and before the certificate can be obtained, ownership of the domain by the TLS web server 31 must first be proven. Therefore, the domain verification applicant 21 first connects to the automatic certificate application system 1 and submits to the certificate management module 11 a registration service application packet for the domain verification service and a domain verification service application packet, where the registration service application packet includes the automated service account of the domain verification applicant.
In detail, the automated service account and the domain verification service application packet are submitted by the domain verification applicant 21. When the domain verification applicant 21 wants to register the automated service account with the automatic certificate application system 1, it connects to the certificate management module 11 and provides the automated service account by sending the registration service application packet, so that the certificate management module 11 confirms and registers the automated service account; afterwards, when domain verification is desired, it submits the domain verification service application packet to the automatic certificate application system 1.
In one embodiment, before submitting the automated service account, the domain verification applicant 21 first generates an account key pair, so that the automated service account and the domain verification service application packet are each signed with the private key of the account key pair. In practice, the domain verification applicant 21 signs, with the private key of the account key pair, the registration service application packet that is used for the domain verification service and contains the automated service account of the domain verification applicant, and after signing sends the registration service application to the certificate management module 11. Then, upon receiving the automated service account, the certificate management module 11 confirms the automated service account with the public key of the account key pair, and after the automated service account is registered, the certificate management module 11 signs the registration result corresponding to the automated service account with its private key and returns it to the domain verification applicant 21.
When the domain verification applicant 21 receives the notification of the registration result and has verified its signature without error, it may initiate a domain verification service application to the certificate management module 11. At this point the domain verification applicant 21 signs the domain verification service application packet with the private key of the account key pair and, after signing, sends an order submission service application to the certificate management module 11, i.e. submits the domain verification service application packet. After receiving the order submission service application, the certificate management module 11 confirms the domain verification service application packet with the public key of the account key pair; after the verification passes, the certificate management module 11 binds the domain verification service application packet to the corresponding automated service account, writes the binding result into the certificate management database 41 (which is connected to the certificate management module 11 and stores the registration result of the automated service account and the binding result), and initializes the status of the SSL domain verification form.
In one embodiment, for the certificate management module 11, the domain verification service application packet is received when the certificate user 22 applies for a certificate for the first time or when a certificate is about to expire. At that time, the identity of the domain verification service applicant must be verified against the domain verification service application form submitted by the domain verification applicant 21; the record must be checked, including the history check result of whether the certificate user 22 has re-requested certificate issuance within the restricted period; and the status of the domain verification service application form is transitioned at each stage of the certificate application, so as to complete the status change of the domain verification form.
After the automated service account is confirmed and registered, the certificate management module 11 sends, for the domain verification form, the domain verification service application packet signed with the private key of the certificate management module 11 to the domain verification module 12. After the domain verification module 12 receives the domain verification service application packet for the domain verification service application, it verifies the packet with the public key of the certificate management module 11. Once the verification passes, it offers domain verification methods restricted to the domain ownership validation methods permitted by the CA/Browser Forum, so as to provide diverse domain verification services, and performs the domain verification with the restricted domain verification method, connecting to the TLS web server 31 and the domain name server 32 in the process. Each domain verification method is distinguished by a unique object identifier, and every compliant domain verification method is listed in a domain verification method whitelist; accordingly, if the domain verification method to be used is not on the whitelist, that domain verification method is not adopted, which avoids the problem that public specifications do not restrict the domain verification method. In addition, the whitelist may be further classified by a hash value mapping table.
After the domain verification module 12 completes the domain verification, it signs the object identifier of the adopted domain verification method and the domain verification result with the private key of the domain verification module 12 and returns the verification result to the certificate management module 11. In detail, the domain verification result is one of two cases, domain verification failed or domain verification succeeded. When domain verification fails, the domain verification form is placed in a scheduled time window and batch re-verification is started; if the number of re-verification failures reaches the set limit and the domain verification still fails, the domain verification module 12 returns a failed domain verification result to the certificate management module 11. Otherwise, if the domain verification result is success, the successful domain verification result is returned.
After receiving the domain verification result, the certificate management module 11 verifies the signature with the public key of the domain verification module 12; after the verification passes, it changes the status of the domain verification form to domain verification completed and binds the object identifier corresponding to the adopted domain verification method to the domain verification form and the corresponding automated service account, the automated service account still being uniquely identified by the aforementioned random number (i.e. the fixed-length random number the certificate management module 11 used to register the automated service account).
In summary, once the certificate management module 11 has completed the binding of the object identifier with the domain verification form and the automated service account, the domain verification applicant 21's ownership of the domain has been verified. The certificate management module 11 signs the domain verification result with its private key and returns it to the domain verification applicant 21, who can then verify the signature on the domain verification result with the public key of the certificate management module 11 to confirm the returned result.
If the domain verification result is success, the certificate user 22 fills in the certificate application data and, after accepting the user agreement terms, transmits the certificate application data and related supporting documents to the registration center module 14; that is, the certificate user 22 submits to the registration center module 14 a certificate service application packet formed from the certificate application data and related supporting documents. Specifically, the certificate service application packet is submitted by the certificate user 22, who first generates a user key before submission, so that the certificate service application packet is signed with the user key and then further signed with the account key of the domain verification applicant, providing a double signature, and when applying for the certificate submits the certificate service application packet to the registration center module 14 through a secure channel. To protect the personal information of the certificate user 22, the automatic certificate application system 1 must not generate keys on behalf of users or provide key escrow services in any form.
After receiving the certificate service application packet, the registration center module 14 verifies it with the account key of the domain verification applicant and the user key; after verification, it can access, through the certificate management module 11, the verified domain verification form and related binding information of the domain verification applicant 21 in the certificate management database 41, and provides the certificate service application packet and the binding result of the domain verification form to the certificate center module 13. In detail, the registration center module 14 performs the identification and authentication procedures for the certificate user according to the certification practice statement; the main functions of the registration center module 14 include certificate subject identity verification and verification of the format and content of the certificate service application packet, where the certificate subject identity verification flow differs according to the type of SSL certificate applied for, each corresponding to a different identity assurance level. When the relevant identification and authentication procedures are confirmed to be correct, the certificate service application packet and the binding information of the domain verification form are signed with the private key of the registration center module 14 and submitted to the certificate center module 13.
After receiving the information submitted by the registration center module 14, the certificate center module 13 verifies it with the public key of the registration center module 14; after the verification passes, it carries out the certificate issuance flow according to the content of the obtained certificate service application packet. At this point, the certificate center module 13 extracts the object identifier of the adopted domain verification method from the binding information of the domain verification form and writes it into the certificate policies certificate extension field of the certificate to be issued; the value of the written object identifier and its corresponding domain verification method may further be announced in the certification practice statement of the certificate center module 13, as proof for later audit.
If the certificate center module 13 receives a failed domain verification result or the identification of the certificate user fails, it uses the same private key of the certificate center module 13 as used for issuing certificates to digitally sign information such as the certificate serial number and the reason for the failed certificate application, and records it in the certificate center database 42, which is connected to the certificate center module 13 and stores certificate issuance results. Since the certificate has not been issued at this point, there is no need to record the related information in the certificate revocation list, nor to provide an Online Certificate Status Protocol query service to confirm the certificate revocation status.
If the certificate center module 13 receives a successful domain verification result and the identification of the certificate user succeeds, the certificate center module 13 issues the end-entity certificate with its private key and returns it to the registration center module 14. After receiving the certificate, the registration center module 14 verifies the certificate center module 13 signature in the certificate and the certificate chain; only after the verification passes is the certificate acceptance flow enabled for the certificate user 22 to make the final confirmation, and once the confirmation is complete the certificate issuance flow ends. The certificate issuance result is written into the certificate center database 42 by the certificate center module 13, and the certificate center module 13 can also provide its own Online Certificate Status Protocol query service for the certificate user 22 to query certificate status information.
Figure 3 is a flow chart of the automatic certificate application method of the present invention. The automatic certificate application method of the present invention can be executed on a computer or server; in this embodiment, it is executed with the automatic certificate application system described above. As shown in the figure, the method comprises the following steps.
In step S310, a registration service is requested. In detail, the certificate management module of the automatic certificate application system receives the automated service account from the domain verification applicant for confirmation, and after confirmation registers the automated service account, wherein the certificate management module registers the automated service account of the domain verification applicant with a restricted unique value (e.g. a random number of a fixed length).
In one embodiment, the domain verification applicant first generates an account key itself and, before transmitting the automated service account and the domain verification service application packet, has them signed with the account key, so that when the certificate management module receives the automated service account and the domain verification service application packet it can confirm them with the account key and thereby confirm the identity of the domain verification applicant. The confirmation process using the account key is as described above and is not repeated here.
In one embodiment, when the certificate management module receives the automated service account, it registers the automated service account with a random number of a fixed length, so that the automated service account is unique.
In step S320, an order submission service is requested. After registering with the automatic certificate application system, the domain verification applicant can initiate a domain verification service application by transmitting a domain verification service application packet to the certificate management module, which receives the domain verification service application packet, binds it to the registered automated service account, and initializes a domain verification form.
In step S330, domain verification is performed. Because domain verification methods are an open and diverse set, the domain verification module restricts the domain verification method adopted and records the adopted domain verification method with its corresponding restriction value in the database for use in subsequent steps. In detail, the domain verification module performs domain verification with the domain verification method corresponding to the domain verification service application packet, wherein the domain verification method has a corresponding object identifier, so that after the domain verification the domain verification result and the object identifier are stored in the certificate management database. In addition, the domain verification result and the object identifier are returned to the certificate management module, so that the certificate management module binds the object identifier, the domain verification form and the automated service account.
In step S340, a certificate service is requested. After the domain verification flow is completed, the certificate center module can be made to issue a certificate based on the binding result of the domain verification form.
Figure 4 is a flow chart of requesting the certificate service in the automatic certificate application method of the present invention. As shown in the figure, requesting the certificate service comprises the following steps.
In step S341, the certificate service is applied for. In this step, the certificate applicant signs the certificate service application packet with a user key it generated itself, and the domain verification applicant signs it with the account key generated in the preceding steps; the signed certificate service application packet is then submitted. When the registration center module receives the certificate service application packet, it verifies it with the account key of the domain verification applicant and the user key; after the verification is complete, the registration center module obtains the binding result from the certificate management module, where the binding result comprises the object identifier, the domain verification form and the automated service account, and then sends the binding result and the certificate service application packet to the certificate center module.
In step S342, the certificate content change is performed. In this step, the certificate center module performs verification after receiving the certificate service application packet and the binding result, and after verification issues the certificate according to the binding result of the domain verification form and the certificate service application packet. In one embodiment, before issuing the certificate, the certificate center module first extracts the object identifier from the binding result, writes the object identifier into a specific certificate extension field of the certificate to be issued, and retains and publishes the related supporting information.
In step S343, the certificate issuance service is executed. In this step, after the certificate center module verifies the certificate service application packet, if the verification result is failure, the failed step and the reason are recorded and the personal information of that application is not allowed to be retained; if the verification result is success, the certificate acceptance flow must be enabled and the certificate enters the scheduled issuance workflow before the certificate can be issued.
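As an added example (not code from the patent), the following Python models the restriction mechanism of steps S330 to S343 in one runnable flow: the domain verification module refuses any method absent from an OID-keyed whitelist and retries a failed verification a bounded number of times, the certificate management module registers the account with a fixed-length random number and binds the OID to the domain verification form, and the certificate center embeds the OID as a policyIdentifier in a DER-encoded certificatePolicies value that a third party can parse back for audit. The whitelist OIDs, the retry limit and the 16-byte account random number are assumptions; the signature steps between modules are omitted.

```python
import secrets

# Constructed whitelist of permitted domain-validation methods, keyed by a
# short method name and mapped to the OID that is stored with each result.
# The OIDs are placeholders under a private-enterprise arc, not the patent's
# or any CA's real values.
DV_METHOD_WHITELIST = {
    "dns-txt": "1.3.6.1.4.1.99999.1",
    "http-well-known": "1.3.6.1.4.1.99999.2",
}
MAX_REVERIFY = 3          # assumed limit on batch re-verification attempts
ACCOUNT_NONCE_BYTES = 16  # assumed fixed length of the registration random number


def encode_oid(oid):
    """DER-encode a dotted OBJECT IDENTIFIER string (tag 0x06, short length)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])    # last base-128 digit, high bit clear
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    assert len(body) < 128, "short-form length only"
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der):
    """Inverse of encode_oid; reads the OID at the start of der."""
    assert der[0] == 0x06, "not an OBJECT IDENTIFIER"
    body = der[2:2 + der[1]]
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_sequence(*elements):
    """Wrap already-encoded elements in a DER SEQUENCE (tag 0x30, short length)."""
    content = b"".join(elements)
    assert len(content) < 128, "short-form length only"
    return bytes([0x30, len(content)]) + content


def build_policy_extension(oid):
    """certificatePolicies value: SEQUENCE OF PolicyInformation { policyIdentifier }."""
    return der_sequence(der_sequence(encode_oid(oid)))


def policy_oids(extension):
    """Return every policyIdentifier in a certificatePolicies value (audit view)."""
    assert extension[0] == 0x30
    inner = extension[2:2 + extension[1]]
    oids, pos = [], 0
    while pos < len(inner):
        assert inner[pos] == 0x30
        plen = inner[pos + 1]
        oids.append(decode_oid(inner[pos + 2:pos + 2 + plen]))  # OID is first element
        pos += 2 + plen
    return oids


class CertificateManagement:
    """Certificate management module: account registration, form status, binding."""

    def __init__(self):
        self.db = {}  # in-memory stand-in for the certificate management database

    def register_account(self, account):
        nonce = secrets.token_hex(ACCOUNT_NONCE_BYTES)   # fixed-length unique value
        self.db[account] = {"nonce": nonce, "dv_form": None}
        return nonce

    def submit_dv_request(self, account, domain):
        if account not in self.db:
            raise KeyError("account not registered")
        self.db[account]["dv_form"] = {"domain": domain, "status": "initialized", "oid": None}
        return self.db[account]["dv_form"]

    def bind_result(self, account, result):
        form = self.db[account]["dv_form"]
        form["status"] = "verified" if result["ok"] else "failed"
        form["oid"] = result["oid"]        # OID of the method actually used (or None)
        return form


class DomainVerification:
    """Domain verification module: whitelist check plus bounded re-verification."""

    def verify(self, method, domain, probe):
        if method not in DV_METHOD_WHITELIST:
            return {"ok": False, "oid": None, "reason": "method not whitelisted"}
        oid = DV_METHOD_WHITELIST[method]
        for _ in range(1 + MAX_REVERIFY):   # first attempt plus scheduled retries
            if probe(domain):               # caller-supplied check (simulated here)
                return {"ok": True, "oid": oid, "reason": None}
        return {"ok": False, "oid": oid, "reason": "verification failed"}


def issue_certificate(form, subject):
    """Certificate center module: refuse unless the form is verified, then embed the OID."""
    if form["status"] != "verified" or form["oid"] is None:
        return None
    return {"subject": subject, "certificatePolicies": build_policy_extension(form["oid"])}
```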
此外,本發明還揭示一種電腦可讀媒介,係應用於具有處理器(例如,CPU、GPU等)及/或記憶體的計算裝置或電腦中,且儲存有指令,並可利用此計算裝置或電腦透過處理器及/或記憶體執行此電腦可讀媒介,以於 執行此電腦可讀媒介時執行上述之方法、各步驟及流程。 In addition, the present invention also discloses a computer-readable medium, which is applied to a computing device or computer having a processor (e.g., CPU, GPU, etc.) and/or a memory, and stores instructions, and the computing device or computer can execute the computer-readable medium through the processor and/or memory to execute the above-mentioned method, steps and processes when executing the computer-readable medium.
綜上,本發明之自動憑證申請系統、方法及其電腦可讀媒介,針對習知技術於核發SSL憑證時關於自動憑證管理環境下之憑證中心伺服器端進行改良,其重點在於透過註冊資訊、投單資訊、網域驗證資訊及憑證欄位資訊之變更實施,以達到憑證中心伺服器端在接收到憑證申請後,自動進行憑證申請流程,且對於採用之網域驗證方法提供限定機制,可避免誤用網域驗證方法所延伸之資安問題,且所提出之憑證變更方法可於憑證核發後提供佐證給任意第三方進行公開查驗時所用,使自動憑證申請流程更為安全可靠,進而避免因人工換發的失誤而產出誤發憑證。此外,本發明無須改變憑證申請者進行憑證服務申請流程的既有工作流,應而無須大幅更動現有流程下即可完成上述目的和功效。 In summary, the automatic certificate application system, method and computer-readable medium of the present invention improve the certificate center server side in the automatic certificate management environment when issuing SSL certificates. The key point is to achieve the certificate center server side receiving the certificate application by changing the registration information, order information, domain verification information and certificate field information. The certificate application process is automatically carried out, and a restriction mechanism is provided for the adopted domain verification method, which can avoid the information security issues extended by the misuse of the domain verification method. The proposed certificate change method can provide evidence to any third party for public inspection after the certificate is issued, making the automatic certificate application process safer and more reliable, thereby avoiding the production of misissued certificates due to manual replacement errors. In addition, the present invention does not need to change the existing workflow of the certificate applicant in the certificate service application process, and should be able to achieve the above purpose and effect without significantly changing the existing process.
The modules, units, devices and the like of the present invention include a microprocessor and a memory; the algorithms, data and programs are stored in the memory or in a chip, and the microprocessor loads the data, algorithms or programs from the memory to perform processing such as data analysis or calculation, which is not elaborated here. In other words, the automatic certificate application system and method of the present invention can be executed on an electronic device such as an ordinary computer, a tablet or a server, which performs data analysis and computation after receiving data. The procedures performed by the automatic certificate application system and method can therefore be designed in software and built on an electronic device having a processor, memory and similar components, so as to run on electronic devices of all kinds. Alternatively, each module or unit of the automatic certificate application system can be built from separate components, for example as a calculator, memory, storage or firmware with a processing unit; any of these can implement the present invention, which may thus be presented as a software program, as hardware or as a firmware architecture.
The above embodiments are illustrative only and are not intended to limit the present invention. Anyone skilled in the art may modify and change the above embodiments without departing from the spirit and scope of the present invention. The scope of protection of the present invention is therefore defined by the appended claims; any modification that does not affect the effects and purposes of the present invention should be regarded as covered by the technical content disclosed here.
1: Automatic certificate application system
11: Certificate management module
12: Domain verification module
13: Certificate center module
14: Registration center module
Claims (15)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW112104626A TWI841232B (en) | 2023-02-09 | 2023-02-09 | Automatic certificate application system, method and computer readable medium thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TWI841232B true TWI841232B (en) | 2024-05-01 |
| TW202433901A TW202433901A (en) | 2024-08-16 |
Family ID: 92076855
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI841232B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7650497B2 (en) * | 2003-08-15 | 2010-01-19 | Venafi, Inc. | Automated digital certificate renewer |
| TW202247189A (en) * | 2021-05-18 | 2022-12-01 | 高雄醫學大學 | Application method for healthcare certification and signing electronic medical records |
| TWI786981B (en) * | 2021-12-07 | 2022-12-11 | 中華電信股份有限公司 | System and mehtod of precertificate management and computer readable medium thererof |
- 2023-02-09 TW TW112104626A patent/TWI841232B/en active