This post is part of the 2022 Spring Recruitment series of activities (experience review).

Preface

My company is in the information security business, an electronic certification service provider, and is currently building an RA system; my lead recently walked me through the fundamentals of digital certificates. While the memory is still fresh, I am writing up my understanding of digital certificates as a review.

Basic concept

What is a CA?

A CA (Certificate Authority) issues digital certificates and is therefore also the management center for public keys. To keep digital certificates trustworthy, it manages the whole certificate life cycle, including:

  • Issuance and renewal of digital certificates
  • Invalidation of digital certificates (cancellation or revocation)
  • Freezing (loss reporting, i.e. suspension) and unfreezing of digital certificates
  • Query and download of digital certificates
  • Query of digital certificate status

Backup and recovery of digital certificates

Without backup and recovery, losing a private key means that any data encrypted under the corresponding public key can no longer be decrypted. To solve private-key backup and recovery, PKI introduces the KMC (Key Management Center), which manages private keys throughout their life cycle: when a user applies to the CA for a digital certificate, the private key that must remain recoverable is securely deposited with the KMC as a backup.

To prevent a user's identity from being impersonated, the private key of a digital certificate should exist in a single copy held only by its owner. But a key that exists in a single copy cannot be backed up and restored when it is lost. The two requirements conflict.

To resolve this conflict, PKI introduces the dual-certificate mechanism: a signing certificate and an encryption certificate.

  • The signing certificate's key pair is used only for signing (private key) and signature verification (public key), never for encryption or decryption. The user generates this key pair locally, and the KMC keeps no backup of it, so the signing key stays unique to its holder.
  • The encryption certificate's key pair is used only for encryption (public key) and decryption (private key), never for signing or verification. The KMC generates this key pair and keeps a backup of the private key, so it can be restored if the user loses it.

To make certificate query and download fast, PKI publishes certificates in a directory accessed over LDAP (Lightweight Directory Access Protocol), which provides high-speed query and download services. How does a user, or a relying party, check the status of a certificate? For that, PKI introduces CRL and OCSP:

  • CRL (Certificate Revocation List): a CA-signed list of certificates that are no longer valid, also called the certificate blacklist.
  • OCSP (Online Certificate Status Protocol): a request/response protocol for querying the status of a single certificate online, without downloading the whole CRL.
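The two sections above, the dual-certificate mechanism and the CRL status check, are easiest to see in working code. The following Go program is an added example written for this post; it is not code from the RA/CA system the post describes, and it uses only the Go standard library. Everything in it is constructed: the toy CA ("Example Toy CA"), the user "alice", the choice of ECDSA P-256 for the signing certificate and RSA-OAEP for the encryption certificate, and an in-memory "escrow" standing in for the KMC's encrypted key store. The signing private key is generated by the caller and never passed in; the KMC side generates and escrows the encryption key pair; the KeyUsage extension is what stops the signing certificate from being used for encryption; and the CRL is verified (signature and freshness) before its contents are trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory stand-in for the CA and the KMC. The user's signing
// private key is never seen here; the KMC generates the encryption key and keeps Escrow.
type PKI struct {
	CACert, SignCert, EncCert *x509.Certificate
	CAKey                     *ecdsa.PrivateKey
	Escrow                    *rsa.PrivateKey // a real KMC stores this encrypted under an HSM-held key
}

// must panics on error: acceptable in an example, not in production enrolment code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a 24-hour certificate carrying exactly the given KeyUsage; parent == nil means self-signed.
func issue(serial int64, cn string, usage x509.KeyUsage, parent *x509.Certificate, pub any, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))))
}

// Enroll models dual-certificate enrolment: the user submits only the public half of the
// signing key pair, while the KMC generates the encryption key pair and keeps a backup of it.
func Enroll(user string, signPub *ecdsa.PublicKey) *PKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caCert := issue(1, "Example Toy CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, &caKey.PublicKey, caKey)
	signCert := issue(2, user+" signing", x509.KeyUsageDigitalSignature, caCert, signPub, caKey)
	encKey := must(rsa.GenerateKey(rand.Reader, 2048)) // KMC-generated, so it can be escrowed
	encCert := issue(3, user+" encryption", x509.KeyUsageKeyEncipherment, caCert, &encKey.PublicKey, caKey)
	return &PKI{caCert, signCert, encCert, caKey, encKey}
}

// EncryptFor seals msg (RSA-OAEP) to a certificate, refusing one whose KeyUsage does not
// permit encryption; passing the signing certificate fails here, which is the split being enforced.
func EncryptFor(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return nil, errors.New("certificate is not usable for encryption")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Recover is the KMC restore path: the escrowed key still opens ciphertext produced before the user's copy was lost.
func Recover(escrow *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, escrow, ct, nil)
}

// PublishCRL signs a CRL listing one revoked certificate's serial number (what the CA would serve via LDAP/HTTP).
func (p *PKI) PublishCRL(revoked *x509.Certificate) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, p.CACert, p.CAKey)
}

// IsRevoked is the relying-party side: verify the CRL's signature and freshness before trusting its contents.
func IsRevoked(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is stale: fetch a fresh one or query OCSP")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Two design points worth noting. First, the separation between the two certificates is not a convention but an enforced property: `EncryptFor` refuses the signing certificate because its KeyUsage lacks keyEncipherment, and a relying party should make the mirror-image check (digitalSignature) before accepting a signature from the encryption certificate. Second, `IsRevoked` rejects a CRL signed by anyone other than the issuing CA and one whose nextUpdate has passed; a stale or unsigned CRL tells you nothing about revocation, which is why OCSP exists for cases where a fresh answer matters more than a cached list.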

For security, the CA itself is not exposed on the public network. To allow remote certificate management and life-cycle operations, PKI introduces the RA (Registration Authority), the service that faces users directly: it receives and verifies certificate requests and relays the approved ones to the CA.

RA system

Main RA business processes

The RA system is an integral part of the certificate authentication system. It is responsible for dealing with users directly and for certificate-related management services. The RA system uses a B/S (browser/server) architecture consisting of an RA server and RA operator terminals (browsers); users access the system through these terminals to perform their operations.

It is divided into two parts: the RA service used by operators and the user self-service portal.

The main functions are:

Client certificate management (RA service)

  • Certificate application
  • Certificate query
  • Certificate update
  • Certificate change
  • Certificate for
  • Certificate download
  • Certificate cancellation
  • Certificate freezing
  • Certificate unfreezing
  • Authorization code update
  • Synchronizing certificate status

User self-service platform

  • Self-service platform home page
  • Certificate application
  • Certificate query
  • Certificate download
  • Certificate unlock
  • Certificate update
  • Install the CA certificate chain
  • Download the Certificate Revocation List (CRL)
  • Certificate for

Closing

The specific functions of the RA service have not been developed yet. After that work is done, I will continue to organize my notes on RA and CA digital certificates, which also serves as a summary for myself.

Writing is not easy. If this helped you, remember to leave a like before you go. (゚▽゚) Blue