Digital certificate concept
Digital Certificate (Digital Certificate), also known as "digital ID card" and "network ID card", is signed and issued by the certificate certification authority CA, including public key owner information, public key, issuer information, validity period, certificate An electronic file (data structure) of the digital signature and extended information of the certification authority (CA), which can be used to prove the true identity of the digital certificate holder; it is the basis for various end entities and end users to conduct information exchange and commercial activities on the Internet Identity proof, in each mitigation of electronic transactions, all parties to the transaction need to verify the validity of each other's digital certificates, so as to solve the problem of mutual trust.
A certificate is an electronic file/credential used to prove identity in a network environment;
The role of the certificate in the network is similar to the ID card in real life;
The information contained in the certificate is similar to that of the ID card and can be compared;
The verification (anti-counterfeiting) of the certificate is similar to the verification (anti-counterfeiting) of the ID card (driver's license), and can be compared;
The management of the certificate can also be compared with the identity card (driver's license), there are mechanisms such as application, issuance, invalidation, renewal, etc., and there are relevant management agencies;
Digital Certificate Necessity
1. Technical requirements
Prove the ownership of the public key information and confirm whether the public key is legal. The whole process of public key transfer may encounter man-in-the-middle attacks.
2. Business requirements and security requirements
Provide business system two-factor authentication;
Improve business system user login security, strong identity authentication, and data encryption;
3. Policy requirements and policy support
electronic signature law;
Laws and regulations and industry norms, guarantee requirements;
other industry regulations;
Digital certificate content
The digital certificate is the carrier of the public key! The identity of the digital certificate key holder provides proof. The digital certificate contains the basic information of the certified person and its public key information, mainly including the following information:
digital certificate type
Digital certificates can be divided into personal certificates, institutional certificates and device certificates by category, and can be divided into signature certificates and encryption certificates according to their uses. digital certificate.
signed certificate
The key is generated on the client, the private key is kept by itself, and the public key is submitted to the CA to issue a certificate and publish it.
Certificate for signature, including: private key + public key certificate; certificate for signature verification, root certificate (trusted domain certificate)
If it is RAW or Detech, it may involve the opponent's public key certificate, and the synchronization of the opponent's public key certificate, configure CRL
Application: identity proof, electronic signature, key loss does not need to be recovered, just reissue the certificate
encryption certificate
The key is generated on the server side, and the public and private keys are recorded/backed up in the KMC on the server side. The private key is sent to the client for storage and use, and the public key is handed over to the CA to issue a certificate and publish it.
Application: data encryption, the encrypted data can be decrypted by the private key backed up by the server, and the lost private key of the client can be found through the CA
Digital Certificate Certificate Chain
certificate chain formation
Root-CA:
The root CA generates a pair of public key and private key (generated and stored by the encryption machine), uses the private key to digitally sign the information of its own CA and the public key (operation by the encryption machine), and encapsulates and issues the root CA certificate
Intermediate CA:
The intermediate CA generates a pair of public key and private key (generated and stored by the encryption machine), digitally signs the information and public key of the intermediate CA with the private key of the root CA (encryption machine operation), and encapsulates the intermediate CA certificate. The upper-level CA issues certificates to the lower-level CA according to this logic.
User certificate:
The final CA (operating CA) private key digitally signs the user information and public key to obtain the user certificate. User certificates are divided into signature certificates and encryption certificates, and the issuance process is different.
The level-by-level relationship of certificates forms a certificate chain.
Digital certificate issuance
There are several ways for a CA to distribute certificates to users. The first way is out-of-band distribution (Out-of-band Distribution), that is, offline. For example, the key pair is generated by the software operator instead of the customer, and the certificate is also downloaded from the CA by the operator instead of the customer, and then the private key and the downloaded certificate are stored in a floppy disk, and then handed over to the user. The advantage of this is that it saves users the trouble of downloading certificates online. The second way is in-band distribution (In-band distribution), that is, users download digital certificates from the Internet to their computers. When downloading, the user should show the "reference number" and "authorization code" to the CA to prove his identity to the CA. This is less expensive, but for users who are not familiar with using computers, they may encounter some troubles when downloading. In addition to the above two methods, the CA also centrally places the certificate in the public database and publishes it, and users can query and call it whenever they want.
Certificate issuance process :
Prerequisite: The certificate application process has been completed, and the reference number and authorization code for downloading the certificate have been obtained:
1. The client generates a public-private key pair;
2. The public key and user application information are signed by the private key to form an application file (CSR);
3. Submit the CSR+ reference number authorization code to the CA side;
4. The CA verifies and inquires the information of the applicant user through the authorization code of the reference number;
5. The CA forms the certificate data with the public key and the information of the user applying for the certificate;
6. The CA digitally signs the certificate data with the private key, and packages the certificate data into a digital certificate;
7. The digital certificate is issued to the client;
8. The client saves the digital certificate.
数字证书载体
数字证书和私钥储存的介质有多种,大致分为硬证书和软证书。可以存储在计算机硬盘、软盘、智能卡或USB key里。
1、软件载体
证书与私钥以数字文件形式存在
无成本,无兼容性问题
不能完全阻止私钥复制,不能确保唯一性,依赖于计算机系统自身的安全性
2、IC卡/USB Key载体
安全性高,确保证书私钥唯一性和不被复制
PIN机制保护私钥
驱动与CSP问题
有成本,硬件驱动和CSP等的兼容性问题