Enterprise Level Digital Certificate Authentication System


1) 1. Introduction

The Fisherman Enterprise Level Digital Certificate Authentication System is independently developed by Shandong Fisherman Information Technology Co., Ltd. The system complies with the Certificate Authentication System Cryptographic and Related Security Technical Specification, the Digital Certificate Authentication System Cryptographic Protocol Specification and other related specifications promulgated by the State Cryptography Administration. The system adopts a modular design and consists of subsystems such as the certificate authentication system (CA) and the certificate registration system (RA). The system manages the user's digital certificate throughout its life cycle and is a complete, stable and reliable digital certificate infrastructure product.

2. Features

The Certificate Authority (CA) system manages digital certificates throughout their life cycle, providing users with safe, effective, standardized and unified certificate issuance management services. The CA implements certificate template configuration, issuance policy configuration, personnel rights management, generation, issuance, storage and distribution of certificates and certificate revocation lists (CRLs), certificate query and statistics, and security audit of services and logs.

The Registration Authority (RA) system handles user certificate requests, identity audits, and certificate downloads. It implements personnel rights management, application information entry, application information review, certificate download, certificate template update, user key recovery, and security audit of business operations and logs.

3. Advantages

High Security

The system adopts a strict authority management system, which can effectively prevent unauthorized illegal access. It has a complete log record function. Through the audit analysis of services and system logs, users can discover potential security risks in time.

The communication between the subsystems applies a secure communication protocol based on the authentication mechanism. All cryptographic operations are performed in the cryptographic device, which effectively prevents information leakage and improves system security.

High Reliability

The system adopts a sound structural design, so it can operate stably and efficiently under harsh conditions, and it has complete data backup and recovery functions. Through regular backups, loss of system and business data due to hardware damage can be prevented.

High Portability

The system adopts B/S structure design and has good portability. It can be deployed on a variety of mainstream operating systems. The system encapsulates the data access interface and supports access to multiple databases.

High Usability

System initialization, parameter configuration, business processing and other tasks can all be performed in the browser. The system has a friendly interface with prompts, so the user can complete the relevant operations intuitively and simply.

Support multiple algorithms

Support using SM2 algorithm for certificate issuance

Support using RSA 1024-bit and 2048-bit algorithms for certificate issuance

Support SM1 Symmetric Algorithm.

Support SM3, SHA-1 Hash algorithm

High Performance

Storage capacity of millions of certificates.

Supports 500 concurrent threads.

Hierarchical and modular design, the system has good scalability.

Users can flexibly deploy the system according to the construction scale.

Adopt rich client technology with B/S architecture

The interface is simple and easy to use, providing users with a higher and more comprehensive network experience.

The system is completely self-developed.

The crypto machine, crypto card, USB key, VPN and other cryptographic devices and system software used in the system are independently developed by Fisherman, and all of the equipment has passed the certification of the State Cryptography Administration or the Ministry of Public Security.

The system is completely based on national cryptographic technology.

A VPN encryption channel is used between the CA and the key management (KM) system to ensure the security of data transmission.

The communication between RA and CA, and between CA and KM, uses data encryption and digital signature technology to ensure the confidentiality and integrity of the data and accountability for operational behavior.

2) Overall design of enterprise-level digital certificate system.

From the analysis of management subjects and service objects, the CA system can be generally divided into operational CA and enterprise digital certificate authentication systems.

An operational CA generally exists as a third-party electronic certification service organization and is operated and managed independently. An operational CA can provide legally binding third-party electronic certification services and assumes the corresponding legal responsibilities. Such a CA organization must not only build a professional CA room and sound legal documents, but also ensure the security of the CA system and certification business, and meet requirements covering the physical environment and facilities, organization, personnel, document/record and media management, business continuity, auditing and improvement, and certification service performance. An operational CA can provide services for multiple applications in multiple industries, with strong versatility and independence. The scale of certificates is at least several hundred thousand, and the scale of investment is also relatively large.

The enterprise-level digital certificate authentication system is usually maintained and managed by a specific department or team within the enterprise. It is treated as a type of security system and only provides application security services for the enterprise's own IT system. The certificate size is generally within tens of thousands, and the investment scale is relatively small. The enterprise-level digital certificate authentication system not only needs to be deeply integrated with various applications of the enterprise, but also needs to adapt to the internal administrative mode of the organization, and has high requirements in terms of flexible deployment, ease of use and expansion.

Here is an example:

1. General technical route

(1) Management mode: B/S mode.

(2) Operating platform: In this example, the operating system is Linux, and multiple operating systems should be supported; the database is MySQL, and multiple databases should be supported. The database is accessed through JDBC; the application middleware is Tomcat.

(3) Development tools: We suggest that developers use C, C++ or VC++ to develop foreground modules such as controls and client tools, and use JSP, Servlet or the JDK to develop background Web service modules.

2. Professional technical route

(1) Certificate mechanism

Certificate classification: includes individuals, units, Web, devices, etc., and the certificate type can be expanded.

Certificate status: includes normal, invalid, frozen, thawed, expired, etc.

Certificate business status: includes application, invalidation, freezing, thawing, update, etc. Among these, the application status includes entered, approval passed, approval failed, and produced; the certificate invalidation status includes entered, approval passed, and approval failed; the certificate freezing status includes entered, approval passed, and approval failed; the certificate thawing status includes entered, approved, and failed; the certificate update status includes entered, approved, failed, and updated.

Certificate application process: includes a three-step process and a one-step process. The three-step process consists of entry, audit, and production, and each step is operated by a different operator; the one-step process is completed by the same operator at one time.

Certificate update process: consists of three types of process: a three-step process, a two-step process, and a one-step process. The three-step process consists of entry, review, and update; the two-step process consists of auditing (based on the old certificate) and update. Each step is operated by a different operator; the one-step process is completed by the same operator at one time. The certificate applicant can be authenticated by the old certificate when the certificate is produced.

Certificate invalidation/freeze/thaw process: includes a two-step process and a one-step process. The two-step process consists of entry, review, and compose, and each step is operated by a different operator; the one-step process is completed by the same operator at one time.

(2) Management mechanism

Three-level management system: consists of the CA administrator, the RA administrator, and the RA operator.

Identity authentication: supports certificate mode and password mode.

Access Control: Adopt RBAC mechanism.

CA administrator: The main responsibility is to manage the CA, including initialization, CA policy management, RA management, RA administrator management, query statistics, and mandatory business functions.

RA Administrator: The primary responsibility is to manage the RA operator.

RA Operator: The main responsibility is to operate a specific business, which consists of three roles: recorder, auditor, and producer.

(3) RA service

Business functions: mainly include certificate application, invalidation, update, freezing, RA operator management, query statistics, RA policy management, etc.

RA administrator: The main responsibilities include operator management, query statistics, RA policy configuration, and mandatory business functions.

RA recorder: The main responsibilities include query statistics, record data, etc.

RA auditor: The responsibilities include query statistics, audits, etc.

RA producer: The main duties are query statistics, production, etc.
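The three-step application process (entry, audit, production by different operators) and the RA roles above together describe a separation-of-duties workflow. The following is an added example, not code from the Fisherman product, that models that workflow: each step requires the matching role, the three-step mode refuses to let one operator act twice on the same application, and every step is written to an audit log. Operator names and the `CertificateApplication` class are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    RECORDER = "recorder"   # enters application data
    AUDITOR = "auditor"     # reviews (audits) the application
    PRODUCER = "producer"   # produces (issues) the certificate


class AppState(Enum):
    NEW = "new"
    ENTERED = "entered"
    APPROVED = "approval passed"
    FAILED = "approval failed"
    PRODUCED = "produced"


@dataclass(frozen=True)
class Operator:
    name: str
    roles: frozenset


@dataclass
class CertificateApplication:
    subject: str
    three_step: bool = True                      # False selects the one-step process
    state: AppState = AppState.NEW
    audit_log: list = field(default_factory=list)
    _actors: dict = field(default_factory=dict)  # step name -> operator who performed it

    def _step(self, step, role, operator, allowed_from, new_state):
        if self.state not in allowed_from:
            raise ValueError(f"{step}: not allowed in state '{self.state.value}'")
        if role not in operator.roles:
            raise PermissionError(f"{step}: {operator.name} lacks role '{role.value}'")
        # Separation of duties: in the three-step process each step is done by a different operator.
        if self.three_step and operator.name in self._actors.values():
            raise PermissionError(f"{step}: {operator.name} already acted on this application")
        self._actors[step] = operator.name
        self.state = new_state
        self.audit_log.append((step, operator.name, new_state.value))

    def enter(self, operator):
        self._step("entry", Role.RECORDER, operator, {AppState.NEW}, AppState.ENTERED)

    def review(self, operator, approved):
        self._step("audit", Role.AUDITOR, operator, {AppState.ENTERED},
                   AppState.APPROVED if approved else AppState.FAILED)

    def produce(self, operator):
        self._step("production", Role.PRODUCER, operator, {AppState.APPROVED}, AppState.PRODUCED)

    def one_step(self, operator):
        """One-step process: the same operator completes all three steps at once."""
        if self.three_step:
            raise ValueError("one_step requires an application created with three_step=False")
        self.enter(operator)
        self.review(operator, approved=True)
        self.produce(operator)


def run_three_step_demo():
    """Constructed scenario: three distinct RA operators each perform one step."""
    recorder = Operator("alice", frozenset({Role.RECORDER}))
    auditor = Operator("bob", frozenset({Role.AUDITOR}))
    producer = Operator("carol", frozenset({Role.PRODUCER}))
    app = CertificateApplication("CN=demo-user,O=Example")
    app.enter(recorder)
    app.review(auditor, approved=True)
    app.produce(producer)
    return app


def same_operator_is_rejected():
    """Returns True if an operator holding two roles is still refused the second step."""
    both = Operator("dave", frozenset({Role.RECORDER, Role.AUDITOR}))
    app = CertificateApplication("CN=demo-user-2,O=Example")
    app.enter(both)
    try:
        app.review(both, approved=True)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for entry in run_three_step_demo().audit_log:
        print(entry)
    print("separation of duties enforced:", same_operator_is_rejected())
```

The check is on the operator identity rather than on the role, which is the point: an RA operator may legitimately hold more than one role, but a single application must still pass through three different people in the three-step mode. The audit log records who moved the application into each state, which is what the log security audit in the RA needs.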

(4) Certificate services

The certificate service consists of Web services and non-Web services.

Web services: mainly include CA certificate download (supporting the certificate chain), CRL download, single certificate download/update, dual certificate download/update, Web certificate download, certificate inquiry, self-service entry of applications/updates, self-service entry of invalidation/freeze/unfreeze requests, etc.

Non-Web services: mainly include OCSP/SOCSP services, LDAP certificate services, and certificate verification services.

(5) Security

License control: the license is controlled by the number of certificates and the number of RAs.

Web mode management: identity authentication preferentially uses certificate mode (two-way SSL, or one-way SSL plus security controls); password mode is also supported.

User self-service certificate download: authenticated by password.

Password storage security: the database should be encrypted.

Critical data storage integrity: uses the HMAC mechanism.

Key data transmission confidentiality: uses a symmetric encryption mechanism between RA and CA.
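Two of the items above, HMAC-protected storage of critical data and password-based authentication for self-service download, are shown here in an added example that is not code from the Fisherman product. It seals a certificate record with an HMAC over a canonical serialization so that any changed field is detected, and stores the self-service password as a salted PBKDF2 hash rather than in a form from which the password can be recovered. The MAC key, the record fields and the use of SHA-256 (the page lists SM3 and SHA-1; SHA-256 is used here only because it is always available in Python's `hashlib`) are assumptions; in the product the key would live in the cryptographic device.

```python
import hashlib
import hmac
import json
import os

# Assumption: the page lists SM3 and SHA-1; SHA-256 is used here because hashlib always has it.
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 200_000


def canonical_bytes(record):
    """Deterministic serialization: same fields and values always give the same MAC input."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal_record(record, mac_key):
    """Return a copy of the record with an HMAC tag over all of its other fields."""
    body = {k: v for k, v in record.items() if k != "mac"}
    tag = hmac.new(mac_key, canonical_bytes(body), HASH_NAME).hexdigest()
    return {**body, "mac": tag}


def verify_record(sealed, mac_key):
    """True only if the stored tag matches a recomputed HMAC; constant-time compare."""
    if "mac" not in sealed:
        return False
    body = {k: v for k, v in sealed.items() if k != "mac"}
    expected = hmac.new(mac_key, canonical_bytes(body), HASH_NAME).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def hash_password(password, salt=None):
    """Salted PBKDF2 for the self-service download password; the password itself is not stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(password, stored):
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        hash_name = scheme.split("_", 1)[1]
        dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample data: a certificate record as the RA might store it.
    mac_key = b"constructed-demo-key-from-hsm"
    record = {"serial": "1A2B3C", "subject": "CN=demo-user", "status": "frozen"}
    sealed = seal_record(record, mac_key)
    print("intact record verifies:", verify_record(sealed, mac_key))
    tampered = {**sealed, "status": "normal"}   # e.g. a frozen certificate silently unfrozen
    print("tampered record verifies:", verify_record(tampered, mac_key))
    stored = hash_password("s3cret-download-pw")
    print("password check:", check_password("s3cret-download-pw", stored))
```

Sorting the keys before hashing matters: two records with the same content but a different column order must produce the same tag, otherwise a legitimate re-serialization would look like tampering. Keeping the MAC key out of the database is what makes the tag worth anything; if the key sits beside the rows, an attacker who can edit a row can also recompute the tag.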

3. Introduction of enterprise-level digital certificate authentication system module function.

Modules whose names start with "w" in the enterprise digital certificate authentication system provide their services over the Web.

rCASigner: The main functions include generating the root CA public/private key pair, issuing the root CA certificate, and issuing the operating CA certificate and the CRL signer certificate; supports software and hardware HSMs.

KMCSEV: The main functions include providing an external public/private key pair generation service; supports software and hardware HSMs.

OCASignSrv: The main functions include generating the operating CA public/private key pair, providing the certificate issuing service, supporting single-certificate and dual-certificate signing, supporting software and hardware HSMs, and providing an external license authentication service.

CRLSignSrv: The main functions include generating the public/private key pair of the CRL signer and providing the CRL issuing service to other modules.

wCAMgrSrv: The main functions include configuring CA parameters, managing RAs, managing CA administrators and RA administrators, and the advanced certificate management functions (mandatory application, invalidation, freezing, unfreezing, auditing, update, etc.).

doCRL: The main functions include periodically extracting revoked certificates from the database, submitting them to CRLSignSrv for signing, and saving the resulting CRL to the database or to a file.

doLDAP: The main functions include periodically extracting certificates from the database and publishing them to LDAP.

DB: MySQL is used first.

wUsers: The main functions include downloading the CA certificates (root CA and operating CA), downloading the CRL, querying and downloading other users' certificates by condition, self-service certificate application (generating the public/private key pair, submitting the P10 package, installing the certificate, etc.), and updating the user's own certificate (authenticated by the old certificate).

LDAP: OpenLDAP is used first.

OCSPSrv: Provides an online certificate status query service based on the OCSP protocol.

SCVPSrv: Provides an online certificate verification service based on the SCVP protocol.

wRASrv: The main functions include management of RA operators, the common certificate management functions (certificate application, invalidation, freezing, thawing, update, etc.) and the advanced certificate management functions (mandatory application, invalidation, freezing, thawing, review, update, etc.).

wRAAPI: Provides the RA functions externally in API form, which facilitates integrating the RA with application systems. It mainly exposes the advanced functions such as mandatory application, invalidation, freezing, thawing, auditing, and update.

Cert Tool: The main functions include viewing certificate information, generating or splitting P12 certificate chains, and testing the various encryption algorithms.
