What is e-commerce public key?

analysis:

public key certificate and certificate authority

term definitions

1. Digital authentication: the use of digital certificates to confirm, identify and authenticate the identities of participants or servers in information exchange on the network.

2. Public key certificate: associates a public key with a specific person, device or other entity. A public key certificate is signed by a certificate authority and contains the exact identity of the holder.

3. Public key digital certificate: a document on the network that proves that the owner of the public key in the dual-key system is the user recorded in the certificate.

4. Single public key certificate: mutual authentication of all users in a system.

5. Multi-public key certificate: used for mutual authentication of users without certificates.

6. Customer certificate: proves the identity of the customer and the ownership of the key.

7. Server certificate: verifies the identity and public key of the server.

8. Secure e-mail certificate: confirms the identity and public key of the e-mail user.

9. CA certificate: proves the identity of the CA and the CA's signature key.

10. Certificate authority (CA): creates and issues certificates. It usually issues certificates to a limited group called a security domain.

11. Security server: serves ordinary users, providing security services such as certificate application, browsing, the certificate revocation list and certificate download.

12. CA server: the core of the whole certificate authority, responsible for issuing certificates.

13. LDAP server: provides a directory browsing service and is responsible for adding the user information and digital certificates transmitted by the registrar server to the server.

14. Database service: the core part of the certificate authority, used for storing and managing the certificate authority's data, logs and statistical information.

15. Public key user: the entity that needs to know the public key is the public key user.

16. Certificate renewal: when the certificate holder's certificate has expired, been stolen or been attacked, the holder renews the certificate and continues to participate in online certification with a new certificate. Certificate renewal includes certificate replacement and certificate extension.

short answer:

1. What are the conditions for a valid certificate?

A: (1) The certificate has not expired. (2) The key has not been modified. If the key is modified, the original certificate should be withdrawn and no longer used. If an employee leaves the company, the corresponding certificate can be withdrawn. If it is not withdrawn and the key has not been modified, the certificate can continue to be used. (3) The certificate is not in the list of invalid certificates issued by the CA. The CA is responsible for withdrawing certificates and issuing the list of invalid certificates. Users should revoke the certificate promptly once they find that the key has been leaked, and the CA gives notice to stop using it and puts it on file.

2. What are the two ways to generate key pairs?

A: (1) The key pair holder generates the key pair: the user generates the key pair himself with hardware or software. If the key pair is used for digital signatures, it should support non-repudiation. (2) The key pair is generated by a general system: it is generated by a trusted central organization that users rely on, and then securely sent to the specific user's device. Using the resources of such a center, high-quality key pairs can be generated, and they are easy to back up and manage.

3. What are the types of certificates?

A: (1) Personal certificate: confirms the identity of the customer and the ownership of the key. In some cases, the server will require a personal certificate to prove the identity of the customer when establishing an SSL connection. Users can apply to a CA and get a personal certificate after examination.

(2) Server certificate: confirms the identity and public key of the server. When the client requests an SSL connection, the server transmits the server certificate to the client. After receiving the certificate, the client can check whether the CA that issued the certificate should be trusted. For an untrusted CA, the browser will prompt the user to accept or reject the certificate.

(3) Mail certificate: confirms the identity and public key of the e-mail user. Some secure e-mail applications can use e-mail certificates to verify the identity of users and to encrypt and decrypt information.

(4) CA certificate: proves the identity of the CA and its signature key. In the Netscape browser, the server administrator can see the CA certificates accepted by the service and choose whether to trust them. A CA certificate allows a CA to issue other types of certificates.

4. How to secure the key?

A: After the key pair is generated according to the algorithm, the private key should first be given to the user. If a backup is needed, its security should be guaranteed. The public key should be given to the CA to generate the corresponding certificate.

To prevent unauthorized users from accessing the key, the key should be stored in tamper-proof hardware or a card, or encrypted and stored in a computer file.

Changing the key pair regularly is also an important measure to ensure security.

5. What are the steps to generate a certificate after CA authenticates the identity of the applicant?

A: (1) The CA retrieves the required certificate content information.

(2) The CA confirms the correctness of this information.

(3) The CA signs the certificate with its signature key.

(4) A copy of the certificate is sent to the registrant, who is asked to send back a receipt for the certificate when necessary.

(5) The CA sends the certificate to the certificate database and publishes it to the public retrieval service organization.

(6) Usually, the CA files the certificate.

(7) The CA records some details of the certificate generation process in the audit record.
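An added example (not from the original page) that models the signing step (3) above and the three validity conditions from question 1, plus a check of the CA's signature, which goes slightly beyond the listed conditions. The toy RSA parameters, the field names and the `issue` and `check` helpers are assumptions made for illustration; the "key has not been modified" condition is modelled as a comparison with the holder's current key.

```python
import hashlib
from datetime import date

# Toy RSA parameters for illustration only (two Mersenne primes). A real CA
# uses a vetted library and a key of 2048 bits or more.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
CA_N = P * Q                              # CA public modulus
CA_D = pow(E, -1, (P - 1) * (Q - 1))      # CA private signing exponent


def _digest(body: dict) -> int:
    """Hash the certificate content in a fixed field order to an integer < n."""
    data = "|".join(f"{k}={body[k]}" for k in sorted(body)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N


def issue(serial: int, subject: str, subject_key: str, not_after: date) -> dict:
    """Step (3): the CA signs the certificate content with its signature key."""
    body = {"serial": serial, "subject": subject,
            "subject_key": subject_key, "not_after": not_after.isoformat()}
    return {**body, "signature": pow(_digest(body), CA_D, CA_N)}


def check(cert: dict, today: date, crl: set, current_key: str) -> list:
    """Return the reasons a certificate is invalid; an empty list means valid."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    problems = []
    if pow(cert["signature"], E, CA_N) != _digest(body):
        problems.append("bad CA signature")      # content altered after signing
    if today > date.fromisoformat(cert["not_after"]):
        problems.append("expired")               # condition (1)
    if cert["subject_key"] != current_key:
        problems.append("key changed")           # condition (2), as modelled here
    if cert["serial"] in crl:
        problems.append("revoked")               # condition (3): on the CA's list
    return problems


# Constructed sample data: a certificate for "alice" and a tampered copy of it.
alice = issue(1001, "alice", "alice-key-v1", date(2030, 1, 1))
forged = {**alice, "subject": "mallory"}
```
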

6. What is the basic function of public key certificate?

A: A public key certificate associates the public key with an individual's identity, personal information or the relevant identity information of other entities. When verifying a digital signature with a public key, other information about the signer is sometimes needed before the signature is confirmed, especially whether the signer has been authorized to sign for a specific purpose.

The distribution of authorization information also needs to be realized through certificates. By issuing certificates, it can be announced that a person or entity has specific rights or authority, so that others can identify and recognize it.

7. Why can double-key cryptosystem encryption guarantee the confidentiality of data?

A: A double-key cryptosystem uses a pair of keys, a public key and a private key. The public key can be made public and the private key is kept by the holder. Data encrypted with the public key can be unlocked with the holder's private key, which ensures the confidentiality of the data. For a digital signature, the data is encrypted with the private key and can be decrypted by anyone who has the public key. As the private key is kept only by the holder, this proves that the information comes from the holder of the private key, so it cannot be denied and is complete.