National secret entry and exit parameters must be encrypted and decrypted, requiring two sets of secret keys. In the dual state secret key system, the applicant now has two certificates, one for authentication and one for encryption. The CA has the public and private key pairs used by the user for encryption and decryption, so the CA can decrypt the user's ciphertext.

The role of dual keys

For the generation of certificates for authentication, the user generates a pair of public and private keys by himself, in which he retains the private key for signature, and the public key is sent to the CA organization , ask the CA to sign it and generate a signing certificate for the user. The CA does not have a backup of the user's private key for signing. The user's private signing key is lost and cannot be regenerated. However, because the signing certificate is public, the things it has signed before are still valid.

Generation of certificates used for encryption: This certificate is obtained by the CA agency from its own KMC for the user, and at the same time, it backs up the pair of public and private keys. Then, the CA signs the public key to generate an encryption certificate. The CA uses the user's signature certificate to encrypt the encryption private key, encryption certificate, etc., and then returns it to the user.