What is a CA certificate?
The role of a CA is to verify the identity of certificate applicants, to issue (sign) certificates so that they cannot be forged or altered without detection, and to manage certificates and keys.

(3) CA Center. The CA Center issues a digital certificate to each user of a public key. The certificate binds the user named in it to the public key it contains: it attests that this user legitimately holds that key. Because the CA signs every certificate it issues, an attacker cannot forge one or modify one without the CA's private key; any change invalidates the signature. In SET transactions the CA issues certificates not only to cardholders and merchants but also to the banks and payment gateways involved, and it is responsible for generating, distributing and managing the certificates of every party in the online transaction.

(4) Types of CA certificates. A CA Center issues two kinds of certificates: SSL certificates and SET certificates. Broadly, SSL (Secure Sockets Layer) certificates serve bank-to-business and business-to-business e-commerce, while SET (Secure Electronic Transaction) certificates are used for credit-card purchases and online shopping. Both identify their holder and support digital signatures, but their trust systems and the standards they follow are entirely different. Put simply, an SSL certificate proves the holder's identity through its public key; a SET certificate proves, through its public key, both the holder's identity and that the holder really has the credit-card account at the designated bank. To obtain a certificate, a user first applies to the CA Center and declares an identity; once the CA Center has confirmed that identity, it issues the corresponding digital certificate.
Certification bodies should follow certain principles when issuing certificates: the serial numbers of the certificates they issue must be unique, the subject contents of certificates obtained by two different entities must differ, and certificates with different subject contents must contain different public keys.

(5) What are the basic principles and functions of a CA certificate? Handshake and communication in the SSL protocol. To understand the SSL protocol better, this section concentrates on its handshake protocol. SSL uses both public-key cryptography and symmetric cryptography: symmetric encryption is much faster, while public-key cryptography provides the stronger identity authentication. The SSL handshake protocol is very effective for mutual authentication between client and server. The main steps are as follows:

① The client's browser sends the server its SSL protocol version, the encryption algorithms (cipher suites) it supports, a freshly generated random number and the other information the two sides need in order to communicate.
② The server replies with its SSL protocol version, the chosen encryption algorithm, its own random number and related information, and also sends the client its certificate.
③ The client uses the information the server sent to check the server's legitimacy: whether the certificate has expired, whether the CA that issued the server certificate is trusted, whether the issuer's public key correctly verifies the issuer's digital signature on the server certificate, and whether the domain name in the server certificate matches the actual domain name of the server.
If this verification fails, the connection is closed; if it succeeds, the handshake continues with step ④.
④ The client randomly generates a "pre-master secret" (the symmetric key material for the coming session), encrypts it with the server's public key (obtained from the server certificate in step ②), and sends the encrypted pre-master secret to the server.
⑤ If the server requires client authentication (optional in the handshake), the client signs a digest of the handshake messages exchanged so far with its own private key and sends that signature to the server together with its own certificate and the encrypted pre-master secret.
⑥ If the server requires client authentication, it must check the legitimacy of the client certificate and the signature: whether the client certificate is within its validity period, whether the CA that issued it is trusted, whether the issuing CA's public key correctly verifies the issuing CA's signature on the client certificate, and whether the client certificate appears on the certificate revocation list (CRL). If any check fails, the connection is terminated immediately. If authentication succeeds, the server decrypts the encrypted pre-master secret with its own private key and runs a series of steps to derive the master secret (the client derives the same master secret by the same method from the same inputs).
⑦ Server and client now share the same master secret, from which the session keys are derived; the encryption and decryption of application data over SSL uses these symmetric keys. At the same time, SSL communication must protect the integrity of the data so that any change in transit is detected.
⑧ The client sends the server a message indicating that subsequent data will be protected with the symmetric keys derived from the master secret of step ⑦, and at the same time informs the server that the client's part of the handshake is finished.
⑨ The server sends the client the same kind of message, indicating that it too will use the keys of step ⑦ for subsequent data and that the server's part of the handshake is finished.

When the SSL handshake ends, communication over the SSL secure channel begins: client and server use the same symmetric keys to protect the data and check its integrity.

The main responsibility of the CA Center is to issue and manage digital certificates; its central tasks are issuing certificates and authenticating user identities. A CA Center needs very strict policies and processes and sound security mechanisms covering separation of security duties, operational security management, system security, physical security, database security, personnel security and key management. It also needs supporting measures such as security auditing, operational monitoring, disaster recovery and backup, and rapid incident response, together with strong tooling for identity authentication, access control, anti-virus and attack prevention. The certificate approval business department of the CA Center is responsible for examining the qualifications of certificate applicants, deciding whether to issue certificates to them, and bearing all consequences of audit errors and of issuing certificates to unqualified applicants.
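The certificate checks of step ③ (expiry, trusted issuer, domain name) and the CRL check of step ⑥, as an added example that is not part of the original page. It is written against the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns, so it can be dropped behind a real connection; the certificate, the trusted-issuer set (standing in for a real trust store) and the revoked set below are constructed. The signature check of step ③ needs an X.509 parser and is left out.

```python
"""Step 3 server-certificate checks and the step 6 CRL check, over a certificate
in the dict form returned by ssl.SSLSocket.getpeercert(). Constructed example,
not code from the page: SERVER_CERT, TRUSTED_ISSUERS and REVOKED are made up."""
import calendar
import time


def cert_time(value: str) -> int:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used by getpeercert() (mirrors ssl.cert_time_to_seconds)."""
    return calendar.timegm(time.strptime(value, "%b %d %H:%M:%S %Y GMT"))


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; '*' allowed only as the entire leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject '*.com' (too broad), 'f*o.example.com' (partial-label wildcard) and a
    # wildcard spanning more than one label ('*.example.com' vs 'a.b.example.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for: subjectAltName, else the legacy subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def issuer_key(cert: dict) -> tuple:
    """Canonical form of the issuer name, independent of RDN ordering."""
    return tuple(sorted((k, v) for rdn in cert["issuer"] for k, v in rdn))


def check_server_cert(cert, hostname, trusted_issuers, revoked=frozenset(), now=None):
    """Return the list of failed checks; an empty list means the certificate is accepted."""
    now = time.time() if now is None else now
    problems = []
    if now < cert_time(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > cert_time(cert["notAfter"]):
        problems.append("certificate expired")
    if issuer_key(cert) not in trusted_issuers:
        problems.append("issuer not trusted")
    if not any(hostname_matches(name, hostname) for name in cert_names(cert)):
        problems.append("hostname mismatch")
    # CRLs are published per issuer, so revocation is keyed on (issuer, serial).
    if (issuer_key(cert), cert["serialNumber"]) in revoked:
        problems.append("certificate revoked")
    return problems


# Constructed test data; this is not a real certificate or trust store.
TRUSTED_ISSUERS = {(("commonName", "Example Root CA"), ("organizationName", "Example Trust Services"))}
SERVER_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trust Services"),), (("commonName", "Example Root CA"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2030 GMT",
    "serialNumber": "0A1B2C3D",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}
REVOKED = {(issuer_key(SERVER_CERT), "0A1B2C3D")}          # the CRL lists this serial
NOW = cert_time("Jun 15 00:00:00 2026 GMT")                 # fixed clock for repeatable results

if __name__ == "__main__":
    print(check_server_cert(SERVER_CERT, "shop.example.com", TRUSTED_ISSUERS, now=NOW))
    print(check_server_cert(SERVER_CERT, "api.shop.example.com", TRUSTED_ISSUERS, now=NOW))
    print(check_server_cert(SERVER_CERT, "a.b.shop.example.com", TRUSTED_ISSUERS, now=NOW))
    print(check_server_cert(SERVER_CERT, "shop.example.com", TRUSTED_ISSUERS, REVOKED, now=NOW))
```

Every failed check is collected rather than returning on the first one, which is what a practitioner wants when diagnosing a rejected connection; a real client must still abort on any non-empty result, as step ③ requires.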
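The exchange of steps ④ to ⑨ above, as an added example that is not part of the original page: both sides' messages are simulated in Python with the standard library only. The RSA key pair is a 512-bit toy generated in-process (real servers use 2048-bit or larger keys), textbook RSA without padding is used so that no third-party library is needed (real SSL/TLS pads the pre-master secret), and the master secret and the Finished values are derived with the TLS 1.2 PRF of RFC 5246 (P_SHA256). Step ③ is assumed to have already been done, so the server's public key is taken as verified.

```python
"""Simulation of the SSL/TLS RSA key exchange of steps 4 to 9.
Constructed example, not code from the page: toy 512-bit RSA generated here,
unpadded textbook RSA for the pre-master secret, TLS 1.2 PRF for derivation."""
import hashlib
import hmac
import os
import random
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)). 512-bit toy modulus; real servers use >= 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, msg: bytes) -> int:
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too large for modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c: int, length: int) -> bytes:
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed) truncated to length bytes."""
    seed = label + seed
    a, out = seed, b""                                          # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()       # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def handshake(server_pub, server_priv):
    """Run steps 4 to 9 between client and server; return what each side derived and checked."""
    transcript = hashlib.sha256()                    # hash of every handshake message so far
    client_random, server_random = os.urandom(32), os.urandom(32)   # steps 1 and 2
    transcript.update(client_random + server_random)
    # Step 3 (certificate verification) is assumed done: server_pub is the verified key.
    pre_master = os.urandom(48)                      # step 4: client picks the pre-master secret
    encrypted = rsa_encrypt(server_pub, pre_master)  # ClientKeyExchange message
    transcript.update(encrypted.to_bytes(64, "big"))
    seed = client_random + server_random
    client_master = prf(pre_master, b"master secret", seed, 48)                              # client, step 7
    server_master = prf(rsa_decrypt(server_priv, encrypted, 48), b"master secret", seed, 48)  # server, step 6
    # Step 8: client Finished proves it holds the master secret and saw the same transcript.
    client_finished = prf(client_master, b"client finished", transcript.digest(), 12)
    server_check = prf(server_master, b"client finished", transcript.digest(), 12)
    transcript.update(client_finished)
    # Step 9: server Finished, computed over the transcript including the client's Finished.
    server_finished = prf(server_master, b"server finished", transcript.digest(), 12)
    client_check = prf(client_master, b"server finished", transcript.digest(), 12)
    return {
        "client_master": client_master,
        "server_master": server_master,
        "client_finished_ok": hmac.compare_digest(client_finished, server_check),
        "server_finished_ok": hmac.compare_digest(server_finished, client_check),
    }


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    result = handshake(pub, priv)
    print("master secrets match:", result["client_master"] == result["server_master"])
    print("Finished checks:", result["client_finished_ok"], result["server_finished_ok"])
```

The two Finished checks are what make the key exchange authenticated: only a party that decrypted the pre-master secret with the server's private key can compute the expected value, and any change to an earlier handshake message changes the transcript hash and therefore the value, which is the integrity guarantee step ⑦ asks for.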
The certificate approval department should therefore be an institution capable of bearing these responsibilities. The Certificate Processor (CP for short) is responsible for producing, issuing and managing the certificates of approved applicants and bears all consequences of operational errors, including loss of confidentiality and issuing certificates to unauthorized persons; this role can be performed by the approval department itself or entrusted to a third party.

(6) What does CA certificate management include? The CA policy administrator can specify CA management policies, including key length, validity period, the root certificate, personal certificates, enterprise certificates and the backup of server certificates.

(7) Draw a diagram illustrating the application process for a CA certificate.

(8) Why do users who have applied for CA certificates export them? Briefly describe the export steps.
1. When normal recovery fails, the data recovery agent needs the data recovery key in order to recover the encrypted data, so protecting the recovery key is very important. A good way to prevent the loss of a recovery key is to import it into the local computer only when it is needed; at all other times, export the data recovery agent's certificate and private key into a .pfx file and store it on secure removable media.
2. Step 1: export the certificate from IE. Open the Tools menu in IE, open the Internet Options dialog, select the Content tab and click Certificates to open the Certificates dialog. Select the certificate to export, click Export and follow the Certificate Export Wizard. Note that the second step of the wizard asks whether to export the private key; select "Yes, export the private key".
After a successful export you obtain a file ending in ".pfx"; because it contains the private key, the password chosen in the wizard is the only protection for that key once the file leaves the computer. Step 2: import the certificate into Webmail. Select Personal Information in the left frame of Webmail, click Set Personal Certificate in the right frame, then click "Import Certificate". In the Upload Certificate dialog, browse to the .pfx file, click Next and enter the key protection password you set in the Certificate Export Wizard in step 1. You may select "Save Password" so that you do not have to enter the password again to read encrypted mail in future. If the import succeeds, Webmail displays a summary of the certificate. With a personal certificate you can send digitally signed mail.