CN107171814A - A kind of digital certificate updating method and device - Google Patents
A kind of digital certificate updating method and device Download PDFInfo
- Publication number
- CN107171814A CN107171814A CN201710618107.6A CN201710618107A CN107171814A CN 107171814 A CN107171814 A CN 107171814A CN 201710618107 A CN201710618107 A CN 201710618107A CN 107171814 A CN107171814 A CN 107171814A
- Authority
- CN
- China
- Prior art keywords
- certificate
- old
- file
- module
- updating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 55
- 238000009434 installation Methods 0.000 claims abstract description 10
- 238000012795 verification Methods 0.000 claims description 22
- 238000001514 detection method Methods 0.000 claims description 16
- 230000005540 biological transmission Effects 0.000 claims description 7
- 238000012217 deletion Methods 0.000 claims description 6
- 230000037430 deletion Effects 0.000 claims description 6
- 238000012545 processing Methods 0.000 abstract description 2
- 208000013641 Cerebrofacial arteriovenous metameric syndrome Diseases 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 2
- 230000003993 interaction Effects 0.000 description 2
- 230000004075 alteration Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005242 forging Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The application provides a kind of digital certificate updating method and device, and methods described includes:Verify old certificate file and certificate signature;The new certificate file of installation and execution signature process;Delete old instance objects and certificate file.Digital certificate updating method and device that the application is proposed, the equipment of certificate update are become the safety element module of terminal inner, and the mode of certificate update is to interact processing by the safety element module of TSM platforms and terminal, greatly improves security.And by certificate update to terminal inner, rather than the separate hardware such as key devices, so that user just can complete corresponding operating without carrying hardware keys equipment, so as to facilitate user.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for updating a digital certificate.
Background
Public Key Infrastructure (PKI) is a Key management platform that ensures system information security and is responsible for verifying the identity of the holder of a digital certificate by using Public Key technology and the digital certificate. The technology is widely applied to the fields of online banking, electronic commerce, electronic government affairs and the like. An integrated PKI system is composed of a Certificate Authority (CA), a Key Management Center (KMC), a registration Authority, a directory service, and a security certificate application software and a certificate application service, wherein the certificate Authority is in a central position in the PKI system.
The CA center is also called a digital certificate authentication center, is used as a trusted third party in electronic commerce transactions, and specially solves the problem of validity of a public key in a public key system. The CA center issues a digital certificate for each user who uses the public key, and the role of the digital certificate is to verify that the name of the user listed in the certificate corresponds to the public key listed in the certificate. The digital signature of the CA center prevents attackers from forging and tampering with the digital certificate.
A Registration Authority (RA) center is an extension of the CA function, and is responsible for information entry, verification, certificate issuance, and other work of a certificate applicant; meanwhile, the corresponding management function is completed for the issued certificate. The RA center is an indispensable part of the normal operation of the entire CA center. The CA center takes centralized certificate issuing or online certificate issuing as a main certificate issuing mode; in this case, the service steps of user registration, registration auditing, unified certification and the like all need to be unified and normalized, and the services can be realized by the RA center.
The user security terminal is a tool used by a user for electronic signature and digital authentication on the internet, and the user security terminal generally uses a built-in security chip and adopts a 1024-bit or 2048-bit asymmetric key algorithm or a national key algorithm to encrypt, decrypt and digitally sign data on the internet, so that the confidentiality, authenticity, integrity and non-repudiation of online transactions are ensured. The user security terminal stores the private key and the digital certificate of the user, the authentication of the user identity is realized by utilizing a built-in public key algorithm, and meanwhile, the built-in security chip also ensures that the private key of the user certificate cannot be copied or exported. USB-KEY and SD-KEY used by users such as internet bank users, electronic commerce websites or mobile terminals are common security terminals.
At present, the updating process of the certificate needs hardware equipment to participate each time, and data interaction is carried out with a desktop, so that the use and operation of a user are very inconvenient, and in terms of safety, the current certificate updating process and the certificate data flow need to participate in three aspects, namely a background, a PC (personal computer) or a mobile phone and safety terminal hardware, and if one participation aspect can be reduced, the safety of certificate updating can be further improved.
Disclosure of Invention
In order to solve the above problems, the present application provides a method and an apparatus for updating a digital certificate. The application provides a digital certificate updating method, which comprises the following steps:
step S1: verifying the old certificate file and the certificate signature;
step S2: installing a new certificate file and executing a signature process;
step S3: the old instance object and certificate file are deleted.
Preferably, the step S1 of verifying the old certificate file and the certificate signature includes:
step S101: sending a certificate updating request by an application program memory;
step S102: the integrated access management server receives the request, verifies the old certificate stored in the application program memory, if the verification is successful, step S103 is executed, otherwise, the method is ended;
step S103: sending a verification signature request to the secure element;
step S104: the embedded security element sends the signature file of the old certificate to the comprehensive access management server;
step S105: the integrated access management server verifies the signature of the old certificate, if the verification is successful, step S2 is executed, otherwise, the method is ended.
Preferably, the step S2 of installing a new certificate file includes:
step S201: the comprehensive access management server sends an updating instruction to the trusted service management platform;
step S202: creating an instance object at the embedded secure element;
step S203: the trusted service management platform sends an instruction for installing the personal identification password;
step S204: the embedded security element installs the personal identification password on the instance object;
step S205: the trusted service management platform sends a certificate file to the embedded security element;
step S206: the embedded secure element installs the certificate file in the instance object.
Preferably, the step S3 of deleting the old instance object and the certificate file includes:
step S301: the trusted service management platform sends out an old instance object deletion instruction;
step S302: deleting the old instance object by the embedded safety element;
step S303: the trusted service management platform sends out a detection instruction;
step S304: the embedded security element detects the result, and determines whether the detection is successful, if so, step S305 is executed, otherwise, step S2 is executed;
step S305: displaying the update completion in the application memory.
More preferably, before executing step S2, installing the new certificate file, the following operations are also executed:
step R101: the trusted service management platform selects the shared secret data to send an external authentication instruction to the embedded security element;
step R102: and the embedded safety element carries out external authentication on the trusted service management platform.
Preferably, before executing step S203 and the trusted service management platform issues an instruction to install the personal identification code, the following operations are further executed:
step R201: the trusted service management platform sends an application identifier matching instruction;
step R202: and judging whether the ESE matching is successful or not, if so, executing the step S203, and otherwise, ending the method.
The present application further provides a digital certificate updating system, including:
the system comprises a comprehensive access management server, a trusted service management platform, an application program memory, a user application memory, a trusted application memory and an embedded security element;
the integrated access management server is connected with the trusted service management platform, the trusted service management platform is connected with the application program memory, the trusted service management platform is connected with the embedded security element, and the embedded security element is connected with the application program memory.
The present application further provides a digital certificate updating apparatus, including:
the old certificate verifier is used for verifying the old certificate file and the certificate signature;
a new certificate installer for installing new certificate files and performing a signing process;
and the old certificate deleter is used for deleting the old instance object and the certificate file.
Preferably, the old certificate verifier includes:
the updating request module is used for sending a certificate updating request to the application program memory;
the old certificate verification module is used for verifying the old certificate stored in the application program memory after the comprehensive access management server receives the request;
the signature request module is used for sending a signature verification request to the embedded security element;
the data transmission module is used for sending the signature file of the old certificate to the comprehensive access management server by the embedded security element;
and the signature verification module is used for verifying the signature of the old certificate by the comprehensive access management server.
Preferably, the new certificate installer includes:
the updating instruction module is used for sending an updating instruction to the trusted service management platform by the comprehensive access management server;
an instance creation module to create an instance object in the embedded secure element;
the identification instruction module is used for sending an instruction for installing the personal identification password by the trusted service management platform;
the personal identification password installation module is used for installing the personal identification password for the example object;
the file transmission module is used for sending the certificate file to the embedded security element by the trusted service management platform;
and the certificate installation module is used for installing the certificate file in the instance object by the embedded security element.
Preferably, the old certificate remover comprises:
the deleting instruction module is used for sending an old instance object deleting instruction by the trusted service management platform;
the instance deleting module is used for deleting the old instance object by the embedded security element;
the detection instruction module is used for sending a detection instruction by the trusted service management platform;
the result detection module is used for detecting the result and judging whether the result is successful;
and the update display module is used for displaying the update completion in the application program memory.
The method and the device for updating the digital certificate provided by the invention have the following technical effects that:
1. according to the digital certificate updating method and device, an SE (secure element) module in the terminal is used as certificate updating equipment, and the certificate updating mode is that interaction processing is carried out between the SE module and a TSM (Trusted Service Manager) platform, so that the certificate updating safety is greatly improved.
2. According to the digital certificate updating method and device, the terminal is used for updating the certificate, so that the user can complete the certificate updating operation without carrying independent hardware equipment.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a schematic diagram of the digital certificate updating system of the present application;
FIG. 2 is a schematic structural diagram of a digital certificate updating apparatus according to the present application;
FIG. 3 is a schematic diagram of an old certificate verifier according to the present application;
FIG. 4 is a schematic diagram of a new certificate installer of the present application;
FIG. 5 is a schematic diagram of an old certificate remover according to the present application;
FIG. 6 is a flow chart illustrating a digital certificate updating method according to the present application;
FIG. 7 is a flowchart of a method for verifying old certificate documents and certificate signatures according to the present application;
FIG. 8 is a flowchart of a method for installing a new certificate file and performing a signing process according to the present application;
FIG. 9 is a flowchart of a method for deleting old instance objects and certificate files according to the present application;
FIG. 10 is a flow chart of a method of external authentication of the present application;
fig. 11 is a flowchart of a method for AID matching according to the present application.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
The present application proposes a digital certificate updating system, as shown in fig. 1, including:
a Comprehensive Access Management Server 11 (computer Access Management Server, CAMS), a Trusted Service Management platform 12 (TSM), an Application (APP) memory 13, a user Application (CA) memory 14, a Trusted Application (TA) memory 15, and an Embedded Secure Element 16 (ESE);
the integrated access management server 11 is connected with the trusted service management platform 12, the trusted service management platform 12 is connected with the application program 13, the trusted service management platform 12 is connected with the embedded secure element 16, the embedded secure element 16 is connected with the APP memory 13, and the CA memory 14 and the TA memory 15 are respectively connected with the embedded secure element 16 and are connected with each other.
The above-mentioned digital certificate updating system, in which a digital certificate updating apparatus is used when updating ESE by TSM, as shown in fig. 2, includes:
an old certificate verifier 21, a new certificate installer 22, and an old certificate remover 23;
the old certificate verifier 21 is configured to verify an old certificate file and a certificate signature;
as shown in fig. 3, the old certificate verifier 21 includes:
an update request module 31, an old certificate verification module 32, a signature request module 33, a data transmission module 34, and a signature verification module 35; wherein,
an update request module 31, configured to send a certificate update request to the application program memory; an old certificate verification module 32, configured to verify an old certificate stored in the application storage, when the integrated access management server receives the request; a signature request module 33, configured to send a verification signature request to the embedded secure element; the data transmission module 34 is used for the embedded security element to send the signature file of the old certificate to the integrated access management server; and the signature verification module 35 is used for verifying the signature of the old certificate by the integrated access management server.
When the certificate is soon due, the CAMS sends update prompt information to the APP, specifically,
the method for judging the fast expiration of the certificate comprises any one of the following steps:
when detecting that the mobile phone terminal communicates with the main device for the first time, the main device analyzes the set expiration time of the certificate from the certificate stored in the mobile phone terminal;
analyzing the set expiration time of the certificate from the certificate stored in the mobile phone terminal, and storing or updating the certificate expiration time recorded in advance on the main equipment;
and the main equipment judges whether the residual effective time of the certificate meets a preset pre-reminding time point or not under the condition that the certificate does not expire, and if so, reminds the user that the certificate is about to expire according to a reminding mode corresponding to the met pre-reminding time point.
A new certificate installer 22 for installing a new certificate file and performing a signing process;
the new certificate installer 22, as shown in fig. 4, includes:
an update instruction module 41, an instance creation module 42, an identification instruction module 43, a personal identification Number (PIN code) installation module 44, a file transfer module 45, and a certificate installation module 46; wherein,
an update instruction module 41, configured to send an update instruction to the trusted service management platform by the integrated access management server; an instance creation module 42 for creating an instance object in the embedded secure element; an identification instruction module 43, configured to send an instruction for installing a personal identification password from the trusted service management platform; a personal identification code installation module 44, configured to perform personal identification code installation on the instance object; the file transmission module 45 is used for sending the certificate file to the embedded security element by the trusted service management platform; and a certificate installation module 46, configured to install the certificate file in the instance object by the embedded secure element.
When receiving a request sent by an APP, a CA judges the request and judges whether the request is sent from a trusted APP and a legal client.
The CA judges the request by analyzing the request file to obtain the equipment information and the APP information therein, uploads the information to the security server for comparison, and if the equipment information and the APP information are the same, the information is considered to be sent from the trusted APP and the legal client.
And in order to further increase the security of the certificate, before sending the certificate file, the TSM encrypts the file to be sent by using the ESE public key, and after the ESE receives the certificate file, the TSM decrypts the file by using the negotiated private key to obtain the plaintext certificate.
And the old certificate deleter 23 is used for deleting the old instance object and the certificate file.
Specifically, as shown in fig. 5, the old certificate remover 23 includes:
a deletion instruction module 51, an instance deletion module 52, a detection instruction module 53, a result detection module 53, and an update display module 54; wherein,
a delete instruction module 51, configured to send an old instance object delete instruction by the trusted service management platform; an instance deletion module 52, configured to delete the old instance object by the embedded secure element; a detection instruction module 53, configured to send a detection instruction by the trusted service management platform; a result detecting module 54, configured to detect a result and determine whether the result is successful; and an update display module 55 for displaying the update completion in the application program memory. Obviously, the TSM needs to effectively manage the certificate to support the above digital certificate updating system and apparatus, and the specific method is as follows:
firstly, configuring a digital certificate into a database; secondly, checking whether the digital certificate in the database needs to be updated, if so, continuing, otherwise, exiting; then, the digital certificate in the database is artificially updated (or automatically updated); and finally, setting the digital certificate to be in a non-updated state, and finishing the process of maintaining the TSM certificate.
In the process of updating the certificate in the ESE, in order to further guarantee the safety of the ESE, an application access safety method is adopted, and specifically, only a specified application is set to be capable of accessing the ESE;
the specified application can be carried by the user when the mobile phone leaves the factory, or downloaded to the mobile phone by CAMS or other security ways after the user passes the security authentication;
after the certificate of the ESE is updated, if the designated application is obtained in a downloading mode, the ESE is deleted from the mobile phone to ensure that information is not divulged.
The digital certificate updating apparatus and system proposed in the present application are described above with reference to fig. 1 to 5, and the digital certificate updating method proposed in the present application is described below with reference to fig. 6 to 11
The digital certificate updating method provided by the present application, as shown in fig. 6, includes:
step S1: verifying the old certificate file and the certificate signature;
as shown in fig. 7, the step S1 includes:
step S101: the application memory 13 issues a certificate update request;
when the certificate is soon due, the CAMS sends update prompt information to the APP, specifically,
the method for judging the fast expiration of the certificate comprises any one of the following steps:
when detecting that the mobile phone terminal communicates with the main device for the first time, the main device analyzes the set expiration time of the certificate from the certificate stored in the mobile phone terminal;
analyzing the set expiration time of the certificate from the certificate stored in the mobile phone terminal, and storing or updating the certificate expiration time recorded in advance on the main equipment;
and the main equipment judges whether the residual effective time of the certificate meets a preset pre-reminding time point or not under the condition that the certificate does not expire, and if so, reminds the user that the certificate is about to expire according to a reminding mode corresponding to the met pre-reminding time point.
Step S102: the integrated access management server receives the request, verifies the old certificate stored in the application program memory 13, if the verification is successful, step S103 is executed, otherwise, the method is ended;
when receiving a request sent by an APP, a CA judges the request and judges whether the request is sent from a trusted APP and a legal client.
The CA judges the request by analyzing the request file to obtain the equipment information and the APP information therein, uploads the information to the security server for comparison, and if the equipment information and the APP information are the same, the information is considered to be sent from the trusted APP and the legal client.
Step S103: sending a verification signature request to the secure element;
step S104: the embedded security element sends the signature file of the old certificate to the comprehensive access management server;
step S105: the integrated access management server verifies the signature of the old certificate, if the verification is successful, step S2 is executed, otherwise, the method is ended.
Step S2: installing a new certificate file and executing a signature process;
as shown in fig. 8, the step S2 includes:
step S201: the comprehensive access management server sends an updating instruction to the trusted service management platform;
step S202: creating an instance object at the embedded secure element;
step S203: the trusted service management platform sends an instruction for installing the personal identification password;
before step S203 is executed and the trusted service management platform issues an instruction to install the personal identification code, the operations shown in fig. 11 are also executed:
step R201: the trusted service management platform sends an Application Identifier (AID) matching instruction;
step R202: and judging whether the ESE matching is successful or not, if so, executing the step S203, and otherwise, ending the method.
By the AID matching verification method as shown in fig. 11, the security of the user can be greatly improved.
Step S204: the embedded security element installs the personal identification password on the instance object;
step S205: the trusted service management platform sends a certificate file to the embedded security element;
before sending the certificate file, the TSM encrypts the file to be sent by using an ESE public key, and after the ESE receives the certificate file, the TSM decrypts the file by using a private key which realizes negotiation to obtain a plaintext certificate.
Step S206: the embedded secure element installs the certificate file in the instance object.
Specifically, before executing step S2, installing a new certificate file, the security of the user operation is also increased by executing the step operations shown in fig. 10:
step R101: the trusted service management platform selects Shared Secret Data (SSD) to send an external authentication instruction to the embedded security element;
step R102: and the embedded safety element carries out external authentication on the trusted service management platform.
Step S3: the old instance object and certificate file are deleted.
As shown in fig. 9, step S3 includes:
step S301: the trusted service management platform sends out an old instance object deletion instruction;
step S302: deleting the old instance object by the embedded safety element;
step S303: the trusted service management platform sends out a detection instruction;
step S304: the embedded security element detects the result, and determines whether the detection is successful, if so, step S305 is executed, otherwise, step S2 is executed;
step S305: the update completion is displayed in the application memory 13.
Obviously, the TSM needs to effectively manage the certificate to support the above digital certificate update method, and the specific method is as follows:
firstly, configuring a digital certificate into a database; secondly, checking whether the digital certificate in the database needs to be updated, if so, continuing, otherwise, exiting; then, the digital certificate in the database is artificially updated (or automatically updated); and finally, setting the digital certificate to be in a non-updated state, and finishing the process of maintaining the TSM certificate.
In the digital certificate updating device provided by the application, when the certificate in the ESE is updated, in order to further guarantee the safety of the ESE, an application access safety method is adopted, and specifically, only a specified application is set to be capable of accessing the ESE;
the specified application can be carried by the user when the mobile phone leaves the factory, or downloaded to the mobile phone by CAMS or other security ways after the user passes the security authentication;
after the certificate of the ESE is updated, if the designated application is obtained in a downloading mode, the ESE is deleted from the mobile phone to ensure that information is not divulged.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (10)
1. A method for updating a digital certificate, comprising:
step S1: verifying the old certificate file and the certificate signature;
step S2: installing a new certificate file and executing a signature process;
step S3: the old instance object and certificate file are deleted.
2. The method for updating a digital certificate according to claim 1, wherein the step S1 of verifying the old certificate file and the certificate signature comprises:
step S101: sending a certificate updating request by an application program memory;
step S102: the integrated access management server receives the request, verifies the old certificate stored in the application program memory, if the verification is successful, step S103 is executed, otherwise, the method is ended;
step S103: sending a verification signature request to the embedded security element;
step S104: the embedded security element sends the signature file of the old certificate to the comprehensive access management server;
step S105: the integrated access management server verifies the signature of the old certificate, if the verification is successful, step S2 is executed, otherwise, the method is ended.
3. The digital certificate updating method according to claim 1, wherein the step S2 of installing a new certificate file comprises:
step S201: the comprehensive access management server sends an updating instruction to the trusted service management platform;
step S202: creating an instance object at the embedded secure element;
step S203: the trusted service management platform sends an instruction for installing the personal identification password;
step S204: the embedded security element installs the personal identification password on the instance object;
step S205: the trusted service management platform sends a certificate file to the embedded security element;
step S206: the embedded secure element installs the certificate file in the instance object.
4. The method for updating a digital certificate according to claim 1, wherein the step S3 of deleting the old instance object and the certificate file comprises:
step S301: the trusted service management platform sends out an old instance object deletion instruction;
step S302: deleting the old instance object by the embedded safety element;
step S303: the trusted service management platform sends out a detection instruction;
step S304: the embedded security element detects the result, and determines whether the detection is successful, if so, step S305 is executed, otherwise, step S2 is executed;
step S305: displaying the update completion in the application memory.
5. The digital certificate updating method according to any of claims 1-4, wherein before executing step S2, installing a new certificate file, the following operations are further executed:
step R101: the trusted service management platform selects the shared secret data to send an external authentication instruction to the embedded security element;
step R102: and the embedded safety element carries out external authentication on the trusted service management platform.
6. The method for updating digital certificate as claimed in any of claims 1-4, wherein before step S203, the trusted service management platform issues the instruction to install the personal identification number, the following operations are further executed:
step R201: the trusted service management platform sends an application identifier matching instruction;
step R202: and judging whether the ESE matching is successful or not, if so, executing the step S203, and otherwise, ending the method.
7. A digital certificate updating apparatus, comprising:
the old certificate verifier is used for verifying the old certificate file and the certificate signature;
a new certificate installer for installing new certificate files and performing a signing process;
and the old certificate deleter is used for deleting the old instance object and the certificate file.
8. The digital certificate updating apparatus as defined in claim 7, wherein the old certificate verifier includes:
the updating request module is used for sending a certificate updating request to the application program memory;
the old certificate verification module is used for verifying the old certificate stored in the application program memory after the comprehensive access management server receives the request;
the signature request module is used for sending a signature verification request to the embedded security element;
the data transmission module is used for sending the signature file of the old certificate to the comprehensive access management server by the embedded security element;
and the signature verification module is used for verifying the signature of the old certificate by the comprehensive access management server.
9. The digital certificate updating apparatus as claimed in claim 7, wherein said new certificate installer comprises:
the updating instruction module is used for sending an updating instruction to the trusted service management platform by the comprehensive access management server;
an instance creation module to create an instance object in the embedded secure element;
the identification instruction module is used for sending an instruction for installing the personal identification password by the trusted service management platform;
the personal identification password installation module is used for installing the personal identification password for the example object;
the file transmission module is used for sending the certificate file to the embedded security element by the trusted service management platform;
and the certificate installation module is used for installing the certificate file in the instance object by the embedded security element.
10. The digital certificate updating apparatus as claimed in claim 7, wherein said old certificate remover comprises:
the deleting instruction module is used for sending an old instance object deleting instruction by the trusted service management platform;
the instance deleting module is used for deleting the old instance object by the embedded security element;
the detection instruction module is used for sending a detection instruction by the trusted service management platform;
the result detection module is used for detecting the result and judging whether the result is successful;
and the update display module is used for displaying the update completion in the application program memory.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710618107.6A CN107171814A (en) | 2017-07-26 | 2017-07-26 | A kind of digital certificate updating method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710618107.6A CN107171814A (en) | 2017-07-26 | 2017-07-26 | A kind of digital certificate updating method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN107171814A true CN107171814A (en) | 2017-09-15 |
Family
ID=59817441
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710618107.6A Pending CN107171814A (en) | 2017-07-26 | 2017-07-26 | A kind of digital certificate updating method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107171814A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109922056A (en) * | 2019-02-26 | 2019-06-21 | 阿里巴巴集团控股有限公司 | Data safety processing method and its terminal, server |
| CN113259108A (en) * | 2020-02-10 | 2021-08-13 | 上海艾拉比智能科技有限公司 | Certificate updating method, Internet of things platform and Internet of things equipment |
| CN113794564A (en) * | 2021-07-26 | 2021-12-14 | 浪潮软件股份有限公司 | Local SSL self-signed certificate upgrading strategy implementation method of mobile terminal |
| CN115885532A (en) * | 2020-08-18 | 2023-03-31 | 诺基亚通信公司 | Renewing provider certificates in a network |
| WO2024055302A1 (en) * | 2022-09-16 | 2024-03-21 | Nokia Shanghai Bell Co., Ltd. | Method and apparatus for mitigating a risk of service un-availability during ca migaration |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103117987A (en) * | 2011-11-17 | 2013-05-22 | 航天信息股份有限公司 | Digital certificate updating method |
-
2017
- 2017-07-26 CN CN201710618107.6A patent/CN107171814A/en active Pending
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103117987A (en) * | 2011-11-17 | 2013-05-22 | 航天信息股份有限公司 | Digital certificate updating method |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109922056A (en) * | 2019-02-26 | 2019-06-21 | 阿里巴巴集团控股有限公司 | Data safety processing method and its terminal, server |
| US11251976B2 (en) | 2019-02-26 | 2022-02-15 | Advanced New Technologies Co., Ltd. | Data security processing method and terminal thereof, and server |
| CN113259108A (en) * | 2020-02-10 | 2021-08-13 | 上海艾拉比智能科技有限公司 | Certificate updating method, Internet of things platform and Internet of things equipment |
| CN115885532A (en) * | 2020-08-18 | 2023-03-31 | 诺基亚通信公司 | Renewing provider certificates in a network |
| CN113794564A (en) * | 2021-07-26 | 2021-12-14 | 浪潮软件股份有限公司 | Local SSL self-signed certificate upgrading strategy implementation method of mobile terminal |
| WO2024055302A1 (en) * | 2022-09-16 | 2024-03-21 | Nokia Shanghai Bell Co., Ltd. | Method and apparatus for mitigating a risk of service un-availability during ca migaration |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107070667B (en) | Identity authentication method | |
| US7689828B2 (en) | System and method for implementing digital signature using one time private keys | |
| CN111404696B (en) | Collaborative signature method, security service middleware, related platform and system | |
| CN105516948B (en) | A kind of apparatus control method and device | |
| CN108173659B (en) | Certificate management method and system based on UKEY equipment and terminal equipment | |
| EP3535724A1 (en) | Verifying an association between a communication device and a user | |
| CN105915338B (en) | Generate the method and system of key | |
| CN107171814A (en) | A kind of digital certificate updating method and device | |
| CN109359977B (en) | Network communication method, device, computer equipment and storage medium | |
| CN107682160B (en) | Authentication method and device for production equipment and electronic equipment | |
| CN106936588B (en) | Hosting method, device and system of hardware control lock | |
| CN110611657A (en) | File stream processing method, device and system based on block chain | |
| US10372440B1 (en) | Tokenized mobile device update systems and methods | |
| KR20120053929A (en) | The agent system for digital signature using sign private key with double encryption and method thereof features to store in web storage | |
| CN111641615A (en) | Distributed identity authentication method and system based on certificate | |
| CN113472790A (en) | Information transmission method based on HTTPS (hypertext transfer protocol secure protocol), client and server | |
| CN113434882A (en) | Communication protection method and device of application program, computer equipment and storage medium | |
| US11714627B2 (en) | Tokenized mobile device update systems and methods | |
| CN106656955A (en) | Communication method and system and user terminal | |
| CN110838919B (en) | Communication method, storage method, operation method and device | |
| JP6378424B1 (en) | User authentication method with enhanced integrity and security | |
| CN111654503A (en) | Remote control method, device, equipment and storage medium | |
| CN114760070A (en) | Digital certificate issuing method, digital certificate issuing center and readable storage medium | |
| JP5277888B2 (en) | Application issuing system, apparatus and method | |
| CN108964883B (en) | Digital certificate storage and signature method taking smart phone as medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170915 |