
Design And Implementation Of Certificate Authority System

Posted on: 2010-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: B M Wang
GTID: 2178360278473198
Subject: Applied Mathematics
Abstract/Summary:
With the rapid development of information security techniques and Public Key Infrastructure (PKI), and with certification centers at all levels being built and promoted, there is an urgent need to develop a Certificate Authentication (CA) system that is reliable and meets a variety of complex applications. Increasing attention is being paid to the limitations of CA systems that cannot meet the needs of many security applications. The state of development of domestic CA systems and the laws and regulations of China's electronic authentication service industry impose higher requirements. There is a pressing need to establish a fully functional, technologically advanced, safe and reliable system based on PKI technologies, in support of standardization of the CA market, an elimination system, and a restructuring mechanism.

The CA system architecture includes four key entities: the KMC subsystem, the CA subsystem, the RA subsystem, and the OCSP/LDAP subsystem. The CA system provides management processes for the digital certificate lifecycle, including user registration management, certificate/CRL generation and issuance, certificate/CRL storage and release, certificate status queries, key generation and management, and process security auditing.

This thesis uses a top-down method to describe the design of the CA system. It first designs the overall framework of the CA system from two aspects, the network topology and the logical structure; then designs the composition of the procedures and modules of the KMC subsystem, CA subsystem, RA subsystem, and OCSP/LDAP subsystem; and finally discusses and designs the certificate template mechanism.

Using the method of grasping the principal contradiction, this thesis then describes the implementation of the authentication system. It starts with the business processes, from two aspects: the overall business process and the user certificate application process. It then describes in detail the business-critical points of the implementation, including the CA system's messages, the construction of the RACA interface, the analysis of RACA business messages, and the message programming for certificate application and for certificate management. Finally, it describes the implementation of the certificate template mechanism, the unified interface, and the system security design.

Compared with a traditional CA system, it has the following improvements and innovations:
(1) It establishes a fully functional, technologically advanced, safe and reliable system based on PKI technologies, which supports the RCA-CA-SCA-RA-LRA hierarchical structure.
(2) It supports a complete dual-certificate mode (encryption certificate and signing certificate) and is compatible with the single-certificate mode.
(3) It has a flexible hierarchical structure, and its subsystems can be freely combined to meet the needs of many security applications.
(4) It offers a certificate template mechanism to meet the needs of many digital certificate applications.
(5) It is open to secondary development and can adapt to changes in the internal and external environment.

The CA system provides basic services for all sectors and has been used in the e-government and e-commerce fields. The integrated application of CA, PMI, and SSO systems has become an industry hot spot and raises higher requirements for the CA system. The significance of this thesis lies in putting forward a complete set of methods for CA systems that has strong practical value and offers an approach for constructing CA systems at all levels. The template mechanism of this thesis can also be used to sign attribute certificates in a Privilege Management Infrastructure (PMI) system. The design methods and analytical models can also be used to guide the development of other large-scale projects.
Keywords/Search Tags:KMC, CA, RA, OCSP, LDAP