CA系统原理讲解.doc

CA注册前端CertificateEnrollControl(xenroll)ApplicationCertificateRequestPKCS10CertificateServer(CA)CertificateStores(Browser MY Store)OrApplicationC+ orVisual BasicApplicationWebPage PKCS10 PersonalInformation ApplicationCertificateReceiptPKCS 7PKCS 7 Link Private Key and PKCS7Install into Browser automatically xenroll的方法：acceptPKCS7 接受CA发放的PKCS #7证书createPKCS10 产生PKCS #10 Certificate Request，同时产生客户端证书私钥getCertFromPKCS7 获得PKCS7证书InstallPKCS7 安装PKCS7证书 xenroll的属性：GenKeyFlags 客户端的证书是否可以被导出，确省值为“CRYPT_EXPORTABLE”KeySpec 客户端私钥的用途 AT_KEYEXCHANGE，AT_SIGNATUREMyStoreNameRootStoreNameCAStoreName CA审核系统批准生成Certificate Request文件证书申请未通过未批准CA管理员审核OpennSSL函数库ApplicationCertificateRequest(PKCS #10)Perl中的DBI：MySQL接口写入MYSQL数据库证书请求表ApplicationCertificateReceipt(PKCS #10)PersonalInformation 扩展信息角色 证书当前序列号 写入MYSQL数据库证书发放表 CA吊销过程更新CRL将个人信息从证书发放表作废；将个人信息写入证书作废表；OpennSSL函数库CA管理员审核Perl中的DBI：MySQL接口用户提出申请 Certificate Request加密格式-BEGIN CERTIFICATE-MIICTDCCAbUCAQkwDQYJKoZIhvcNAQEEBQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMQwwCgYDVQQKEwNQS1UxDjAMBgNVBAsTBUluZm9yMREwDwYDVQQDEwhHb2xkdGVjaDEiMCAGCSqGSIb3DQEJARYTc2hpaGFvXzEwMEBzaW5hLmNvbTAeFw0wMjAzMjgwNDU0MzVaFw0wMjA0MjcwNDU0MzVaMIGZMQswCQYDVQQGEwJDTjEQMA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzEaMBgGA1UEChMRUGVraW5nIFVuaXZlcnNpdHkxHzAdBgNVBAsTFkluZm9ybWF0aW9uIERlcGFydG1lbnQxGjAYBgkqhkiG9w0BCQEWC3JlcmVyZXJlcmVyMQ0wCwYDVQQDEwRyZXJlMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALHnkBT6bI1yt37POTUbj48+8f2S1m7jvu83AywLYOyOUChJn8RLd/SsvMV5xGd8AZd+GXzZcdX9i5WtDV7bt08CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBSgDW+C9muasoE+jUXnnIsjUQSy+gce9MIhgtGDQessVxULaof7i3hIlRIVseHcneH0PJHS5oSz2v4Q9oD4DMAwCzdiFSDc+Lu50v6418D8tUzIsuiGEzWxN2rACcfr2OywDiu2Yy4brpGC6WireuoiR9C6/EWRO3NoLFGxzDYvA=-END CERTIFICATE-每行64字Certificate加密格式-BEGIN CERTIFICATE REQUEST-MIICnjCCAkgCAQAwgZkxCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdCZWlqaW5nMRAwDgYDVQQHEwdCZWlqaW5nMRowGAYDVQQKExFQZWtpbmcgVW5pdmVyc2l0eTEfMB0GA1UECxMWSW5mb3JtYXRpb24gRGVwYXJ0bWVudDEaMBgGCSqGSIb3DQEJARYLcmVyZXJlcmVyZXIxDTALBgNVBAMTBHJlcmUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAseeQFPpsjXK3fs85NRuPjz7x/ZLWbuO+7zcDLAtg7I5QKEmfxEt39Ky8xXnEZ3wBl34ZfNlx1f2Lla0NXtu3TwIDAQABoIIBRzAaBgorBgEEAYI3DQIDMQwWCjUuMC4yMTk1LjIwNQYKKwYBBAGCNwIBDjEnMCUwDgYDVR0PAQH/BAQDAgbAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMIHxBgorBgEEAYI3DQICMYHiMIHfAgECHk4ATQBpAGMAcgBvAHMAbwBmAHQAIABTAHQAcgBvAG4AZwAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIDgYkAjuYPzZPpbLgCWYnXoNeX2gS6nuI4osrWHlQQKcS67VJclhELlnT3hBb9Blr7I0BsJ/lguZvZFTZnC1bMeNULRg17bhExTg+nUovzPcJhMvG7G3DR17PrJ7V+egHAsQV4dQC2hOGGhOnv88JhP9Pwpso3t2tqJROa5ZNRRSJSkw8AAAAAAAAAADANBgkqhkiG9w0BAQUFAANBABCrCSOvajLRDgAtFMO3Y1lHRkNrubCCm1UmgeJcFswg10ZxGW/CWUPlR5C4GXregncyT9YIgn/ANhkj77x4Sbc=-END CERTIFICATE REQUEST-每行72字证书请求的文本格式Certificate Request: Data: Version: 0 (0x0) Subject: C=CN, ST=Beijing, L=Beijing, O=Peking University, OU=Information Department/Email=rererererer, CN=rere Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:b1:e7:90:14:fa:6c:8d:72:b7:7e:cf:39:35:1b: 8f:8f:3e:f1:fd:92:d6:6e:e3:be:ef:37:03:2c:0b: 60:ec:8e:50:28:49:9f:c4:4b:77:f4:ac:bc:c5:79: c4:67:7c:01:97:7e:19:7c:d9:71:d5:fd:8b:95:ad: 0d:5e:db:b7:4f Exponent: 65537 (0x10001) Attributes: .4.1.3 :5.0.2195.2 .4.1.3 :unable to print attribute Requested Extensions: X509v3 Key Usage: critical Digital Signature, Non Repudiation X509v3 Extended Key Usage: TLS Web Client Authentication Signature Algorithm: sha1WithRSAEncryption 10:ab:09:23:af:6a:32:d1:0e:00:2d:14:c3:b7:63:59:47:46: 43:6b:b9:b0:82:9b:55:26:81:e2:5c:16:cc:20:d7:46:71:19: 6f:c2:59:43:e5:47:90:b8:19:7a:de:82:77:32:4f:d6:08:82: 7f:c0:36:19:23:ef:bc:78:49:b7证书的文本格式Certificate: Data: Version: 1 (0x0) Serial Number: 7 (0x7) Signature Algorithm: md5WithRSAEncryption Issuer: C=CN, ST=Beijing, L=Beijing, O=PKU, OU=Infor, CN=Goldtech/Email=shihao_100 Validity Not Before: Mar 28 04:53:00 2002 GMT Not After : Apr 27 04:53:00 2002 GMT Subject: C=CN, ST=Beijing, L=Beijing, O=Peking University, OU=Information Department/Email=rererererer, CN=rere Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:b1:e7:90:14:fa:6c:8d:72:b7:7e:cf:39:35:1b: 8f:8f:3e:f1:fd:92:d6:6e:e3:be:ef:37:03:2c:0b: 60:ec:8e:50:28:49:9f:c4:4b:77:f4:ac:bc:c5:79: c4:67:7c:01:97:7e:19:7c:d9:71:d5:fd:8b:95:ad: 0d:5e:db:b7:4f Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption 10:cf:e4:ad:3c:f5:cf:ee:05:ba:94:58:ec:f1:23:24:d9:89: 8a:9a:01:59:41:e6:e0:d6:87:6a:62:7f:92:8c:45:21:88:dc: fd:b2:1d:14:c5:65:e9:50:8f:f3:cc:39:44:fb:ea:04:20:76: 3b:ab:14:ec:6e:68:3f:8c:34:32:61:09:f8:6a:68:17:c8:f5: 54:24:e6:da:90:dd:f7:f5:74:61:80:bf:96:b3:89:47:6a:29: 81:ae:db:e9:f1:35:58:5d:d4:d1