Digital certificate processing method and device

Abstract

The invention provides a digital certificate processing method and device. After a domain name application request carrying a to-be-applied domain name is acquired, the to-be-applied domain name carried in the domain name application request is authorized if the to-be-applied domain name carried in the domain name application request is allowed to be registered, a digital certificate correspondingto the authorized to-be-applied domain name is singed and issued, and therefore an N-stage domain name server can be not only be a domain name administrator but also be a novel CA mechanism for signing and issuing the digital certificate corresponding to the domain name. That is to say, for any stage of domain name server, the domain name server only can sign and issue the digital certificate corresponding to the next-stage domain name administrated by the domain name server, therefore, the power that various stages of domain name servers sign and issue the digital certificates is limited, and the problem that the domain name serves are prone to be attacked due to the fact that the power is too large is solved; and in addition, the digital certificate corresponding to the domain name under each stage of domain name server is related to the root domain name server, trust anchors corresponding to the various stages of domain name servers are all root domain name digital certificates ofthe root domain name servers, and then the uniqueness of the trust anchors is achieved.

Description

technical field [0001] The invention belongs to the technical field of network and information security, and in particular relates to a digital certificate processing method and device. Background technique [0002] At present, the digital certificate is in charge of an authoritative and trusted third party, such as a CA (Certificate Authority, certificate authority), and establishes a secure TLS (Transport Layer Security, secure transport layer protocol) connection or SSL (Secure Sockets Layer) connection between the terminal and the server. , Secure Sockets Layer) connection, the terminal needs to obtain the digital certificate sent by the server and verify the digital certificate. In order to obtain and verify digital certificates, the current common method is to pre-install trusted root certificates on terminals. However, there are currently many CA institutions, so that the number of pre-installed root certificates on terminals is large. For example, the number of pre-i...

AI Technical Summary

Problems solved by technology

In order to obtain and verify digital certificates, the current common method is to pre-install trusted root certificates on terminals. However, there are currently many CA institutions, so that the number of pre-installed root certificates on terminals is large. For example, the number of pre-installed root certificates can reach hundreds. Causes certificate trust anchors to be non-unique

[0003] And at present, CA organizations have too much power to issue digital certificates. Any CA organization can issue digital certificates to any domain name. Once any CA organization issues a digital certificate by mistake due to being attacked or cheated, it can use the wrongly issued digital certificate to pretend to be a domain name. Become the owner of a specific domain name and implement a man-in-the-middle attack

Images