Method for on-line querying certificate state of certificate serial number on basis of step-by-step design

Abstract

The invention aims to disclose a method for on-line querying the certificate state of a certificate serial number on the basis of a step-by-step design, when a digital certificate is issued, the certificate serial number is generated step by step; when the certificate state is applied or on-line queried by a user, the certificate serial number and an issuer characteristic value are sent to an on-line certificate state query server, the on-line certificate state query server receives the data, the serial number is restored step by step, the maximum sequence number in the serial number of the certificate which is issued by an issuer is queried in a buffer memory for comparison, and according to the comparison result, the new data is decided to be loaded into the buffer memory for secondary comparison to obtain the comparison result; and the on-line query performance of the certificate state can be greatly optimized in a large-scale public key infrastructure (PKI), and a way is paved for popularizing and using the digital certificate, so the purpose of the invention is realized.

Description

technical field [0001] The invention relates to an online query method, in particular to an online certificate status query method based on certificate serial numbers designed in segments and applicable to the PKI / PMI field. Background technique [0002] With the promotion of PKI / PMI technology, the application of digital certificates has been gradually integrated into daily life, the capacity of certificates issued by public key infrastructure management agencies has gradually expanded, and the scope of certificate applications has become wider and wider. The requirements for online status inquiries are also getting higher and higher. [0003] The current status of the certificate can be checked in the following ways: [0004] 1. On the certificate issuing node on LDAP, query the certificate status. Since there is no DN value of the certificate in the standard certificate status query request, it is impossible to use the inherent advantages of LDAP to perform high-speed qu...

AI Technical Summary

Problems solved by technology

[0004] 1. On the certificate issuing node on LDAP, query the certificate status. Since there is no DN value of the certificate in the standard certificate status query request, it is impossible to use the inherent advantages of LDAP to perform high-speed query. It can only be retrieved based on the serial number. After more than 100,000, the performance drops greatly

[0005] 2. Download the blacklist on LDAP, and only deal with the abolished state. Since the blacklist is not real-time, the timeliness is very poor. At the same time, for the serial number that is not in the blacklist, it is impossible to determine whether it is issued by the issuer. This leaves a loophole for forgery

[0006] 3. Query directly in the release database, which has high timeliness, but as the capacity increases, querying each issue serial number will lead to a great drop in external service performance

[0007] From the above points, it can be seen that the current online certificate status query method has performance bottlenecks in large-scale applications, which will hinder the promotion and application of digital certificates for businesses that require timeliness

Images