
Method and system for checking revocation status of digital certificate in virtual environment

By introducing a certificate revocation list manager into the virtualized environment, certificate revocation status checks are managed uniformly. This addresses the complexity and delay of certificate revocation status checking, enables efficient revocation status queries and CRL management, and is suitable for enterprise-level virtual desktop systems.

Inactive Publication Date: 2015-10-14
INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES +1

AI Technical Summary

Problems solved by technology

However, the CRL download method is sometimes not written in the certificate, and the certificate relying party then has to configure each machine manually, one by one, which is troublesome.
Moreover, even when the CRL download method is written in the certificate, that method is sometimes not supported by the computer systems of some certificate relying parties. For example, the LDAP protocol may not be supported by all certificate relying parties.
As mentioned above, these issues add complexity to the design and implementation of the PKI client, and also cause confusion for the application system and users.
In addition, the certificate relying party starts to download the CRL only after receiving the certificate. Because the CRL file may be relatively large (sometimes exceeding 1M bytes), this causes delays, since subsequent steps can only proceed after the CRL has been downloaded.


Embodiment Construction

[0044] In order to make the above objects, features and advantages of the present invention more obvious and understandable, the present invention will be further described below through specific embodiments and accompanying drawings.

[0045] The certificate revocation list manager used in this embodiment is implemented in the KVM-QEMU virtualization platform. Its configuration interface is integrated into the QEMU console and provides an operation interface to the certificate revocation list manager administrator, so that the administrator can configure the certificate revocation list manager directly on the host. KVM is a module of the Linux kernel and is the core of the entire KVM-QEMU virtualization platform. It is responsible for initializing the processor and providing a series of VMM management interfaces through the ioctl system call, such as creating a VM, mapping the physical address of the VM, and allocating virtual CPUs (vCPUs) to the VM. The w...


Abstract

The invention discloses a method and a system for checking the revocation status of a digital certificate in a virtual environment. The method comprises the following steps: (1) multiple client virtual machines are created on a host machine, and a certificate revocation list manager is arranged in a virtual machine monitor of the host machine; (2) a certificate relying party in each client virtual machine issues a certificate revocation status check service request to the certificate revocation list manager; and (3) the certificate revocation list manager locally queries whether there is a corresponding CRL file according to the certificate revocation status check service request: (a) if there is a corresponding CRL file, the certificate revocation list manager returns the CRL file to the certificate relying parties in the client virtual machines, or the certificate revocation list manager queries whether there is a corresponding certificate serial number in the CRL file and then returns a query result; and (b) if there is no corresponding CRL file, the certificate revocation list manager downloads and verifies a corresponding CRL file and returns the CRL file, or the certificate revocation list manager queries whether there is a corresponding certificate serial number in the CRL file and then returns a query result. By adopting the method and the system, the query efficiency is greatly improved.
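The lookup flow in step (3), sketched as an added example; it is not code from the patent or from QEMU. `CrlManager`, `Crl`, `crl_tag` and `make_crl` are hypothetical names, the CRL is a simplified record rather than a parsed X.509 structure, and an HMAC tag stands in for the CA signature so the block runs offline. Refreshing a cached CRL once its `next_update` has passed is an assumption that goes beyond the abstract.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Crl:                      # simplified CRL model, not an X.509 parser
    issuer: str
    this_update: int            # epoch seconds
    next_update: int
    revoked: frozenset          # revoked certificate serial numbers
    tag: bytes                  # HMAC stand-in for the CA signature

def crl_tag(key, issuer, this_update, next_update, revoked):
    body = f"{issuer}|{this_update}|{next_update}|{sorted(revoked)}".encode()
    return hmac.new(key, body, hashlib.sha256).digest()

def make_crl(issuer, this_update, next_update, revoked, key):
    r = frozenset(revoked)
    return Crl(issuer, this_update, next_update, r, crl_tag(key, issuer, this_update, next_update, r))

class CrlManager:
    """Hypothetical host-side manager shared by every guest VM on the host."""
    def __init__(self, fetch, trust_keys):
        self.fetch, self.trust_keys = fetch, trust_keys   # download hook, issuer -> key
        self.cache, self.downloads = {}, 0

    def _verify(self, crl, issuer, now):
        key = self.trust_keys.get(issuer)
        if key is None or crl.issuer != issuer:
            raise ValueError("CRL issuer not trusted")
        expected = crl_tag(key, crl.issuer, crl.this_update, crl.next_update, crl.revoked)
        if not hmac.compare_digest(expected, crl.tag):
            raise ValueError("CRL signature check failed")
        if not (crl.this_update <= now < crl.next_update):
            raise ValueError("CRL outside its validity window")

    def get_crl(self, issuer, now):
        crl = self.cache.get(issuer)
        if crl is None or now >= crl.next_update:   # step 3(b): no usable local copy
            self.downloads += 1
            crl = self.fetch(issuer)
            self._verify(crl, issuer, now)          # fail closed: nothing cached on error
            self.cache[issuer] = crl
        return crl                                  # step 3(a): return the CRL file

    def is_revoked(self, issuer, serial, now):      # alternative: return only the result
        return serial in self.get_crl(issuer, now).revoked

# Constructed sample data: one issuer with serial 0x1A2B revoked.
KEY = b"constructed-demo-key"
SAMPLE = make_crl("CN=Example CA", 1000, 2000, {0x1A2B}, KEY)
```

Because every guest's request goes through one cache, a CRL that fails verification must never be stored: a single bad entry would otherwise answer for all relying parties on the host.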

Description

Technical field

[0001] The invention relates to the field of computer security, in particular to a method and a system for checking the revocation status of a digital certificate in a virtualized environment.

Background technique

[0002] On the basis of public key cryptography, PKI (Public Key Infrastructure) mainly solves the problem of who a key belongs to, that is, key authentication. PKI implements key authentication services by having a digital certificate certification authority (CA: Certification Authority) issue digital certificates, that is, by publishing information about who a public key belongs to, so that security services on the network such as digital signatures have a basic security assurance.

[0003] As a third-party digital certificate certification center, the CA is an entity trusted by both communicating parties in the PKI system, and it is responsible for issuing digital certificates. A digital certificate (referred to as a certificate) binds the publ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L9/32
CPC: H04L9/3268, H04L63/0823, G06F9/45558, G06F21/33, G06F21/53, G06F2009/45587, H04L9/006, G06F9/45545, G06F2009/45583, H04L9/0891, H04L9/30
Owner: INSTITUTE OF INFORMATION ENGINEERING CHINESE ACADEMY OF SCIENCES