Communication system, certificate management device, and communication device
The communication system addresses the issue of certificate expiration by using a certificate management device to proactively update certificates, ensuring secure communication through provisional and self-signed certificates, thus preventing communication failures.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- FUJI ELECTRIC CO LTD
- Filing Date
- 2025-05-14
- Publication Date
- 2026-06-17
AI Technical Summary
Existing communication management devices cannot constantly monitor and update certificates of communication devices connected to a network, leading to a risk of communication failure when certificate expiration dates are reached.
A communication system with a communication device and a certificate management device that includes a storage unit, communication unit, control unit, determination unit, and certificate generation unit, allowing for the proactive update of certificates using provisional certificates and self-signed certificates when expiration is detected.
Ensures reliable and timely certificate updates for communication devices, enabling secure communication even after expiration without manual reconfiguration.
Smart Images

Figure 2026098885000001_ABST
Abstract
Description
Technical Field
[0001] The present invention relates to a technique for updating a certificate set in a communication device connected to a network.
Background Art
[0002] In order to ensure the security of a communication system, a certificate may be set in a communication device connected to a network. However, in many cases, an expiration date is set for the certificate, and the certificate update process is executed periodically or as needed. For this reason, a communication management device that identifies a communication device whose certificate has expired has been proposed (for example, Patent Document 1).
Prior Art Documents
Patent Documents
[0003]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] The above-described communication management device monitors the certificates of communication devices connected to the network, but cannot constantly monitor the certificates of communication devices connected to the network as needed. For this reason, when the expiration date of the certificate of a communication device has expired when the communication device is connected to the network, there is a possibility that communication cannot be established (or secure communication cannot be established).
[0005] An object according to one aspect of the present invention is to be able to surely update the certificate of a communication device connected to a network as needed.
Means for Solving the Problems
[0006] A communication system according to one aspect of the present invention includes a communication device and a certificate management device. The communication device includes a storage unit for storing a first certificate and a second certificate, a communication unit for connecting to a network and accessing a server system using the first certificate, and a control unit for sending an update request to the certificate management device using the second certificate when the first certificate has expired when the communication unit connects to the network. The certificate management device includes a determination unit for determining the validity of the second certificate upon receiving the update request, and a certificate generation unit for generating a new first certificate and a new second certificate and sending them to the communication device when the determination unit determines that the second certificate is valid.
[0007] A communication device according to another aspect of the present invention includes: a storage unit for storing certificates; a self-signed certificate issuing unit for issuing a self-signed certificate when the validity period of a certificate stored in the storage unit has expired; and a certificate renewal unit for sending a certificate issuance request and the self-signed certificate to a certification authority when the validity period of a certificate stored in the storage unit has expired, and for writing the new certificate to the storage unit when the certification authority issues the new certificate. [Effects of the Invention]
[0008] According to the above-described embodiment, the certificates of communication devices connected to the network can be reliably updated as needed. [Brief explanation of the drawing]
[0009] [Figure 1] This figure shows an example of a communication system according to an embodiment of the present invention. [Figure 2] This figure shows examples of certificates and provisional certificates. [Figure 3] This diagram shows an example of the procedure by which communication equipment accesses a server system. [Figure 4] This flowchart shows an example of the procedure for communication devices to access a server system. [Figure 5] This flowchart shows an example of processing by a certificate management device. [Figure 6] This figure shows an example of the hardware configuration of a certificate management device. [Figure 7] This figure shows an example of a communication system according to the second embodiment. [Figure 8] This figure shows an example of the functional configuration of a control device. [Figure 9] This flowchart shows an example of the processing performed by the detection unit. [Figure 10] This flowchart shows an example of the process for renewing certificates. [Figure 11] This figure shows an example of the functional configuration of the secure processing unit. [Figure 12] This figure shows an example of a communication procedure according to the second embodiment. [Modes for carrying out the invention]
[0010] Figure 1 shows an example of a communication system according to an embodiment of the present invention. The communication system 1 according to an embodiment of the present invention comprises a communication device 10 and a certificate management device 20. The communication device 10 and the certificate management device 20 are each connected to a network 30. However, the communication device 10 is connected to the network 30 as needed. For example, the communication device 10 is connected to the network 30 when transmitting data to the server system 40. In this embodiment, "connect" means becoming capable of communication. It is preferable that the certificate management device 20 is always connected to the network 30.
[0011] Network 30 may be a private network such as a LAN, a public network, or may include both a private and a public network. Furthermore, Network 30 may be a wired network, a wireless network, or may include both a wired and a wireless network. The communication system 1 may also include multiple communication devices 10.
[0012] The communication device 10 includes a storage unit 11, a communication unit 12, and a control unit 13. Note that the communication device 10 may further include other functions not shown in FIG. 1.
[0013] The storage unit 11 stores a certificate and a provisional certificate. The certificate and the provisional certificate are each issued by a certification authority and indicate that the communication device 10 is a reliable or regular device recognized by the certification authority.
[0014] The certificate is an electronic certificate or a digital certificate and includes an issuer, an expiration date, a subject, and a provisional certificate flag, as shown in FIG. 2A. The issuer represents the certification authority that issued the certificate. The expiration date represents the period during which the certificate is valid. The subject represents an entity (here, the communication device 10) that has been certified by the certification authority as being a reliable device. The provisional certificate flag indicates whether the certificate is a provisional certificate. When the certificate is not a provisional certificate, the value of the provisional certificate flag is "0".
[0015] The provisional certificate is issued along with the corresponding certificate and is used, for example, when the expiration date of the corresponding certificate has expired. The provisional certificate includes an issuer, an expiration date / valid period, a subject, a provisional certificate flag, and a serial number, as shown in FIG. 2B. The issuer and the subject are substantially the same in the certificate and the provisional certificate, so the description is omitted. The expiration date / valid period represents the period during which the provisional certificate is valid. When the expiration date is set as the expiration date / valid period, the expiration date of the provisional certificate represents the date and time that is a predetermined period after the expiration date of the corresponding certificate. When the valid period is set as the expiration date / valid period, the valid period of the provisional certificate represents a predetermined period starting from the end of the expiration date of the corresponding certificate. The provisional certificate flag indicates whether the certificate is a provisional certificate, and when the certificate is a provisional certificate, the value of the provisional certificate flag is "1". The serial number is identification information that uniquely identifies the provisional certificates sequentially issued by the certification authority.
[0016] When the communication device 10 performs encrypted communication using a public key, the certificate and the provisional certificate may each include the public key. Also, the certificate and the provisional certificate may each be signed.
[0017] The communication unit 12 is connected to the network 30 and communicates with the server system 40 using a certificate. Also, the communication unit 12 can communicate with the certificate management device 20. When the expiration date of the certificate has expired when the communication unit 12 connects to the network 30, the control unit 13 transmits an update request to the certificate management device 20 using a provisional certificate.
[0018] The certificate management device 20 includes a certificate generation unit 21, a determination unit 22, and a revocation list 23. Note that the certificate management device 20 may further include other functions not shown in FIG. 1.
[0019] The certificate generation unit 21 has the function of a certification authority and issues a certificate and a corresponding provisional certificate. Also, when the certificate management device 20 receives an update request from the communication device 10 and the provisional certificate attached to the update request is valid, it generates a new certificate and a new provisional certificate and transmits them to the communication device 10. The determination unit 22 determines whether or not the provisional certificate attached to the update request received from the communication device 10 is valid. The serial number of the provisional certificate received from the communication device 10 or the provisional certificate itself is registered in the revocation list 23.
[0020] The server system 40 receives and processes the data and / or information transmitted from the communication device 10. At this time, the communication device 10 accesses the server system 40 using a certificate. Then, when the server system 40 recognizes that the communication device 10 is a trustworthy device based on the certificate, it accepts the access.
[0021] FIG. 3 shows an example of the procedure for the communication device 10 to access the server system 40 in the communication system 1. In this embodiment, it is assumed that a trigger to access the server system 40 has occurred in the communication device 10.
[0022] When the communication device 10 detects a trigger that requires access to the server system 40, it determines whether the certificate stored in the storage unit 11 is valid. If the certificate has not expired (i.e., the current time is before the certificate's expiration date), it determines that the certificate is valid. If the certificate is valid, the communication device 10 uses that certificate to access the server system 40. When the server system 40 recognizes that the certificate was issued by a trusted certification authority (in this case, the certificate management device 20), it accepts access from the communication device 10.
[0023] On the other hand, if the current time is after the certificate's expiration date and the certificate has expired, the communication device 10 sends a renewal request to the certificate management device 20. The renewal request requests the issuance of a new certificate. The renewal request is also accompanied by a provisional certificate stored in the storage unit 11. The expiration date of the provisional certificate (or the end date and time of the provisional certificate's validity period) is after the expiration date of the corresponding certificate. Therefore, even if the certificate has expired, the provisional certificate remains valid for a predetermined period from the expiration date of the original certificate.
[0024] The certificate management device 20 determines whether the provisional certificate attached to the renewal request is valid. If the provisional certificate is valid, the certificate management device 20 generates a new certificate and a new provisional certificate for the communication device 10. The expiration date of the new provisional certificate will be a predetermined period after the expiration date of the corresponding new certificate. Alternatively, the validity period of the new provisional certificate will be a predetermined period starting from the expiration date of the corresponding new certificate. The certificate management device 20 then transmits the new certificate and the new provisional certificate to the communication device 10.
[0025] The communication device 10 stores the new certificate and the new provisional certificate received from the certificate management device 20 in the storage unit 11. At this time, the certificate and provisional certificate stored in the storage unit 11 are overwritten by the new certificate and the new provisional certificate, respectively. In other words, the certificate (and the corresponding provisional certificate) is updated.
[0026] The communication device 10 accesses the server system 40 using the new certificate. When the server system 40 recognizes that the new certificate was issued by a trusted certificate authority (in this case, the certificate management device 20), it accepts access from the communication device 10.
[0027] Thus, if the certificate of the communication device 10 has expired when it initiates communication, the communication device 10 can obtain a new certificate by sending an update request with a provisional certificate to the certificate management device 20. In other words, even if the certificate of the communication device 10 has expired when it initiates communication, the communication device 10 can update its certificate by proactively initiating the update procedure. Therefore, in the communication system 1, which connects the communication device 10 to the network 30 as needed, even if the certificate of the communication device 10 has expired, the communication device 10 can access the server system 40 using the new certificate without requiring the administrator of the communication system 1 to reconfigure the certificate.
[0028] Figure 4 is a flowchart illustrating an example of the procedure when the communication device 10 accesses the server system 40. It is assumed that the storage unit 11 stores certificates and provisional certificates issued by the certificate management device 20.
[0029] In S1, the communication device 10 monitors the trigger for initiating communication. For example, in a case where a processing procedure is set to send data to the server system 40 at 9:00 a.m. every day, the communication device 10 can detect the trigger for initiating communication by monitoring the clock. Once the trigger for initiating communication is detected, the communication device 10 proceeds to S2.
[0030] In S2, the control unit 13 determines whether the certificate stored in the storage unit 11 is valid. In this embodiment, the control unit 13 determines whether the certificate stored in the storage unit 11 has expired. Specifically, the control unit 13 compares the current time with the certificate's expiration date. If the certificate has expired, the communication device 10 proceeds to S3.
[0031] In S3, the control unit 13 uses the provisional certificate stored in the storage unit 11 to send an update request to the certificate management device 20. The update request asks the certificate management device 20 to issue a new certificate. The update request is also sent to the certificate management device 20 with a provisional certificate attached.
[0032] In S4, the communication device 10 awaits a new certificate issued by the certificate management device 20. Upon receiving the new certificate and the new provisional certificate, the communication device 10 proceeds to S5. On the other hand, if the new certificate and the new provisional certificate cannot be received from the certificate management device 20, error handling is performed. In error handling, for example, an alarm is sent to the administrator of the communication system 1.
[0033] When the communication device 10 receives a new certificate and a new provisional certificate, in S5, the control unit 13 replaces the certificate stored in the storage unit 11 with the new certificate received from the certificate management device 20. Also, in S6, the control unit 13 replaces the provisional certificate stored in the storage unit 11 with the new provisional certificate received from the certificate management device 20. In other words, the certificate and provisional certificate are updated.
[0034] In S7, the communication unit 12 accesses the server system 40 using the certificate stored in the storage unit 11. That is, if the certificate stored in the storage unit 11 at the start of communication was valid (S2: Yes), the communication unit 12 accesses the server system 40 using that certificate. On the other hand, if the certificate stored in the storage unit 11 at the start of communication was not valid (S2: No), the communication unit 12 accesses the server system 40 using a new certificate received from the certificate management device 20. The server system 40 accepts access from the communication device 10 once it recognizes that the certificate was issued by a trusted certification authority (in this case, the certificate management device 20).
[0035] Thus, if the communication device 10's certificate proving its own legitimacy has expired at the start of communication, it can autonomously obtain a new certificate from the certificate management device 20. Therefore, even if the certificate has expired, it can still perform the necessary communication.
[0036] Figure 5 is a flowchart illustrating an example of the processing performed by the certificate management device 20. It is assumed that the communication device 10 holds the certificates and provisional certificates issued by the certificate management device 20.
[0037] In S11, the certificate management device 20 waits for an update request to be sent from the communication device 10. Upon receiving the update request, the certificate management device 20 proceeds to S12. If the certificate has expired, the communication device 10 sends an update request with a provisional certificate in S3, as shown in Figure 4.
[0038] In S12, the determination unit 22 determines whether a legitimate provisional certificate is attached to the received renewal request. At this time, the determination unit 22 may determine that a legitimate provisional certificate is attached to the received renewal request if, for example, the issuer shown in Figure 2 is the certificate management device 20 itself and the provisional certificate flag is 1.
[0039] In steps S13-S14, the determination unit 22 determines the validity of the provisional certificate attached to the received renewal request. Specifically, in S13, the determination unit 22 checks whether the provisional certificate has expired. Specifically, if the current time (i.e., the time when the certificate management device 20 received the renewal request) is before the expiration date of the provisional certificate, it is determined that the provisional certificate has not expired. Alternatively, if the current time is within the validity period of the provisional certificate, it is determined that the provisional certificate has not expired. Next, in S14, the determination unit 22 checks whether the provisional certificate is registered in the revocation list 23. If the provisional certificate has not expired and is not registered in the revocation list 23, the determination unit 22 determines that the provisional certificate is valid.
[0040] If the provisional certificate is valid, the certificate generation unit 21 generates a new certificate and a new provisional certificate for the communication device 10 in S15-S16. The contents of the new certificate and the new provisional certificate may be substantially the same as the certificate and provisional certificate stored in the communication device 10 when the certificate management device 20 receives the renewal request. However, the expiration date / validity period of the new certificate and the new provisional certificate will be newly set. In addition, the serial number of the new provisional certificate will also be newly set.
[0041] In S17, the certificate management device 20 transmits the new certificate and the new provisional certificate to the communication device 10. The communication device 10 is waiting for the new certificate and the new provisional certificate in S4 as shown in Figure 4. After this, in S18, the certificate generation unit 21 registers the provisional certificate attached to the received renewal request in the revocation list 23. At this time, for example, the serial number of the provisional certificate is registered in the revocation list 23.
[0042] If a provisional certificate is not attached to the renewal request (S12: No), if the provisional certificate has expired at the time of receipt of the renewal request, if the time of receipt of the renewal request is outside the validity period of the provisional certificate (S13: No), or if the provisional certificate is registered in the revocation list 23 (S14: No), a new certificate will not be generated and error handling will be performed. In error handling, for example, an alarm will be sent to the administrator of communication system 1. In this case, the administrator of communication system 1 may renew the certificate (and provisional certificate) of communication device 10.
[0043] Furthermore, as described above, the revocation list 23 registers the provisional certificate that was attached to the renewal request when the certificate generation unit 21 generates a new certificate in response to the renewal request. In other words, the revocation list 23 registers the provisional certificate used when the communication device 10 requested a new certificate. On the other hand, if the provisional certificate attached to the renewal request is registered in the revocation list 23 when the renewal request is received, the certificate generation unit 21 will not generate a new certificate. That is, the certificate management device 20 will issue a new certificate only once for the certificate of the communication device 10 when its validity period expires. Therefore, security related to the certificate is protected.
[0044] <Hardware Configuration> Figure 6 shows an example of the hardware configuration of the certificate management device 20. The certificate management device 20 is implemented by a computer 100 which includes a processor 101, memory 102, storage device 103, input / output device 104, recording medium reader 105, and communication interface 106.
[0045] The processor 101 executes the certificate management program stored in the storage device 103. The execution of the certificate management program by the processor 101 provides the functions of the certificate generation unit 21 and the determination unit 22 shown in Figure 1. Memory 102 is used as the workspace for the processor 101. Storage device 103 stores the certificate management program and other programs. The revocation list 23 may be stored in either memory 102 or storage device 103.
[0046] The input / output device 104 may include input devices such as a keyboard, mouse, touch panel, and microphone. The input / output device 104 may also include output devices such as a display device and speaker. The recording medium reader 105 can acquire data and information recorded on the recording medium 110. The recording medium 110 is a removable recording medium that can be attached to and detached from the computer 100. The recording medium 110 can be implemented, for example, by semiconductor memory, a medium from which signals can be read by optical action, or a medium from which signals can be read by magnetic action. The certificate management program may be provided from the recording medium 110 to the computer 100. The communication interface 106 provides the function of connecting to a network. When the certificate management program is stored on the program server 120, the computer 100 may acquire the certificate management program from the program server 120.
[0047] The communication device 10 may include a processor 101, memory 102, storage device 103, input / output device 104, recording medium reader 105, and communication interface 106, similar to the certificate management device 20. In this case, the storage unit 11 is implemented, for example, by the storage device 103. Furthermore, the processor 101 executes a communication program, thereby providing the functions of the control unit 13 shown in Figure 1.
[0048] <Second Embodiment> In factory automation, control devices such as programmable logic controllers (PLCs) collect information from various sensors and control manufacturing equipment, conveying equipment, inspection equipment, and so on. In recent years, with the advancement of ICT (Information and Communication Technology), control devices are connected to various external devices via networks, and are therefore expected to be exposed to a variety of threats.
[0049] One measure to protect control devices from anticipated threats is encrypted communication, and digital certificates are sometimes used in this encrypted communication. However, digital certificates generally have an expiration date. Therefore, if a digital certificate expires, encrypted communication becomes impossible.
[0050] Figure 7 shows an example of a communication system according to the second embodiment. The communication system 2 according to the second embodiment includes a control device 50, a field device 61, a higher-level management device 62, a support device 63, and a server 64. The communication system 2 may also include other devices not shown in Figure 7.
[0051] The control device 50 is an example of a communication device that communicates with external devices via a network, and in this embodiment, it is implemented by a PLC, for example. The control device 50 collects data / information from field devices 61 and controls the operation of the field devices 61. The control device 50 performs sequence control, batch control, process control, etc., on the corresponding field devices 61. The field devices 61 are various devices installed in the factory (e.g., manufacturing equipment, conveying equipment, inspection equipment, etc.) and are controlled by the control device 50. The control device 50 and the field devices 61 are connected to each other by a local area network (LAN), for example.
[0052] The higher-level management device 62 relays communication between the control device 50 and the Certificate Authority (CA) 70. The higher-level management device 62 is not an essential component of the communication system 2, and the control device 50 may access the Certificate Authority 70 without going through the higher-level management device 62. The support device 63 sets the necessary information for the control device 50. The server 64 collects and stores various data / information from the control device 50. The server 64 may also analyze the data / information collected from the control device 50 and display the results according to user instructions.
[0053] The Certificate Authority 70 issues certificates in response to requests from devices connected to the network. In the example shown in Figure 7, the Certificate Authority 70 issues a certificate in response to a request from the control device 50. The Certificate Authority 70 may also issue certificates in response to requests from field devices 61, higher-level management devices 62, support devices 63, or servers 64. The certificate includes information representing the issuer, expiration date, and subject, as explained with reference to Figure 2. In cases where the communication system 2 employs public-key cryptography, the certificate may also include the subject's public key.
[0054] In the communication system 2 configured as described above, the control device 50 obtains its own certificate from the certification authority 70 before initiating communication. Then, when initiating communication, or along with the communication data, the control device 50 sends this certificate to the communication partner. This allows the communication partner to determine whether or not the control device 50 is a trustworthy device. After this, secure communication is performed.
[0055] However, certificates have an expiration date. After the certificate expires, the control device 50 cannot perform secure communication. Therefore, the control device 50 according to the second embodiment is equipped with a function to request the issuance of a new certificate from the certification authority 70 and obtain a new certificate if the certificate has expired.
[0056] Figure 8 shows an example of the functional configuration of the control device 50. As shown in Figure 8, the control device 50 comprises a control unit 51, a communication processing unit 52, a secure processing unit 53, a detection unit 54, a certificate renewal unit 55, and a self-signed certificate issuance unit 56. Note that the control device 50 may also have other functions not shown in Figure 8.
[0057] The control unit 51 controls the operation of the control device 50. For example, the control unit 51 configures the control device 50 according to instructions and / or information provided by the support device 63. The control unit 51 generates instructions related to communication with other devices connected to the network by executing an application program. For example, the control unit 51 collects data / information from the field device 61, sends operation instructions to the field device 61, and sends data / information to the server 64 by giving instructions to the communication processing unit 52.
[0058] The communication processing unit 52 performs communication with other devices connected to the network according to instructions given by the control unit 51. At this time, the communication processing unit 52 may send data encrypted by the secure processing unit 53, or it may forward encrypted received data to the secure processing unit 53 for decryption. The communication processing unit 52 may also send a certificate to the communication partner as needed. However, if the certificate has expired, the control device 50 cannot perform secure communication. Therefore, the communication processing unit 52 requests the detection unit 54 to confirm whether the certificate is valid or not.
[0059] The secure processing unit 53 has a secure area, within which the storage unit 53a is implemented. The storage unit 53a stores the certificate of the control device 50 and the key for encrypted communication. In other words, the certificate and key are managed in the secure area. The secure area is an area that cannot be accessed from outside the control device 50. The certificate is issued by the certification authority 70 and indicates that the control device 50 is a trusted or legitimate device. However, if the certificate has expired, the secure processing unit 53 may temporarily manage a self-signed certificate, as described later. The key is, for example, a private key (or a public key and private key pair) in cases where public key cryptography is implemented. The secure processing unit 53 also performs certificate expiration management, certificate authenticity assurance, and key concealment, as will be explained later.
[0060] When the control device 50 initiates communication, the detection unit 54, in response to a request from the communication processing unit 52, checks whether the certificate stored in the storage unit 53a of the secure processing unit 53 is valid. If the certificate is valid, the communication processing unit 52 retrieves the certificate from the secure processing unit 53. On the other hand, if the certificate has expired and is not valid, the detection unit 54 requests the certificate renewal unit 55 to renew the certificate.
[0061] When the certificate renewal unit 55 receives a request for certificate renewal from the detection unit 54, it requests the self-signed certificate issuance unit 56 to issue a self-signed certificate. The self-signed certificate issuance unit 56 then issues a self-signed certificate for the control device 50. In other words, the self-signed certificate issuance unit 56 functions as a certification authority. Here, it is preferable that the self-signed certificate issued by the self-signed certificate issuance unit 56 includes information representing the issuer, expiration date, and subject, similar to a certificate issued by the certification authority 70. However, the issuer and subject of the self-signed certificate issued by the self-signed certificate issuance unit 56, and both are the control device 50 itself.
[0062] When the self-signed certificate issuing unit 56 issues a self-signed certificate for the control device 50, the certificate renewal unit 55 writes the self-signed certificate to the storage unit 53a. However, the certificate renewal unit 55 cannot directly access the secure area. Therefore, the certificate renewal unit 55 passes the self-signed certificate and the certificate renewal request to the secure processing unit 53. The secure processing unit 53 then updates the certificate stored in the storage unit 53a to the self-signed certificate.
[0063] Furthermore, the certificate renewal unit 55 sends a certificate issuance request to the certification authority 70 requesting the issuance of a new certificate. Specifically, the certificate renewal unit 55 requests the communication processing unit 52 to send the certificate issuance request to the certification authority 70. At this time, the secure processing unit 53 has updated the certificate previously stored in the storage unit 53a to a self-signed certificate. Therefore, when the communication processing unit 52 sends the certificate issuance request to the certification authority 70, it attaches the self-signed certificate issued by the self-signed certificate issuance unit 56.
[0064] When the Certificate Authority 70 receives a certificate issuance request from the control unit 50, it authenticates the self-signed certificate attached to the certificate issuance request. In this embodiment, the Certificate Authority 70 determines that the issuer and subject of the self-signed certificate are trustworthy entities. If so, the Certificate Authority 70 issues a new certificate that certifies the control unit 50. Here, the issuer and subject of the new certificate are the Certificate Authority 70 and the control unit 50, respectively. The Certificate Authority 70 then sends the new certificate to the source of the certificate issuance request (i.e., the control unit 50).
[0065] In the control device 50, the certificate renewal unit 55 obtains a new certificate issued by the certification authority 70. The certificate renewal unit 55 then writes the new certificate to the storage unit 53a. However, as mentioned above, the certificate renewal unit 55 cannot directly access the secure area. Therefore, the certificate renewal unit 55 passes the new certificate and the certificate renewal request to the secure processing unit 53. The secure processing unit 53 then updates the self-signed certificate stored in the storage unit 53a with the new certificate.
[0066] In this way, when the control device 50 detects that the certificate has expired at the start of communication, it issues a self-signed certificate. The control device 50 can then use this self-signed certificate to request a certificate from the certification authority 70, thereby obtaining a new certificate. In other words, even if the control device 50's certificate has expired, the control device 50 can perform encrypted communication using the certificate (and private key) without requiring any renewal work by the system administrator.
[0067] Figure 9 is a flowchart showing an example of the processing of the detection unit 54. In this example, in S21, the detection unit 54 waits for a confirmation request sent from the communication processing unit 52. The confirmation request asks for confirmation of whether the certificate managed by the secure processing unit 53 is valid or not.
[0068] When a verification request is received, the detection unit 54 requests the secure processing unit 53 in S22 to verify whether the certificate is valid or not. Here, the secure processing unit 53 checks whether the certificate stored in the storage unit 53a is valid or not in response to the request from the detection unit 54. Specifically, the secure processing unit 53 checks whether the certificate has expired or not.
[0069] In S23, the detection unit 54 receives a confirmation result from the secure processing unit 53 indicating whether the certificate is valid or not. If the certificate is not valid, the detection unit 54 requests the certificate renewal unit 55 to renew the certificate in S24. If the certificate is valid, the process in S24 is skipped.
[0070] Thus, when the control device 50 starts communication, the detection unit 54 checks whether the certificate is valid in response to a request from the communication processing unit 52. If the certificate is not valid, the detection unit 54 requests the certificate renewal unit 55 to renew the certificate. The detection unit 54 may also periodically (for example, once a day) execute the processes S22 to S24 shown in Figure 9.
[0071] Figure 10 is a flowchart showing an example of the processing performed by the certificate renewal unit 55. This flowchart is executed when the certificate renewal unit 55 receives a renewal request from the detection unit 54.
[0072] In S31-S32, the Certificate Renewal Unit 55 requests the Self-Signed Certificate Issuance Unit 56 to issue a self-signed certificate. The Self-Signed Certificate Issuance Unit 56 then issues the self-signed certificate in response to the request from the Certificate Renewal Unit 55.
[0073] When a self-signed certificate is obtained, the certificate renewal unit 55 requests the secure processing unit 53 to save the self-signed certificate in S33. The secure processing unit 53 then writes the self-signed certificate to the storage unit 53a in response to the request from the certificate renewal unit 55. At this time, the secure processing unit 53 updates the expired certificate with a self-signed certificate.
[0074] In S34, the certificate renewal unit 55 requests the certification authority 70 to issue a certificate. Specifically, the certificate renewal unit 55 asks the communication processing unit 52 to send the certificate issuance request to the higher management device 62. The communication processing unit 52 then sends the certificate issuance request to the higher management device 62. At this time, along with the certificate issuance request, the communication processing unit 52 also sends the certificate managed by the secure processing unit 53 to the higher management device 62. Here, the certificate managed by the secure processing unit 53 has been updated with a self-signed certificate issued by the self-signed certificate issuance unit 56. Therefore, in this case, the certificate issuance request and the self-signed certificate are sent to the higher management device 62.
[0075] The higher-level management device 62 sends a certificate issuance request and a self-signed certificate to the certification authority 70. If the certification authority 70 determines that the entity certified by the self-signed certificate is trustworthy, it issues a new certificate. This new certificate is sent to the control unit 50 via the higher-level management device 62.
[0076] In S35, the certificate renewal unit 55 awaits the new certificate issued by the certification authority 70. Once the new certificate is obtained, in S36, the certificate renewal unit 55 requests the secure processing unit 53 to save the new certificate. The secure processing unit 53 then writes the new certificate to the storage unit 53a in response to the request from the certificate renewal unit 55. At this time, the secure processing unit 53 updates the self-signed certificate to the new certificate.
[0077] Furthermore, the certificate renewal unit 55 executes a predetermined error handling process if it fails to obtain a self-signed certificate. The certificate renewal unit 55 also executes a predetermined error handling process if it fails to obtain a new certificate from the certification authority 70.
[0078] Thus, when a certificate has expired, the certificate renewal unit 55 instructs the self-signed certificate issuing unit 56 to issue a self-signed certificate. The certificate renewal unit 55 then uses this self-signed certificate to request the certificate authority 70 to issue a new certificate. Once the certificate renewal unit 55 obtains the new certificate, it requests the secure processing unit 53 to renew the certificate. The secure processing unit 53 then responds to the request from the certificate renewal unit 55 by renewing the expired certificate (or self-signed certificate) with the new certificate.
[0079] Figure 11 shows an example of the functional configuration of the secure processing unit 53. As shown in Figure 11, the secure processing unit 53 comprises an interface unit 53X and a secure processing execution unit 53Y. The interface unit 53X comprises an API (Application Programming Interface) function group, a non-secure area I / F, and a secure area I / F. The secure processing execution unit 53Y comprises a secure processing function group and a storage unit 53a. The API function group and the non-secure area I / F are implemented in the non-secure area. The secure area I / F, the secure processing function group, and the storage unit 53a are implemented in the secure area. The non-secure area and the secure area can be switched using, for example, secure area switching instructions (ARMv7: MCR, MRC instructions) provided by the processor.
[0080] Interface unit 53X provides an interface for calling secure area processing from non-secure area. The API function group is an API for programs (encryption, decryption, etc.) executed in the secure area. The non-secure area I / F requests processing of the secure area API from the secure area I / F. The secure area I / F returns the processing result from the secure area to the non-secure area I / F.
[0081] The secure processing unit 53Y performs the following processing in response to a request from the interface unit 53X. Specifically, the secure processing unit 53Y performs encryption / decryption processing using the key within the secure area without outputting the key to the non-secure area. The secure processing unit 53Y also guarantees the authenticity of the certificate. Furthermore, the secure processing unit 53Y generates a genuine random number using the key.
[0082] Figure 12 shows an example of a communication procedure according to the second embodiment. In this embodiment, the control device 50 holds a certificate C1 issued by the certification authority 70. The certificate C1 is stored in the storage unit 53a of the secure processing unit 53.
[0083] When the control device 50 transmits data to a communication partner (e.g., a field device 61, a server 64, etc.), it attaches certificate C1 to the data. This allows the communication partner to verify that the data source (i.e., the control device 50) is a trusted entity.
[0084] Subsequently, the control device 50 will assume that certificate C1 has expired. The control device 50 will then attempt to send data to the communication partner with certificate C1 having expired. In this case, when the control device 50 confirms that certificate C1 has expired, it will issue a self-signed certificate. The control device 50 will then update certificate C1 stored in the storage unit 53a with the self-signed certificate.
[0085] Next, the control device 50 sends a certificate issuance request to the certification authority 70 requesting the issuance of a new certificate. At this time, the communication processing unit 52 sends the certificate stored in the storage unit 53a to the certification authority 70 along with the certificate issuance request. Here, the certificate stored in the storage unit 53a has been updated to a self-signed certificate. Therefore, the control device 50 sends the certificate issuance request and the control device 50's self-signed certificate to the certification authority 70. The certificate issuance request and the self-signed certificate are sent to the certification authority 70, for example, via the higher-level management device 62.
[0086] When the Certificate Authority 70 receives a certificate issuance request from the control device 50, it verifies whether the control device 50 is a trusted entity based on the contents of the certificate attached to the certificate issuance request (i.e., the self-signed certificate of the control device 50). In this embodiment, it is determined that the control device 50 is a trusted entity. In this case, the Certificate Authority 70 issues a new certificate (hereinafter referred to as Certificate C2) that certifies the control device 50 and sends it to the control device 50.
[0087] When the control device 50 receives certificate C2 issued by the certification authority 70, it updates the self-signed certificate stored in the storage unit 53a with certificate C2. Subsequently, when the control device 50 sends data to the communication partner, certificate C2 is attached to the data. Therefore, the communication partner can confirm that the control device 50 is a trusted entity by receiving certificate C2.
[0088] The control device 50 can be implemented by the computer 100 shown in Figure 6, similar to the certificate management device 20. However, in the control device 50, the functions of the communication processing unit 52, secure processing unit 53, detection unit 54, certificate renewal unit 55, and self-signed certificate issuance unit 56 are provided by the processor 101 executing a control program stored in the storage device 103. [Explanation of Symbols]
[0089] 1. Communication System 10. Communication equipment 11 Preservation Department 12 Communications Department 13 Control Unit 20 Certificate Management Device 21 Certificate Generation Section 22 Judgment section 23 Expired List 50 Control device 51 Control Unit 52 Communication Processing Unit 53 Secure Processing Unit 53a Storage section 54 Detection unit 55 Certificate Renewal Section 56 Self-Signed Certificate Issuance Department 70 Certificate Authority (CA)
Claims
1. A communication system comprising communication equipment and a certificate management device, The aforementioned communication equipment is A storage unit for storing the first certificate and the second certificate, A communication unit that connects to the network and accesses the server system using the first certificate, The system includes a control unit that, when the communication unit connects to the network and the first certificate has expired, uses the second certificate to send a renewal request to the certificate management device, The certificate management device is A determination unit that determines the validity of the second certificate upon receiving the aforementioned renewal request, The system includes a certificate generation unit that, when the determination unit determines that the second certificate is valid, generates a new first certificate and a new second certificate and transmits them to the communication device. A communication system characterized by the following features.
2. The expiration date of the second certificate is later than the expiration date of the first certificate. The expiration date of the new second certificate is later than the expiration date of the new first certificate. The communication system according to feature 1.
3. The validity period of the second certificate is a predetermined period that begins from the expiration of the validity period of the first certificate. The validity period of the new second certificate is a predetermined period that begins from the expiration of the validity period of the new first certificate. The communication system according to feature 1.
4. In the aforementioned communication device, The control unit replaces the first certificate and the second certificate stored in the storage unit with the new first certificate and the new second certificate received from the certificate management device, respectively. The communication unit accesses the server system using the new first certificate. The communication system according to feature 1.
5. In the aforementioned certificate management device, If the second certificate has expired at the time of receiving the renewal request, or if the time of receiving the renewal request is outside the validity period of the second certificate, the determination unit determines that the second certificate is not valid. The certificate generation unit does not generate the new first certificate or the new second certificate. The communication system according to feature 1.
6. The certificate management device further includes a revocation list for registering the second certificate whose validity has been determined by the determination unit, In the aforementioned certificate management device, If the second certificate is registered in the revocation list when the renewal request is received, the determination unit determines that the second certificate is not valid. The certificate generation unit does not generate the new first certificate or the new second certificate. The communication system according to feature 1.
7. A determination unit determines the validity of the second certificate when it receives a renewal request from a communication device that includes a communication unit that accesses the server system using the first certificate and a control unit that sends a renewal request using the second certificate when the first certificate has expired. The system includes a certificate generation unit that, when the determination unit determines that the second certificate is valid, generates a new first certificate and a new second certificate and transmits them to the communication device. A certificate management device characterized by the following features.
8. A storage section for storing certificates, When the expiration date of the certificate stored in the aforementioned storage unit has passed, the self-signed certificate issuing unit issues a self-signed certificate, A certificate renewal unit sends a certificate issuance request and the self-signed certificate to the certification authority when the expiration date of the certificate stored in the storage unit has expired, and writes the new certificate to the storage unit when the certification authority issues the new certificate. A communication device equipped with the following features.
9. The communication device further includes a detection unit that checks whether the certificate stored in the storage unit has expired, either at the start of communication or periodically thereafter. The communication device according to feature 8.
10. The certificate renewal unit writes the new certificate to the storage unit, thereby updating the certificate stored in the storage unit to the new certificate. The communication device according to feature 8.