.png)
.png)
.png)
.png)
Public Key Infrastructure (PKI)
PKI (Public Key Infrastructure) is an information system based on public key cryptography that implements functions such as the publication, management, and revocation of digital certificates, and provides corresponding services to users. Various entities utilize PKI to achieve identity authentication during communication processes while ensuring the confidentiality, integrity, and non-repudiation of communication data.
The typical framework of PKI mainly includes components such as CA (Certification Authority), RA (Registration Authority), certificate repository, key management, and OCSP (Online Certificate Status Protocol) services, as shown in Figure 1:
Figure 1: Typical PKI Frame
The main functions of each component are as follows:
1. RA: Interacts with the User, receives the CSR (Certificate Signing Request), and sends the CSR to the CA. Once the CA completes the certificate issuance, the RA sends the issued User certificate to the User.
2. CA: Issues the corresponding certificate based on the CSR, publishes the CRL (Certificate Revocation List) for the revoked certificate, and then stores the certificate and CRL in the certificate repository;
3. Certificate Repository Component: Provides services such as storage and search for certificates and CRLs.
4. Key Management Component: Provides management functions for the generation, storage, distribution, import and export, usage, backup, recovery, archiving, and destruction of various keys in PKI.
5. OCSP Service: It is an optional component that, if the PKI supports OCSP functionality, allows for the reception and response of OCSP requests through this component.
CSR, Digital Certificates, and CRLs are important types of data in PKI. CSR typically follows the PKCS#10 standard, while Digital Certificates and CRLs usually adhere to the X.509 standard. Their detailed structural formats are defined as follows:
1. Format of CSR:
Figure 2: CSR Format
In this context, the certificationRequestInfo Field is the main part of the CSR, which mainly includes subjectPKInfo (User Public Key), subject (Username), and other information. The signatureAlgorithm Field specifies the algorithm used by the User to sign the certificationRequestInfo, and the signature Field contains the digital signature of certifieRequestInfo Field.
2. Format of Digital Certificate:
Figure 3: Digital Certificate Format
In this context, the tbsCertificate Field is the main part of the Digital Certificate, which mainly includes the certificate serial number, CA name, Validity Period of the certificate, certificate subject name, Public Key of the certificate, and other information, as shown in Figure 4. The signatureAlgorith Field specifies the algorithm used by the CA to sign the tbsCertificate Field, and the signatureValue Field contains the digital signature of tbsCertificate Field.
Figure 4: tbsCertificate Format
3. The format of the Certificate Revocation List (CRL):
Figure 5: CRL Format
In this context, the tbsCertList Field is the main part of the CRL, which mainly includes information such as the CA name, the issuance time of this CRL, the next issuance time of the CRL, and the list of revoked certificates, with its structure shown in Figure 6. The signatureAlgorithm Field specifies the algorithm used by the CA to sign the tbsCertList Field, and contains the digital signature of tbsCertList Field.
Figure 6: tbsCertList Format
Currently, PKI is widely applied in scenarios such as Cloud Service, Internet of Things (IoT), and Blockchain, ensuring the security and trustworthiness of these services. Although PKI faces challenges such as high deployment complexity and difficulties in certificate Life Cycle management, these issues are gradually being overcome with technological advancements. The continuous development of PKI will lay a solid foundation for building a more secure and trusted digital world.
The analyses and discussions in the article are intended to share industry dynamics and technical practices. If any issue involving intellectual property rights arises, please do not hesitate to contact us. We will handle your concerns and make necessary adjustments in accordance with relevant laws and regulations.
