CN112312395A - WAPI certificate centralized distribution method and system - Google Patents

Info

Publication number: CN112312395A
Authority: CN (China)
Application number: CN201910642946.0A
Other versions: CN112312395B (en)
Other languages: Chinese (zh)
Inventor: 高波
Original assignee: China Telecom Corp Ltd
Current assignee: China Telecom Corp Ltd
Legal status: Granted; active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04W: Wireless communication networks
    • H04W 84/00: Network topologies
    • H04W 84/02: Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10: Small scale networks; flat hierarchical networks
    • H04W 84/12: WLAN [Wireless Local Area Networks]

Abstract

The disclosure provides a method and a system for distributing WAPI certificates in a centralized manner, and relates to the field of WAPI technology application. The method comprises the following steps: a WAPI certificate centralized distribution system obtains a WLAN device certificate required by a WLAN device from a WAPI certificate management system, wherein the WLAN device certificate comprises a WLAN device public key certificate and a private key; and distributes the WLAN device certificate together with the pre-stored CA public key certificate and AS public key certificate to each WLAN device according to the type and the identifier of the WLAN device, so that each WLAN device can install the corresponding certificate. The method and system improve the efficiency of applying for and distributing WAPI certificates, so that WLAN devices can install certificates more conveniently, quickly and safely.

Description

WAPI certificate centralized distribution method and system
Technical Field
The present disclosure relates to the field of application of the WAPI (WLAN Authentication and Privacy Infrastructure) technology, and in particular, to a method and a system for centralized distribution of a WAPI certificate.
Background
With the development of the WAPI technology, in the existing network deployment of WAPI, a large number of WLAN (Wireless Local Area Network, here the public wireless local area network) devices need to be installed with, and updated to, secure and effective WAPI certificates. The WLAN devices include non-centralized control AP (Access Point) devices and centralized control AC (Access Controller) + AP devices; the APs include fat APs (non-centralized control APs) and thin APs (centralized control APs). The WAPI certificate required by a WLAN device is generated and issued by the CA (Certificate Authority) center of the WAPI certificate management system.
At present, local network technicians apply for a WAPI certificate from an RA (Registration Authority) center by mail, receive the issued WAPI certificate by mail, and install the WAPI certificate on the WLAN device. For a local network, the number of WLAN devices is in the thousands or even tens of thousands, so the workload of certificate installation and maintenance is very large, and manual installation is inefficient, insecure and error-prone.
Disclosure of Invention
The technical problem to be solved by the present disclosure is to provide a method and a system for centralized distribution of a WAPI certificate, which can improve the efficiency of application, distribution and installation of the WAPI certificate and improve the security of the transmission process of the WAPI certificate.
According to one aspect of the disclosure, a method for distributing a WAPI certificate in a centralized manner is provided, which includes: a WAPI (WLAN Authentication and Privacy Infrastructure) certificate centralized distribution system obtains a WLAN device certificate required by a WLAN device from a WAPI certificate management system, wherein the WLAN device certificate comprises a WLAN device public key certificate and a private key; and distributes the WLAN device certificate, the pre-stored certificate authority (CA) public key certificate and the pre-stored authentication server (AS) public key certificate to each WLAN device according to the type and the identifier of the WLAN device, so as to install the corresponding certificate on each WLAN device.
In one embodiment, the WAPI certificate centralized distribution system determines whether the time remaining from the current time until the expiration of the WLAN device certificate's validity period is less than a preset time threshold, and if so, sends a certificate update request to the WAPI certificate management system.
In one embodiment, if there are multiple AS devices, the WAPI certificate centralized distribution system matches the AS devices with the WLAN devices that apply for WLAN device certificates, so as to determine the corresponding AS public key certificates; and when the WLAN device certificate is sent to the WLAN device, the corresponding CA public key certificate and AS public key certificate are sent to the WLAN device at the same time.
In one embodiment, when a WLAN device is newly added, a WAPI certificate centralized distribution system initiates a request for a new WLAN device certificate to a WAPI certificate management system, wherein the request for the new WLAN device certificate carries information of the newly added WLAN device, and the WAPI certificate management system generates a WLAN device certificate according to the information of the newly added WLAN device; and/or when the WLAN equipment is changed, the WAPI certificate centralized distribution system initiates a request for changing the WLAN equipment certificate to the WAPI certificate management system, wherein the request for changing the WLAN equipment certificate carries information for changing the WLAN equipment, and the WAPI certificate management system generates the WLAN equipment certificate according to the information for changing the WLAN equipment.
In one embodiment, the WAPI certificate centralized distribution system sets a communication protocol with the WLAN device, wherein the communication protocol includes one or more of a type of WLAN device certificate, a password of the WLAN device certificate, a media access control MAC address of the WLAN device, a WLAN device certificate status change field, a WLAN device certificate status inquiry field, a WLAN device certificate command acceptance status field, and a WLAN certificate serial number SN field.
In one embodiment, the WAPI certificate centralized distribution system performs encrypted authentication on the communication channel with the WAPI certificate management system, and/or on the communication channel with the WLAN device.
In one embodiment, a WAPI certificate centralized distribution system acquires an AS certificate required by AS equipment from a WAPI certificate management system, wherein the AS certificate comprises an AS public key certificate and a private key; and sending the AS certificate and the pre-stored CA public key certificate to the AS equipment so that the AS equipment can install the AS certificate.
In one embodiment, the centralized distribution system of the WAPI certificates distributes the WLAN device certificates and the pre-stored CA public key certificates and AS public key certificates to the respective WLAN devices immediately or periodically according to the type and the identification of the WLAN devices.
According to another aspect of the present disclosure, a centralized distribution system for a WAPI certificate is further provided, which includes: a certificate acquisition unit configured to acquire a WLAN device certificate required by a WLAN device from the WAPI certificate management system, wherein the WLAN device certificate comprises a WLAN device public key certificate and a private key; and a certificate distribution unit configured to distribute the WLAN device certificate, the pre-stored certificate authority (CA) public key certificate and the pre-stored authentication server (AS) public key certificate to each WLAN device according to the type and the identifier of the WLAN device, so that each WLAN device installs the corresponding certificate.
In one embodiment, the certificate acquisition unit is further configured to determine whether the time remaining from the current time until the expiration of the WLAN device certificate's validity period is less than a preset time threshold, and if so, send a certificate update request to the WAPI certificate management system.
In one embodiment, the certificate distribution unit is further configured to, if there are multiple AS devices, match the AS devices with the WLAN devices applying for WLAN device certificates, so as to determine the corresponding AS public key certificates; and, when the WLAN device certificate is sent to the WLAN device, send the corresponding CA public key certificate and AS public key certificate to the WLAN device at the same time.
In an embodiment, the certificate acquiring unit is further configured to, when a WLAN device is newly added, initiate a request for a certificate of the newly added WLAN device to the WAPI certificate management system, where the request for the certificate of the newly added WLAN device carries information of the newly added WLAN device, and the WAPI certificate management system generates a WLAN device certificate according to the information of the newly added WLAN device; and/or the certificate acquisition unit is also configured to initiate a request for changing the WLAN equipment certificate to the WAPI certificate management system when the WLAN equipment is changed, wherein the request for changing the WLAN equipment certificate carries information for changing the WLAN equipment, and the WAPI certificate management system generates the WLAN equipment certificate according to the information for changing the WLAN equipment.
In one embodiment, the system further comprises a protocol establishing unit configured to set a communication protocol with the WLAN device, wherein the communication protocol comprises one or more of a WLAN device certificate type field, a WLAN device certificate password field, a media access control (MAC) address field of the WLAN device, a WLAN device certificate status change field, a WLAN device certificate status inquiry field, a WLAN device certificate command acceptance status field, and a WLAN certificate serial number (SN) field.
In one embodiment, the system further comprises an encryption authentication unit configured to perform encrypted authentication on the communication channel with the WAPI certificate management system and/or on the communication channel with the WLAN device.
In one embodiment, the certificate obtaining unit is further configured to obtain an AS certificate required by the AS device from the WAPI certificate management system, where the AS certificate includes an AS public key certificate and a private key; the certificate distribution unit is further configured to send the AS certificate and the pre-stored CA public key certificate to the AS device, so that the AS device installs the AS certificate.
In one embodiment, the certificate distribution unit is configured to distribute the WLAN device certificate and the pre-stored CA public key certificate and AS public key certificate to each WLAN device immediately or periodically according to the type and identification of the WLAN device.
According to another aspect of the present disclosure, a centralized distribution system for a WAPI certificate is further provided, which includes: a memory; and a processor coupled to the memory, the processor configured to perform the method as described above based on instructions stored in the memory.
According to another aspect of the present disclosure, there is also provided a WAPI system, including: a WAPI certificate management system; a WLAN device; and the WAPI certificate centralized distribution system.
According to another aspect of the present disclosure, a computer-readable storage medium is also proposed, on which computer program instructions are stored, which instructions, when executed by a processor, implement the above-described method.
Compared with the prior art, the WAPI certificate centralized distribution system acquires the WLAN device certificate required by the WLAN device from the WAPI certificate management system, and distributes the WLAN device certificate together with the pre-stored CA public key certificate and AS public key certificate to each WLAN device according to the type and the identifier of the WLAN device, so that each WLAN device can install the corresponding certificate. This removes the previously troublesome work of manually applying for a WAPI certificate for each WLAN device and improves the efficiency of WAPI certificate application, distribution and installation.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
fig. 1 is a flowchart illustrating an embodiment of a centralized distribution method for a WAPI certificate according to the present disclosure.
Fig. 2 is a flowchart illustrating another embodiment of the centralized distribution method for the WAPI certificates according to the present disclosure.
Fig. 3 is a flowchart illustrating another embodiment of the centralized distribution method for the WAPI certificates according to the present disclosure.
Fig. 4 is a schematic diagram of a communication protocol between the centralized distribution system of the WAPI certificates and the WLAN device according to the present disclosure.
Fig. 5 is a flowchart illustrating another embodiment of the centralized distribution method for the WAPI certificates according to the present disclosure.
Fig. 6 is a schematic structural diagram of an embodiment of the centralized distribution system for WAPI certificates in the present disclosure.
Fig. 7 is a schematic structural diagram of another embodiment of the centralized distribution system for WAPI certificates in the present disclosure.
Fig. 8 is a schematic structural diagram of another embodiment of the centralized distribution system for WAPI certificates in the present disclosure.
Fig. 9 is a schematic structural diagram of another embodiment of the centralized distribution system for WAPI certificates in the present disclosure.
Fig. 10 is a schematic structural diagram of an embodiment of the WAPI system of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
The method and the system can build a WAPI certificate centralized distribution system between a WAPI certificate management system and WLAN equipment, and the WAPI certificate centralized distribution system can realize application and distribution of the WAPI certificate.
Fig. 1 is a flowchart illustrating an embodiment of a centralized distribution method for a WAPI certificate according to the present disclosure.
In step 110, the WAPI certificate centralized distribution system obtains WLAN device certificates required by the WLAN device from the WAPI certificate management system.
The WAPI certificate management system comprises an RA center and a CA center. After the CA center generates and issues the WAPI certificate, the WAPI certificate message is sent to the RA center, and the WAPI certificate centralized distribution system obtains the WAPI certificates required by the WLAN devices from the RA center, where the WAPI certificates include a CA certificate, an AS (Authentication Server) certificate, and a WLAN device certificate. The WLAN device certificate includes a WLAN device public key certificate and a private key. The WAPI certificate centralized distribution system stores the CA public key certificate and the AS public key certificate after obtaining the CA public key certificate and the AS public key certificate, and when the WLAN equipment applies for the WAPI certificate, the WAPI certificate centralized distribution system only needs to obtain the WLAN equipment certificate required by the WLAN equipment from the WAPI certificate management system.
In step 120, the WLAN device certificate and the pre-stored CA public key certificate and AS public key certificate are distributed to each WLAN device according to the type and the identifier of the WLAN device, so that each WLAN device installs the corresponding certificate. The types of WLAN devices include non-centralized control type AP and centralized control type AC + AP. The device unique identification information is, for example, a device MAC (Media Access Control) address or a device serial number. The WAPI certificate centralized distribution system can issue the WAPI certificate to the corresponding WLAN equipment according to the equipment type and the equipment MAC address.
In this embodiment, after the central distribution system of the WAPI certificate obtains the WLAN device certificate required by the WLAN device from the WAPI certificate management system, the WLAN device certificate, the pre-stored CA public key certificate and the pre-stored AS public key certificate are distributed to each WLAN device according to the type of the WLAN device and the unique device identifier.
Fig. 2 is a flowchart illustrating another embodiment of the centralized distribution method for the WAPI certificates according to the present disclosure.
In step 210, when a WLAN device is newly added, the WAPI certificate centralized distribution system initiates a request for a new WLAN device certificate to the RA center, where the request for the new WLAN device certificate carries information of the newly added WLAN device. The information of the WLAN device at least includes a MAC address or a serial number, and the information of the WLAN device may further include an IP address, a manufacturer number, a province, a city, a hot spot number, a time of newly adding a device, and the like.
In one embodiment, an operator logs in to the centralized distribution system of the WAPI certificate and enters the information of the WLAN devices that need a WAPI certificate installed. WLAN devices of the same manufacturer in the same local network can be added in batches: for such devices, all entered information is identical except for the MAC address in the naming rule. The centralized distribution system of the WAPI certificate can submit WLAN certificate requests singly or in batches.
In step 220, the CA center acquires information of the newly added WLAN device from the RA center, and generates a WLAN device certificate based on the information of the newly added WLAN device.
In step 230, the WAPI certificate centralized distribution system obtains the WLAN device certificate from the RA center. The WLAN equipment certificate carries equipment MAC address or serial number information.
In one embodiment, the WAPI certificate centralized distribution system does not store the WLAN device certificate file, but only records information such as an issuer name, a serial number, a holder name, an issuance date, a certificate validity period, and the like of the certificate; and if the certificate is a PKCS12 certificate, recording the password corresponding to the P12 certificate.
In step 240, the WLAN device certificate is distributed to the corresponding WLAN device through a data channel with the WLAN device according to the type of the WLAN device. The distribution process comprises immediate distribution and timing distribution, wherein the immediate distribution refers to distribution to relevant WLAN equipment immediately after receiving the WAPI certificate, and the timing distribution refers to distribution of the WAPI certificate to the relevant WLAN equipment at set time.
After the WAPI certificate centralized distribution system sends the WLAN equipment certificate to the WLAN equipment, the downloaded WLAN equipment certificate is deleted.
In step 250, the WLAN device installs the WLAN device certificate as required by the device.
In the above embodiment, when a WLAN device is newly added, the WAPI certificate centralized distribution system carries information of the newly added WLAN device to initiate a request for a new WLAN device certificate to the RA center, so that the CA center generates the WLAN device certificate based on the WLAN device information, and after receiving the WLAN device certificate, distributes the WLAN device certificate to the WLAN device according to the type of the WLAN device, thereby improving the efficiency of applying for and installing the certificate for the WLAN device.
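The new-device flow of Fig. 1 and Fig. 2 (batch entry of same-manufacturer devices that differ only in MAC address, distribution of the device certificate with the pre-stored CA and AS public key certificates according to device type and identifier, recording of certificate metadata only, and deletion of the downloaded certificate after it is sent) is sketched below as an added Python example. It is not code from the patent or from China Telecom: the device type names, the temporary file standing in for the download from the RA center, the simulated data channel and all sample values are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Device types named in the patent: non-centralized control AP and centralized control AC + AP.
# The names themselves are an assumption of this example.
DEVICE_TYPES = {"FAT_AP", "AC_AP"}


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC address (any separator, any case) to lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass(frozen=True)
class DeviceInfo:
    mac: str
    device_type: str
    manufacturer: str
    province: str
    city: str
    hotspot: str
    added_on: date


@dataclass
class CertRecord:
    """Metadata the distribution system keeps; the certificate file and private key are not retained."""
    issuer: str
    serial: str
    holder: str
    issued_on: date
    not_after: date
    fingerprint_sha256: str = ""


def validate_batch_macs(macs: List[str]) -> List[str]:
    """Normalise every MAC in a batch and reject duplicates (two spellings of one MAC are one device)."""
    seen, out = set(), []
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:
            raise ValueError(f"duplicate MAC in batch: {mac}")
        seen.add(mac)
        out.append(mac)
    return out


def batch_register(template: dict, macs: List[str]) -> List[DeviceInfo]:
    """Batch entry for same-manufacturer devices: every field identical except the MAC (assumed naming rule)."""
    return [DeviceInfo(mac=mac, **template) for mac in validate_batch_macs(macs)]


class DistributionSystem:
    """Constructed stand-in for the centralized distribution system (not the patent's code)."""

    def __init__(self, ca_public_cert: bytes, as_public_cert: bytes):
        self.ca_public_cert = ca_public_cert   # pre-stored CA public key certificate
        self.as_public_cert = as_public_cert   # pre-stored AS public key certificate
        self.records: Dict[str, CertRecord] = {}
        self.delivered: Dict[str, List[str]] = {}   # mac -> certificate names pushed over the data channel

    def distribute(self, dev: DeviceInfo, downloaded_p12: str, meta: CertRecord) -> CertRecord:
        """Push device cert + CA cert + AS cert to one device, then delete the downloaded P12."""
        if dev.device_type not in DEVICE_TYPES:
            raise ValueError(f"unknown device type {dev.device_type!r} for {dev.mac}")
        try:
            with open(downloaded_p12, "rb") as fh:
                bundle = fh.read()
            # The data channel is simulated: record what was delivered, keyed by device identifier.
            self.delivered[dev.mac] = ["device_p12", "ca_public_cert", "as_public_cert"]
            meta.fingerprint_sha256 = hashlib.sha256(bundle).hexdigest()
            self.records[dev.mac] = meta
        finally:
            # The downloaded certificate (which contains the private key) is deleted even if delivery failed.
            if os.path.exists(downloaded_p12):
                os.remove(downloaded_p12)
        return meta


def demo() -> dict:
    """Constructed end-to-end run: batch-add two APs, distribute, confirm only metadata remains."""
    template = dict(device_type="AC_AP", manufacturer="VENDOR-01", province="P", city="C",
                    hotspot="HS-0001", added_on=date(2019, 7, 1))
    devices = batch_register(template, ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f"])
    system = DistributionSystem(b"CA-PUBLIC-CERT", b"AS-PUBLIC-CERT")  # constructed placeholders
    files_left = []
    for i, dev in enumerate(devices):
        fd, path = tempfile.mkstemp(suffix=".p12")   # stands in for the file downloaded from the RA center
        with os.fdopen(fd, "wb") as fh:
            fh.write(f"P12-FOR-{dev.mac}".encode())
        meta = CertRecord(issuer="CN=example-CA", serial=f"{i + 1:04d}", holder=dev.mac,
                          issued_on=date(2019, 7, 1), not_after=date(2021, 7, 1))
        system.distribute(dev, path, meta)
        files_left.append(os.path.exists(path))
    return {"macs": [d.mac for d in devices],
            "delivered": system.delivered,
            "files_left": files_left,
            "serials": sorted(r.serial for r in system.records.values()),
            "fingerprints": [r.fingerprint_sha256 for r in system.records.values()]}
```

Two points worth checking in a real deployment are visible here: MAC addresses are normalised before they are used as the device key, so the same device entered with a different separator or case is rejected as a duplicate rather than issued a second certificate, and the P12 file, which carries the device's private key, is removed in a finally block so it does not survive a failed delivery.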
Fig. 3 is a flowchart illustrating another embodiment of the centralized distribution method for the WAPI certificates according to the present disclosure.
In step 310, when the WLAN device is changed, the WAPI certificate centralized distribution system initiates a request for changing the WLAN device certificate to the RA center, where the request for changing the WLAN device certificate carries information for changing the WLAN device.
In step 320, the CA center acquires information of the changed WLAN device from the RA center and generates a WLAN device certificate based on the information of the changed WLAN device.
In step 330, the WAPI certificate centralized distribution system obtains the WLAN device certificate from the RA center. The WLAN equipment certificate carries equipment MAC address or serial number information.
In step 340, the WLAN device certificate is distributed to the corresponding WLAN device through a data channel with the WLAN device according to the type of the WLAN device.
In step 350, the WLAN device installs the WLAN device certificate as required by the device.
In the above embodiment, when the WLAN device is changed, the central distribution system of the WAPI certificate carries information for changing the WLAN device to initiate a request for changing the WLAN device certificate to the RA center, so that the CA center generates the WLAN device certificate based on the WLAN device information, and after receiving the WLAN device certificate, distributes the WLAN device certificate to the WLAN device according to the type of the WLAN device, thereby improving the efficiency of applying for and installing the certificate for the WLAN device.
In one embodiment, a communication protocol is set between the centralized distribution system of the WAPI certificates and the WLAN device. The communication protocol is, for example, SNMP (Simple Network Management Protocol); as shown in fig. 4, the protocol defines MIB values that include a type field of the WLAN device certificate, a password field of the WLAN device certificate, a MAC address field of the WLAN device, a WLAN certificate status change field, a WLAN certificate status query field, a WLAN certificate command acceptance status field, and a WLAN certificate SN field. The WAPI certificate centralized distribution system sends the WLAN device certificate to the WLAN device through the MIB values defined by the SNMP protocol so that the WLAN device can install the certificate.
In another embodiment of the present disclosure, the communication channel with the WAPI certificate management system is cryptographically authenticated. In order to ensure the security and reliability of the process in which the centralized distribution system of the WAPI certificate applies for and acquires the WLAN device certificate from the RA center, the interface between the centralized distribution system of the WAPI certificate and the RA center must be encrypted, where the encryption algorithm is, for example, the MD5 algorithm or the 3DES algorithm, and mutual authentication between the interfaces is performed using the encryption algorithm to ensure that the interfaces are authentic.
In another embodiment of the present disclosure, the communication channel with the WLAN device is cryptographically authenticated. In order to ensure the security and reliability of the process in which the centralized distribution system of the WAPI certificates issues the WLAN device certificate to the WLAN device, and to ensure that the interfaces are trusted, the interface between the centralized distribution system of the WAPI certificates and the WLAN device must be encrypted, wherein an encryption algorithm, such as the MD5 algorithm, is used for mutual authentication between the interfaces to ensure that the interfaces are trusted.
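The mutual interface authentication described in the two embodiments above, as an added Python example that is not the patent's own protocol. The patent names MD5 or 3DES as example algorithms; this example substitutes a keyed HMAC-SHA256 challenge-response from the standard library, because proving which party produced a value needs a keyed primitive (an unkeyed hash such as MD5 on its own does not bind a value to a key holder). The pre-shared interface key, the interface names, the 60-second freshness window and the per-nonce replay cache are assumptions of the example; transport encryption of the channel itself (for example TLS) is outside the block.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Set

# Assumption: a challenge older than this is rejected (limits replay of a captured response).
FRESHNESS_WINDOW_S = 60


@dataclass(frozen=True)
class Challenge:
    challenger: str     # interface that issued the challenge
    nonce: bytes        # 16 random bytes, accepted once
    issued_at: int      # Unix time when the challenge was issued


def _bind(responder: str, ch: Challenge) -> bytes:
    """Fixed-layout message that ties responder, challenger, nonce and time together."""
    return b"|".join([responder.encode(), ch.challenger.encode(),
                      ch.nonce.hex().encode(), str(ch.issued_at).encode()])


class Interface:
    """One end of an interface link (distribution system, RA center or WLAN device). Constructed example."""

    def __init__(self, name: str, shared_key: bytes):
        self.name = name
        self._key = shared_key
        self._used_nonces: Set[bytes] = set()

    def new_challenge(self, now: Optional[int] = None) -> Challenge:
        return Challenge(self.name, os.urandom(16), int(time.time() if now is None else now))

    def respond(self, ch: Challenge) -> bytes:
        """Prove knowledge of the shared key for the peer's challenge."""
        return hmac.new(self._key, _bind(self.name, ch), hashlib.sha256).digest()

    def verify(self, ch: Challenge, peer: str, tag: bytes, now: Optional[int] = None) -> bool:
        """Accept a peer's response only if the challenge is ours, fresh, unused and the tag matches."""
        if ch.challenger != self.name:
            return False
        t = int(time.time() if now is None else now)
        if abs(t - ch.issued_at) > FRESHNESS_WINDOW_S or ch.nonce in self._used_nonces:
            return False
        expected = hmac.new(self._key, _bind(peer, ch), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False
        self._used_nonces.add(ch.nonce)
        return True


def mutual_authenticate(a: Interface, b: Interface, now: Optional[int] = None) -> bool:
    """Both directions must pass before certificate requests or downloads are allowed on the link."""
    ch_a, ch_b = a.new_challenge(now), b.new_challenge(now)
    a_trusts_b = a.verify(ch_a, b.name, b.respond(ch_a), now)
    b_trusts_a = b.verify(ch_b, a.name, a.respond(ch_b), now)
    return a_trusts_b and b_trusts_a
```

The responder's own name is part of the signed message, so a response produced for one direction cannot be replayed as the other direction's answer, and a tag computed against a wrong key fails the constant-time comparison without revealing where it diverged.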
In one embodiment, it is determined whether the time remaining from the current time until the expiration of the WLAN device certificate is less than a time threshold, and if so, a certificate update request is sent to the WAPI certificate management system. For example, one week before the expiration time of the WAPI certificate, a certificate update request is sent to the RA center so that the CA center reissues a new certificate, and the WAPI certificate centralized distribution system distributes the new certificate to the WLAN device for certificate update.
Fig. 5 is a flowchart illustrating another embodiment of the centralized distribution method for the WAPI certificates according to the present disclosure. In this embodiment, the WLAN device takes an AP device as an example, that is, a WLAN network needs to add a new centralized control AP device and install a WAPI certificate for the AP device.
At step 510, the information of the AP device is entered in the WAPI certificate centralized distribution system. The information of the AP device includes information such as a MAC address, a device serial number, an IP address, a manufacturer number, a province, a city, a hot spot number, and a time of newly added devices.
The WAPI certificate centralized distribution system stores the CA public key certificate and the AS public key certificate in advance.
In step 520, the WAPI certificate centralized distribution system sends the information of the AP device to the RA center through the encrypted authenticated data channel, and sends a request for obtaining the AP device certificate to the RA center.
In step 530, the CA center generates an AP device certificate according to the information of the AP device. After the RA center accepts the AP device certificate request, the CA center generates and issues a certificate, and then feeds the certificate back to the RA center. Wherein, the RA center informs the WAPI certificate centralized distribution system that the AP equipment certificate has been issued.
In step 540, the WAPI certificate centralized distribution system downloads the AP device certificate of the AP device in the RA center through the encrypted authenticated data channel. The AP device certificate includes a public key certificate and a private key of the AP device. The WAPI certificate centralized distribution system records information such as the name of an issuer of a certificate, a serial number, the name of a holder, the issuance date, the validity period of the certificate and the like, and does not store the AP equipment certificate file.
In step 550, the WAPI certificate centralized distribution system matches the AP device with the AS device. If several AS devices exist locally, the system automatically matches the AP device with the AS devices, so as to determine the AS certificate corresponding to the AP device.
In step 560, the WAPI certificate centralized distribution system distributes the AP device certificate, the corresponding AS public key certificate, and the CA public key certificate to the AP device through the data channel of the encryption authentication.
In step 570, the centralized distribution system of the WAPI certificates judges whether the expiration time of the current time from the validity period of the AP device certificate is less than a time threshold, if so, step 520 is executed, otherwise, the subsequent steps are not executed.
For example, the WAPI certificate centralized distribution system sets the certificate validity warning according to the AP device certificate validity period of the AP device, where the warning time is, for example, a specified time of the validity period, and the specified time may be set in actual situations, for example, the last week, the last five days, and the like. When the WAPI certificate centralized distribution system automatically applies for the AP equipment certificate updating request to the RA center and sends related application materials, the RA center re-applies for issuing a new certificate after accepting the request, and the system re-issues the new certificate to the AP equipment for certificate updating after downloading.
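Steps 540 to 570 above, as an added example that is not part of the patent: the metadata record the distribution system keeps instead of the certificate file, the expiry-threshold check that triggers a repeat of step 520, and the matching of an AP to one of several AS devices. The city-then-province matching rule, the field names and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class CertRecord:
    """Metadata the distribution system keeps about an issued device certificate.

    Per the text it records issuer, serial number, holder, issuance date and
    validity period but not the certificate file, so it never holds device
    private keys at rest.
    """
    issuer: str
    serial: str
    holder: str          # certificate subject, here the AP's MAC address
    issued_at: datetime
    not_after: datetime  # end of the validity period


@dataclass(frozen=True)
class ApDevice:
    mac: str
    province: str
    city: str


@dataclass(frozen=True)
class AsDevice:
    name: str
    province: str
    city: str
    public_key_cert: str  # constructed placeholder for the AS public key certificate


def needs_renewal(rec: CertRecord, now: datetime, threshold: timedelta) -> bool:
    """Step 570: renewal is due when less than `threshold` remains before expiry.
    An already-expired certificate has negative time left and is flagged too."""
    return rec.not_after - now < threshold


def due_for_renewal(records: List[CertRecord], now: datetime,
                    threshold: timedelta) -> List[str]:
    """Serial numbers for which step 520 (a new certificate request) is repeated."""
    return [r.serial for r in records if needs_renewal(r, now, threshold)]


def match_as_device(ap: ApDevice, as_devices: List[AsDevice]) -> AsDevice:
    """Step 550: pick the AS whose public key certificate travels with the AP cert.

    The text only says the match is automatic; "same city first, then same
    province, otherwise fail" is an assumption of this example. Failing loudly
    is deliberate: pushing the wrong AS certificate makes the AP trust an AS
    that will never authenticate its stations.
    """
    if not as_devices:
        raise LookupError("no AS device registered")
    if len(as_devices) == 1:
        return as_devices[0]
    for as_dev in as_devices:
        if (as_dev.province, as_dev.city) == (ap.province, ap.city):
            return as_dev
    for as_dev in as_devices:
        if as_dev.province == ap.province:
            return as_dev
    raise LookupError(f"no AS device serves {ap.province}/{ap.city}")


def distribution_bundle(ap: ApDevice, ap_cert_file: bytes,
                        as_devices: List[AsDevice], ca_public_cert: str) -> dict:
    """Step 560: the three items delivered to the AP over the authenticated channel."""
    as_dev = match_as_device(ap, as_devices)
    return {
        "device_mac": ap.mac,
        "ap_device_certificate": ap_cert_file,  # public key certificate + private key
        "as_public_key_certificate": as_dev.public_key_cert,
        "ca_public_key_certificate": ca_public_cert,
    }


# Constructed sample data (not from the patent).
UTC = timezone.utc
CHECK_TIME = datetime(2024, 12, 28, tzinfo=UTC)
ONE_WEEK = timedelta(days=7)  # the "last week" warning window from the text
SAMPLE_RECORDS = [
    CertRecord("CN=Example WAPI CA", "1001", "MAC=00-11-22-33-44-55",
               datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC)),
    CertRecord("CN=Example WAPI CA", "1002", "MAC=00-11-22-33-44-66",
               datetime(2024, 6, 1, tzinfo=UTC), datetime(2025, 6, 1, tzinfo=UTC)),
    CertRecord("CN=Example WAPI CA", "1003", "MAC=00-11-22-33-44-77",
               datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC)),
]
SAMPLE_AS_DEVICES = [
    AsDevice("as-guangzhou", "Guangdong", "Guangzhou", "AS-CERT-GZ-placeholder"),
    AsDevice("as-shenzhen", "Guangdong", "Shenzhen", "AS-CERT-SZ-placeholder"),
]
SAMPLE_AP = ApDevice("00-11-22-33-44-55", "Guangdong", "Shenzhen")
SAMPLE_AP_OTHER_CITY = ApDevice("00-11-22-33-44-88", "Guangdong", "Dongguan")

if __name__ == "__main__":
    print("due for renewal:", due_for_renewal(SAMPLE_RECORDS, CHECK_TIME, ONE_WEEK))
    print("AS for", SAMPLE_AP.mac, "->", match_as_device(SAMPLE_AP, SAMPLE_AS_DEVICES).name)
```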
In the above embodiment, a WAPI certificate centralized distribution system is established between the WAPI certificate management system and the AP device, and encrypted and authenticated communication channels are respectively established with the WAPI certificate management system and the AP device, so that automatic certificate application and automatic certificate distribution can be performed on a single AP device or a large batch of AP devices, the security and reliability of certificate application and issuing can be ensured, and the working efficiency is improved.
In another embodiment of the invention, a WAPI certificate centralized distribution system acquires an AS certificate required by AS equipment from a WAPI certificate management system, wherein the AS certificate comprises an AS public key certificate and a private key; and then sending the AS certificate and the pre-stored CA public key certificate to the AS equipment so that the AS equipment can install the AS certificate.
Fig. 6 is a schematic structural diagram of an embodiment of the WAPI certificate centralized distribution system of the present disclosure. The system includes a certificate acquisition unit 610 and a certificate distribution unit 620.
The certificate acquisition unit 610 is configured to acquire from the WAPI certificate management system the WLAN device certificate required by a WLAN device, where the WLAN device certificate includes a WLAN device public key certificate and a private key. When a WLAN device is newly added, the certificate acquisition unit 610 initiates a new WLAN device certificate request to the RA center, where the request carries the information of the newly added WLAN device; when a WLAN device is changed, it initiates a WLAN device certificate change request to the RA center, where the request carries the changed information of the WLAN device.
The WLAN device information includes at least a MAC address or a serial number, and may further include an IP address, a manufacturer number, a province, a city, a hotspot number, the time the device was added, and the like.
The certificate acquisition unit 610 is further configured to determine whether the time remaining from the current time until the end of the WLAN device certificate's validity period is less than a time threshold, and if so, to send a certificate update request to the WAPI certificate management system.
The certificate distribution unit 620 is configured to distribute the WLAN device certificate, together with the pre-stored CA public key certificate and AS public key certificate, to each WLAN device according to the type and identifier of the WLAN device, so that each WLAN device installs its corresponding WAPI certificate. WLAN device types include non-centrally controlled APs and centrally controlled AC + AP combinations. The WAPI certificate centralized distribution system issues the WAPI certificate to the corresponding WLAN device according to the device's unique identifier.
In this embodiment, after the WAPI certificate centralized distribution system acquires from the WAPI certificate management system the WLAN device certificate required by a WLAN device, it distributes the WLAN device certificate, the pre-stored CA public key certificate and the pre-stored AS public key certificate to each WLAN device according to the device type and unique device identifier. This removes the need of the conventional method to apply for a WAPI certificate manually for each WLAN device, improves the efficiency of WAPI certificate application and distribution, and improves the security of the WAPI certificate transmission process.
In another embodiment of the present disclosure, the system further includes a protocol establishing unit (not shown) configured to set up a communication protocol with the WLAN device, where the communication protocol includes a WLAN device certificate type field, a WLAN device certificate password field, a WLAN device MAC address field, a WLAN certificate status change field, a WLAN certificate status inquiry field, a WLAN certificate command acceptance status field, a WLAN certificate SN field, and the like. The WAPI certificate centralized distribution system sends the WAPI certificate to the WLAN device according to the fields of the communication protocol, so that the WLAN device can install the certificate.
In another embodiment of the present disclosure, the system further comprises an encryption authentication unit (not shown) configured to perform encryption authentication on the communication channel with the WAPI certificate management system and on the communication channel with the WLAN device.
To secure the process in which the WAPI certificate centralized distribution system applies to the RA center, acquires the WAPI certificate and issues it to the WLAN device, the interface between the WAPI certificate centralized distribution system and the RA center and the interface between the WAPI certificate centralized distribution system and the WLAN device must both be encrypted. The encryption algorithm is, for example, the MD5 algorithm or the 3DES algorithm, and mutual authentication between the interfaces is performed using the encryption algorithm to ensure that the interfaces are authentic.
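As an added example (not from the patent) covering the protocol fields listed above and the authenticated channel that carries them: a canonical encoding of the fields with an HMAC-SHA256 tag from the Python standard library, used here in place of the MD5 or 3DES the text names, so that a modified or forged message is rejected before any field is acted on. The JSON key names, the nonce-tag-body layout and the pre-shared key are assumptions of this example; confidentiality of the certificate password is left to the transport (for example TLS) and is not provided by this code.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Fields of the distribution-system/WLAN-device protocol as listed in the text;
# the JSON key names are this example's own choice.
FIELDS = (
    "cert_type",           # type of the WLAN device certificate (e.g. PKCS12)
    "cert_password",       # password protecting the certificate file
    "mac",                 # MAC address of the WLAN device
    "cert_status_change",  # WLAN certificate status change field
    "cert_status_query",   # WLAN certificate status inquiry field
    "cmd_accept_status",   # WLAN certificate command acceptance status field
    "cert_sn",             # WLAN certificate serial number (SN) field
)

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def encode_message(fields: Dict[str, Optional[str]], key: bytes,
                   nonce: Optional[bytes] = None) -> bytes:
    """Serialize the protocol fields and prepend an HMAC-SHA256 tag.

    Layout (this example's assumption): nonce || tag || JSON body. The nonce
    is covered by the tag, so the same body sent twice carries different
    tags and a receiver that remembers nonces can reject replays.
    """
    unknown = set(fields) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown protocol fields: {sorted(unknown)}")
    # Canonical JSON (fixed key order, no whitespace) so both sides compute
    # the tag over byte-identical input; absent fields are sent as null.
    body = json.dumps({k: fields.get(k) for k in FIELDS},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 16 bytes")
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def decode_message(blob: bytes, key: bytes) -> Dict[str, Optional[str]]:
    """Verify the tag in constant time, then parse the body. Raises on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    body = blob[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: message rejected")
    return json.loads(body.decode("utf-8"))


def is_authentic(blob: bytes, key: bytes) -> bool:
    """True if decode_message would accept the message under this key."""
    try:
        decode_message(blob, key)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError as well
        return False


def flip_last_byte(blob: bytes) -> bytes:
    """Simulate a one-bit change in transit, to show the tag check catches it."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


# Constructed sample values (not from the patent).
SAMPLE_KEY = b"pre-shared-key-for-this-example-only"
SAMPLE_FIELDS = {
    "cert_type": "PKCS12",
    "cert_password": "p12-password-placeholder",
    "mac": "00-11-22-33-44-55",
    "cert_status_change": "install",
    "cert_status_query": None,
    "cmd_accept_status": None,
    "cert_sn": "1001",
}

if __name__ == "__main__":
    msg = encode_message(SAMPLE_FIELDS, SAMPLE_KEY)
    print("decoded:", decode_message(msg, SAMPLE_KEY))
    print("tampered message accepted?", is_authentic(flip_last_byte(msg), SAMPLE_KEY))
```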
In another embodiment of the present disclosure, the certificate obtaining unit 610 is further configured to obtain, from the WAPI certificate management system, an AS certificate required by the AS device, where the AS certificate includes an AS public key certificate and a private key; the certificate distribution unit 620 is further configured to send the AS certificate and the pre-stored CA public key certificate to the AS device, so that the AS device installs the AS certificate.
The above embodiment describes a WAPI certificate centralized distribution system in which the functions implemented by each unit may be implemented by integrated modules. For example, as shown in Fig. 7, the certificate acquisition unit 610 may be implemented by a certificate acceptance and application function module 710. The certificate acceptance and application function module 710 need not store the device certificate file; it records only information such as the certificate's issuer name, serial number, holder name, issuance date and validity period and, if the certificate is a PKCS12 certificate, the password corresponding to the P12 certificate and the like. The module can perform batch operations by means of a file or an Excel spreadsheet.
The certificate distribution unit 620, implemented for example by the certificate distribution management module 720 in Fig. 7, may raise an alarm if, after receiving the certificate message issued by the RA, it checks the message and finds it incorrect.
The centralized distribution system of the WAPI certificate may further include an equipment management function module 730 and a statistical query function module 740, in addition to the certificate acceptance application function module 710 and the certificate distribution management module 720.
The device management function module 730 manages and maintains the information of the devices that apply for and install certificates: it records the relevant device information when a WLAN device is newly added, and can add WLAN devices of the same manufacturer in the same local network in batches. The MAC address of a newly added device can be bound to its certificate, and query conditions such as MAC address, city, manufacturer number and time of addition can be set, so that the statistical query function module 740 can query the information of the newly added devices.
The statistical query function module 740 implements statistical queries over device data, certificate data and service processing records. For example, device information can be retrieved by specifying retrieval conditions such as device information, realizing a query of the current device information; certificate information can be retrieved by specifying conditions such as certificate retrieval information, realizing a query of the current certificate information, where the certificate retrieval information includes the specified certificate status (normal) combined with the certificate validity start time, end time, certificate subject items and the like. The module can also query operations, such as the operations submitted by each administrator, and the major-level alarms generated by the system; in addition, it can query logs or devices, such as the operation log at a specified time, the login time of an administrator, or the system problems the system has generated.
The centralized distribution system of the WAPI certificate further comprises an RA interface 750 for information interaction with the RA center and a WLAN device interface 760 for information interaction with each WLAN device. In addition, the system includes a business management interface 770 and a system management interface 780, which are not further described herein.
Fig. 8 is a schematic structural diagram of another embodiment of the centralized distribution system for WAPI certificates in the present disclosure. The system includes a memory 810 and a processor 820, wherein: the memory 810 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory is used to store instructions in the embodiments corresponding to fig. 1-5. Processor 820 is coupled to memory 810 and may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 820 is configured to execute instructions stored in the memory.
In one embodiment, as also shown in FIG. 9, the system 900 includes a memory 910 and a processor 920. Processor 920 is coupled to memory 910 by a BUS 930. The system 900 may also be coupled to an external storage device 950 via a storage interface 940 for facilitating retrieval of external data, and may also be coupled to a network or another computer system (not shown) via a network interface 960, which will not be described in detail herein.
In this embodiment, the instructions are stored in the memory and executed by the processor, so that the application and distribution efficiency of the WAPI certificate is improved.
Fig. 10 is a schematic structural diagram of an embodiment of the WAPI system of the present disclosure. The WAPI system includes a WAPI certificate management system 1010, WLAN devices 1020, and a WAPI certificate centralized distribution system 1030. The centralized distribution system 1030 of the WAPI certificates is described in detail in the above embodiments.
The WAPI certificate management system 1010 includes an RA center 1011 and a CA center 1012. The RA center 1011 receives the request to obtain WLAN device certificates sent by the WAPI certificate centralized distribution system 1030 and forwards the WLAN device information carried in that request to the CA center 1012; the CA center 1012 generates the WLAN device certificates according to the WLAN device information and returns them to the RA center 1011, from which the WAPI certificate centralized distribution system 1030 obtains them. The WLAN device 1020 is an AP-type device or an AC + AP-type device, and installs the certificates after acquiring the WLAN device certificate, the CA public key certificate and the AS public key certificate from the WAPI certificate centralized distribution system 1030.
In this embodiment, the tedious work of manually applying for, installing or updating the WAPI certificate for each WLAN device is eliminated, the installation and application efficiency of the WAPI certificate is improved, and the security and reliability of WAPI device certificate application and distribution are improved.
In another embodiment, a computer-readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of the method in the corresponding embodiments of fig. 1-5. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (19)

1. A method for distributing WAPI certificates in a centralized way, comprising the following steps:
a wireless local area network authentication and privacy infrastructure (WAPI) certificate centralized distribution system obtains, from a WAPI certificate management system, a wireless local area network (WLAN) device certificate required by a WLAN device, wherein the WLAN device certificate comprises a WLAN device public key certificate and a private key;
and distributing the WLAN device certificate, a pre-stored certificate authority (CA) public key certificate and a pre-stored authentication server (AS) public key certificate to each WLAN device according to the type and the identifier of the WLAN device, so as to install the corresponding certificate on each WLAN device.
2. The method of claim 1, further comprising:
the WAPI certificate centralized distribution system determines whether the time remaining from the current time until the end of the WLAN device certificate validity period is less than a preset time threshold, and if so, sends a certificate update request to the WAPI certificate management system.
3. The method of claim 1, wherein,
if a plurality of AS devices exist, the WAPI certificate centralized distribution system matches the AS devices with the WLAN device applying for the WLAN device certificate so as to determine the corresponding AS public key certificate;
and when the WLAN device certificate is sent to the WLAN device, sending the corresponding CA public key certificate and AS public key certificate to the WLAN device.
4. The method of claim 1, further comprising:
when a WLAN device is newly added, the WAPI certificate centralized distribution system initiates a new WLAN device certificate request to the WAPI certificate management system, wherein the new WLAN device certificate request carries information of the newly added WLAN device, and the WAPI certificate management system generates a WLAN device certificate according to the information of the newly added WLAN device; and/or
when a WLAN device is changed, the WAPI certificate centralized distribution system initiates a WLAN device certificate change request to the WAPI certificate management system, wherein the WLAN device certificate change request carries the changed information of the WLAN device, and the WAPI certificate management system generates a WLAN device certificate according to the changed information of the WLAN device.
5. The method of any of claims 1-4, further comprising:
the WAPI certificate centralized distribution system sets a communication protocol with the WLAN device, wherein the communication protocol comprises one or more of a WLAN device certificate type field, a WLAN device certificate password field, a WLAN device MAC address field, a WLAN device certificate status change field, a WLAN device certificate status inquiry field, a WLAN device certificate command acceptance status field and a WLAN certificate serial number (SN) field.
6. The method of any of claims 1-4, further comprising:
the WAPI certificate centralized distribution system performs encryption authentication on a communication channel with the WAPI certificate management system; and/or
performs encryption authentication on a communication channel with the WLAN device.
7. The method of any of claims 1-4, further comprising:
the WAPI certificate centralized distribution system acquires an AS certificate required by AS equipment from the WAPI certificate management system, wherein the AS certificate comprises an AS public key certificate and a private key;
and sending the AS certificate and the pre-stored CA public key certificate to AS equipment so that the AS equipment can install the AS certificate.
8. The method according to any one of claims 1 to 4, wherein
the WAPI certificate centralized distribution system distributes the WLAN device certificate together with the pre-stored CA public key certificate and AS public key certificate to each WLAN device either immediately or at scheduled times, according to the type and the identifier of the WLAN device.
9. A centralized distribution system for WAPI certificates, comprising:
a certificate acquisition unit configured to acquire, from a WAPI certificate management system, a WLAN device certificate required by a WLAN device, wherein the WLAN device certificate comprises a WLAN device public key certificate and a private key;
and a certificate distribution unit configured to distribute the WLAN device certificate, a pre-stored certificate authority (CA) public key certificate and a pre-stored authentication server (AS) public key certificate to each WLAN device according to the type and the identifier of the WLAN device, so that each WLAN device installs the corresponding certificate.
10. The system of claim 9, wherein,
the certificate acquisition unit is further configured to determine whether the time remaining from the current time until the end of the WLAN device certificate validity period is less than a preset time threshold, and if so, to send a certificate update request to the WAPI certificate management system.
11. The system of claim 9, wherein,
the certificate distribution unit of the WAPI certificate centralized distribution system is further configured, if a plurality of AS devices exist, to match the AS devices with the WLAN device applying for the WLAN device certificate so as to determine the corresponding AS public key certificate, and, when the WLAN device certificate is sent to the WLAN device, to send the corresponding CA public key certificate and AS public key certificate to the WLAN device.
12. The system of claim 9, wherein,
the certificate acquisition unit is further configured to initiate a new WLAN device certificate request to the WAPI certificate management system when a WLAN device is newly added, wherein the new WLAN device certificate request carries information of the newly added WLAN device, and the WAPI certificate management system generates a WLAN device certificate according to the information of the newly added WLAN device; and/or
the certificate acquisition unit is further configured to initiate a WLAN device certificate change request to the WAPI certificate management system when a WLAN device is changed, wherein the WLAN device certificate change request carries the changed information of the WLAN device, and the WAPI certificate management system generates the WLAN device certificate according to the changed information of the WLAN device.
13. The system of any of claims 9-12, further comprising:
a protocol establishing unit configured to set a communication protocol with the WLAN device, wherein the communication protocol includes one or more of a type of WLAN device certificate, a password of the WLAN device certificate, a Media Access Control (MAC) address of the WLAN device, a WLAN device certificate status change field, a WLAN device certificate status inquiry field, a WLAN device certificate command acceptance status field, and a WLAN certificate Serial Number (SN) field.
14. The system of any of claims 9-12, further comprising:
an encryption authentication unit configured to perform encryption authentication on a communication channel with the WAPI certificate management system; and/or perform encryption authentication on a communication channel with the WLAN device.
15. The system of any of claims 9-12,
the certificate acquisition unit is further configured to acquire an AS certificate required by AS equipment from the WAPI certificate management system, wherein the AS certificate comprises an AS public key certificate and a private key;
the certificate distribution unit is further configured to send the AS certificate and a pre-stored CA public key certificate to an AS device so that the AS device installs the AS certificate.
16. The system of any of claims 9-12,
the certificate distribution unit is configured to distribute the WLAN device certificate and the pre-stored CA public key certificate and AS public key certificate to each WLAN device immediately or periodically according to the type and the identification of the WLAN device.
17. A centralized distribution system for WAPI certificates, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the method of any of claims 1-8 based on instructions stored in the memory.
18. A WAPI system comprising:
a WAPI certificate management system;
a WLAN device; and
the centralized distribution system for WAPI certificates of any of claims 9-17.
19. A computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the method of any of claims 1 to 8.
CN201910642946.0A 2019-07-17 2019-07-17 WAPI certificate centralized distribution method and system Active CN112312395B (en)

Publications (2)

Publication Number Publication Date
CN112312395A (en) 2021-02-02
CN112312395B (en) 2023-03-31
