
University-level research project

Deploying CA-based services

I. Introduction
Today, communication over the Internet has become an essential need. The information sent over the network is often highly sensitive: account numbers, confidential data and so on. At the same time, attackers are becoming more sophisticated, and the risk of information being stolen in transit keeps growing. Internet communication relies mainly on the TCP/IP protocol suite, which delivers data from one computer to another through a chain of intermediate hosts and separate networks. This is exactly what gives a high-tech "thief" the opportunity to act: anything sent over the network can be eavesdropped on (Eavesdropping), altered (Tampering) or sent under a false identity (Impersonation). Traditional protections such as passwords do not solve this, because a password can itself be sniffed or guessed quickly. Information sent over the Internet therefore tends to be encrypted: the sender encrypts it before transmission, so that even if an attacker "intercepts" it in transit it cannot be read, and the recipient decrypts it on arrival with a matching tool. The most widely adopted method for doing this is the digital certificate (Digital Certificate). With a certificate and its associated key pair, a user can encrypt information efficiently, detect tampering (the recipient can check whether the content was modified) and authenticate the identity of the sender. A certificate also provides evidence for non-repudiation: the sender cannot later deny being the origin of a document they signed. The form of encryption that makes this possible is public key cryptography, and using it in practice requires a certificate issued by a trusted administrative body, the certification authority (CA).

II. Public key infrastructure


II.1 Concept
A PKI (public key infrastructure) lets the users of an untrusted public network such as the Internet exchange data and money securely, using a public/private key pair that is issued and used through a trusted certification provider. The infrastructure supplies a digital certificate that identifies a person or organisation, and directory services that store certificates and, when needed, publish their revocation. Although the basic components of a PKI are widely known, some vendors are pushing their own divergent PKI standards, and a common Internet PKI standard is still being developed. A public key infrastructure consists of:

- A certification authority (CA), which issues and verifies digital certificates. A certificate contains the public key, or information about the public key.
- A registration authority (RA), which acts as the verifier for the CA before a certificate is issued to the requester.
- One or more directories in which certificates (with their public keys) are kept, so that a party can look up and fetch the public key of the partner it wants to transact with.
- A certificate management system.

II.2 Certification Authority (CA)

Among the certification systems operating today, a certification authority (Certificate authority - CA) is an organisation that issues and manages security credentials, together with the public keys used for encryption, on a computer network. As part of the public key infrastructure (PKI), a CA works with a registration authority (RA) to verify the information a requester presents for a certificate. If the RA confirms the requester's information, the CA then issues a certificate. Depending on how the PKI is deployed, the certificate contains the owner's public key, the certificate's expiry date, the owner's name and other information about the holder of the public key.

II.3 Digital certificates
II.3.1 Concept
A digital certificate is an electronic file used to prove the identity of a person, a server, a company, etc. on the Internet. It plays the role of a driving licence, passport, identity card or similar identification document. To obtain an identity card you must have it issued by the local police authority. The same applies to a digital certificate: an organisation must vouch that the information in it is correct. That organisation is the certification authority (Certificate Authority, abbreviated CA). The CA must be trustworthy and is responsible for the accuracy of the certificates it issues.

A certificate has the following main components:
- Identifying information about the subject (the party it was issued to).
- The subject's public key (Public key).
- The digital signature of the CA that issued the certificate.
- The validity period.

Subject information
This is the information about the party the certificate was issued to: name, nationality, address, telephone, e-mail, organisation name and so on. It corresponds to the details printed on a person's identity card.

Public key
In cryptographic terms, the public key is one half of an asymmetric key pair. The two keys are generated together (in practice by the subject, not by the CA): the public key is published in the certificate, the private key is kept secret by its owner, and the scheme relies on it being infeasible to derive the private key from the public one. The principle of operation is that the two communicating parties must know each other's public key. If A wants to send a message to B, A encrypts it with B's public key; B uses its own private key to open it. The asymmetry lies in the fact that the private key can decrypt data encrypted with the public key of the same pair, but the public key cannot decrypt anything, not even data it encrypted itself. This property is essential, because many parties B, C, D... may all transact with A and all hold A's public key, yet C, D... cannot decrypt what B sends to A, even if they capture the packets on the network. In everyday terms, if the certificate is an identity card, the public key is the identity printed on it (name, address, photograph...), while the private key is your actual face and fingerprints. If a parcel is the information being sent, "encrypted" with your name and address as recipient, then someone who steals your identity card to collect it will still be refused by the postal clerk, because the face and fingerprints do not match.

Digital signature of the issuing CA
This is the CA's attestation that the certificate is correct and valid; it binds the certificate to the CA's own certificate (for a root CA, the root certificate). When checking a certificate, the first step is to verify that the CA's signature is valid. On an identity card this corresponds to the seal of the provincial or city police that issued it: in principle, the first thing to examine is the seal, to tell whether the card is forged.

II.3.2 Benefits of digital certificates
a) Encryption
The first benefit is confidentiality. When a sender encrypts information with your public key, only you, as holder of the matching private key, can decrypt it. Even if an attacker reads the encrypted packets in transit, they learn nothing about the content. This is a crucial property that lets users rely on the confidentiality of their data. Exchanges that need strong protection, such as interbank transactions, electronic banking and credit-card payments, all require digital certificates.

b) Tamper detection
When you send information, whether a data file or an e-mail, signed with the key behind your certificate, the recipient can check whether it was altered: any modification or substitution of the original message content is detected. E-mail addresses, domain names and the like can be forged by attackers to trick recipients into spreading viruses or leaking sensitive information. A certificate, on the other hand, cannot be forged without the CA's private key, and a signature cannot be forged without the subject's private key, so information exchanged with certificates remains trustworthy as long as those keys are not compromised.

c) Authentication
When you send information together with a digital certificate, the recipient, whether a business partner, an organisation or a government agency, can establish your identity: even without seeing you, the recipient knows, through the certificate system you both use, that it is you and not someone else. Authentication is essential for electronic transactions over the network and for administrative procedures with public authorities, which must clearly verify the legal identity of the sender. This is the foundation of e-Government, an environment in which citizens deal with state agencies entirely online, and digital certificates are an indispensable, core part of it.

d) Non-repudiation of origin
When you use a digital certificate you are fully responsible for the information signed with it. If a sender denies having sent a particular message (an online purchase order, for instance), the signed message held by the recipient is evidence that the sender authored it. In such a dispute, the CA that issued the certificates to both parties is responsible for verifying the origin of the information.

e) Digital signatures
E-mail plays a major role in daily communication because it is fast, cheap and easy to use: messages reach customers, colleagues, suppliers and partners in moments. But e-mail is easily read by hackers, and messages can be read or forged before they arrive. With a personal certificate you can prevent these risks without losing the advantages of e-mail: you can add a digital signature to a message as proof that it came from you. Such a signature provides authentication, data integrity and non-repudiation of origin. A personal certificate also lets a user authenticate to a web server over the SSL protocol; certificate-based authentication is considered stronger and safer than traditional password-based authentication.

f) Web site security
When your web site is used for e-commerce or other important purposes, the information exchanged between you and your customers may be exposed. To avoid this you can use an SSL Server certificate, which lets you configure the site to use the SSL (Secure Sockets Layer) protocol. This kind of certificate gives the site a unique identity, assuring customers of its authenticity and legitimacy, and enables secure, confidential exchanges between the site and your customers, employees and partners. Notable uses:
- Purchases by credit card.
- Protection of customers' sensitive personal information.
- Preventing hackers from sniffing passwords.

g) Software assurance
If you are a software vendor, you need the equivalent of an "anti-counterfeiting stamp" on your products; it is an indispensable tool for enforcing copyright. A software developer certificate lets you sign applets, scripts, Java software, ActiveX controls and files such as EXE, CAB and DLL. Through the certificate you attest to the legitimacy and origin of the product, and users can verify that you are the supplier and detect any change to the program (accidental corruption, a virus, a cracked or pirated copy...).

With these security and authentication benefits, digital certificates are used worldwide as the tool for identifying the parties in e-commerce transactions. They are a global, standards-based technology, even though each country regulates certification somewhat differently. Every country needs active domestic CAs and its own certification services, but to carry out e-commerce across borders, countries must also follow common technical standards and practise cross-certification, exchanging and recognising each other's CAs.
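The asymmetry described in II.3.1 and the encryption, integrity and non-repudiation benefits listed in II.3.2 can be seen directly with the RSA classes in .NET. The script below is an added example, not part of the original report; it simulates the certificate holder with an in-memory key pair (no CA is involved) and uses a constructed sample message.

```powershell
# Added example (not from the original report): the asymmetric key pair behind a
# certificate, demonstrated with .NET's RSA implementation. No CA is involved;
# $holder stands in for the certificate subject, and the message is made up.

# The holder generates the key pair; the private key never leaves this object.
$holder = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

# What would go into the certificate: only the public half of the pair.
$publicOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$publicOnly.ImportParameters($holder.ExportParameters($false))   # $false = no private key

$message = [Text.Encoding]::UTF8.GetBytes('order #1234: pay 500 USD')

# a) Confidentiality: anyone holding the public key can encrypt ...
$ciphertext = $publicOnly.Encrypt($message, $true)                # $true = OAEP padding
# ... but only the private key can decrypt.
$plain = [Text.Encoding]::UTF8.GetString($holder.Decrypt($ciphertext, $true))
"Decrypted with private key: $plain"

# The public key cannot reverse its own encryption (CryptographicException).
try {
    $publicOnly.Decrypt($ciphertext, $true) | Out-Null
} catch {
    "Decrypt with public key failed as expected: $($_.Exception.GetType().Name)"
}

# b), c), d) Integrity, authentication, non-repudiation: sign with the private key,
# verify with the public key; any change to the message breaks the signature.
$signature = $holder.SignData($message, 'SHA256')
"Signature valid on original: " + $publicOnly.VerifyData($message, 'SHA256', $signature)

$tampered = [Text.Encoding]::UTF8.GetBytes('order #1234: pay 5000 USD')
"Signature valid on tampered: " + $publicOnly.VerifyData($tampered, 'SHA256', $signature)
```

In a real deployment the CA never sees the private key either: the subject generates the pair on its own machine, and only the public half travels to the CA inside the certificate request (see III.4).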

III. Deploying the CA service on Windows Server 2003

On the Windows Server 2003 operating system the CA is a built-in component (Certificate Services). An enterprise CA, as installed below, requires Active Directory: the server must be a domain member and the installing account needs Enterprise Admins rights.

III.1 Installing the CA service

1. Log on to Windows Server 2003 with Administrator rights.
2. Click Start > Control Panel > Add or Remove Programs. The Add or Remove Programs dialog appears.
3. Click Add/Remove Windows Components. The Windows Components dialog appears; select Certificate Services.
4. Click Details. The Certificate Services dialog appears.
5. A warning appears that, once Certificate Services is installed, the computer cannot be renamed or leave or join a domain; click Yes.
6. On the CA Type page, select Enterprise root CA and click Next.
7. On the CA Identifying Information page, type the server's name in the Common name box and click Next. This becomes the CA's name and is embedded in its certificate, so it cannot be changed afterwards.
8. On the Certificate Database Settings page, keep the default paths in the Certificate database and Certificate database log boxes and click Next.
9. A prompt to stop Internet Information Services appears; click Yes.
10. A prompt to enable Active Server Pages (ASP), needed by web enrollment, appears; click Yes.
11. When installation completes, click Finish.

III.2 Certificate services provided by the Windows Server 2003 CA

- Digital signatures: used to confirm the sender of a message, file or other data. A digital signature by itself does not protect the data in transit; it gives integrity and authentication, not confidentiality.
- Internet authentication: PKI can be used to authenticate both client and server when establishing a connection over the Internet, so the server can identify the client that connects to it and the client can confirm it is connected to the right server.
- IP Security (IPSec): the IPSec extension allows packets to be encrypted and digitally signed, preventing data from being exposed in transit. IPSec on Windows Server 2003 does not require a PKI (peers can also be authenticated with Kerberos or a pre-shared key), but certificates can be used for this purpose.
- Secure e-mail: Internet mail protocols carry messages in clear text, so their content is easily read in transit. With PKI, the sender can protect e-mail by encrypting the content with the recipient's public key, and can sign the message with their own private key.
- Smart card logon: a smart card is a credit-card-sized card containing a chip. Windows Server 2003 can use it as an authentication device: the card holds the user's certificate and private key, allowing the user to log on to any machine in the enterprise with a high level of security.
- Software code signing: Microsoft's Authenticode uses certificates to confirm that software users download and install genuinely comes from its author and has not been modified.
- Wireless network authentication: when deploying a wireless LAN, only correctly authenticated users should be able to join, and nobody should be able to eavesdrop on wireless traffic. The Windows Server 2003 PKI can protect the wireless network by identifying and authenticating users before they gain access.
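The code-signing item above is easy to exercise end to end with PowerShell's built-in Authenticode cmdlets. The script below is an added example, not part of the original report; it assumes a code-signing certificate (for instance from the CA's "Code Signing" template) is already present in the current user's personal store, and the script file it signs is constructed on the spot.

```powershell
# Added example (not from the original report): Authenticode code signing with
# the Set-/Get-AuthenticodeSignature cmdlets. Assumes a code-signing certificate
# issued by the CA is already in Cert:\CurrentUser\My; the signed file is made up.

$script = Join-Path $env:TEMP 'installer.ps1'
"Write-Host 'Installing application...'" | Set-Content -Path $script

# -CodeSigningCert filters the store to certificates with the Code Signing EKU.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Sign: a hash of the file is computed and signed with the publisher's private key;
# the signature block is appended to the file as comments.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null
"After signing:  " + (Get-AuthenticodeSignature -FilePath $script).Status   # Valid (if the CA is trusted)

# Any change after signing (virus, crack, accidental edit) no longer matches the
# signed hash. Rewriting the content keeps the signature block but alters the code.
(Get-Content $script) -replace 'Installing', 'Hijacking' | Set-Content -Path $script
"After tampering: " + (Get-AuthenticodeSignature -FilePath $script).Status   # HashMismatch
```

A status of UnknownError or NotTrusted instead of Valid on the untampered file usually means the issuing CA's certificate is not in the machine's Trusted Root store, which is exactly the check Authenticode is supposed to enforce.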

III.3 Types of CA on Windows Server 2003

Windows Server 2003 has two types of CA:
- Enterprise: Enterprise CAs are integrated with Active Directory. They use certificate templates, publish certificates and CRLs to Active Directory, and use the information in the Active Directory database to accept or reject certificate requests automatically. Because clients of an enterprise CA must reach Active Directory to obtain certificates, enterprise CAs are not well suited to issuing certificates to clients outside the organisation.
- Stand-alone: Stand-alone CAs use neither certificate templates nor Active Directory; they keep their information locally. By default a stand-alone CA does not answer certificate requests automatically the way an enterprise CA does: requests wait in a queue for an administrator to approve or reject them manually.
Whether you create an enterprise CA or a stand-alone CA, you must also specify whether it is a root CA or a subordinate CA.

III.4 Issuing and managing certificates

III.4.1 Automatic issuance (Auto-Enrollment)
Auto-Enrollment lets clients request and receive certificates from the CA automatically, without administrator intervention. It requires a domain running Windows Server 2003, an enterprise CA running on Windows Server 2003, and clients running Windows XP Professional. The auto-enrollment process is controlled by the combination of group policy and certificate templates. By default, Group Policy Objects (GPOs) allow auto-enrollment for all users and computers in the domain. To configure it, open the Autoenrollment Settings policy, found under Windows Settings\Security Settings\Public Key Policies in both the Computer Configuration and User Configuration nodes of the Group Policy Object Editor. In the Autoenrollment Settings Properties dialog you can disable auto-enrollment entirely for the objects covered by this GPO, or allow them to renew and update their certificates automatically.

Another way to control auto-enrollment is to build certificate templates that define the properties of each certificate type explicitly. Templates are managed with the Certificate Templates snap-in (figure not reproduced). With this tool you specify the validity and renewal periods of the chosen certificate type and the cryptographic service provider used for it; on the Security tab you specify which users and groups may request certificates based on the template. The templates that support auto-enrollment are version 2 templates, which only the Enterprise and Datacenter editions of Windows Server 2003 can issue.

When a client requests a certificate, the CA checks the client's Active Directory object to decide whether it holds the permissions needed to receive the certificate (Read and Enroll on the template, plus Autoenroll for automatic issuance). If it does, the CA issues the certificate automatically.

III.4.2 Manual issuance (Manual Enrollment)
Stand-alone CAs cannot use auto-enrollment, so when a stand-alone CA receives a certificate request from a client it stores the request in a queue until an administrator decides whether to issue the certificate. To monitor and process incoming requests the administrator uses the Certification Authority console (figure not reproduced).

In the Certification Authority console, all pending requests appear in the Pending Requests folder. After evaluating the information in each request, the administrator can issue or deny it. The administrator can also view the properties of issued certificates and revoke them when needed.

III.4.3 Ways to request a certificate from the CA
III.4.3.1 Using the Certificates snap-in
The Certificates snap-in is a tool for viewing and managing the certificates of a particular user or computer. Its main window contains folders for all the certificate stores assigned to that user or computer. If the organisation uses enterprise CAs, the snap-in also lets the user request and renew certificates with the Certificate Request Wizard and the Certificate Renewal Wizard.

III.4.3.2 Requesting certificates via the web (Web Enrollment)
When installing Certificate Services on a Windows Server 2003 computer, you can also install the Certificate Services Web Enrollment Support module. It requires IIS to be installed on the computer first. Selecting it during Certificate Services setup creates web pages on the CA computer through which users submit requests for the certificate type they choose.

The Web Enrollment interface is used by users inside or outside the network to reach stand-alone CAs. Because a stand-alone CA does not use certificate templates, the client's request must carry all the information needed for the certificate and about its user. When requesting a certificate through the web interface, clients can choose from a list of predefined certificate types or create an advanced request by filling in all the required information in the web-based form.
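Both the Certificates snap-in and the web pages produce the same thing underneath: a PKCS #10 request sent to the CA, followed by an issued certificate that must be joined to the private key that was generated locally. The script below is an added example, not part of the original report, doing that with certreq.exe, which ships with Windows and Certificate Services. The CA configuration string, the template name, the subject and the file names are assumptions.

```powershell
# Added example (not from the original report): command-line enrollment with
# certreq.exe against the same CA the snap-in and web pages use. Assumed names:
# CA config string "ca01.corp.example\CORP-CA01-CA", template "WebServer",
# subject for the web server www.corp.example.
$caConfig = 'ca01.corp.example\CORP-CA01-CA'
$subject  = 'CN=www.corp.example,O=Corp,C=VN'

# 1. Request definition. The key pair is generated on this machine; only the
#    public key and the subject go into the PKCS #10 request. The private key is
#    marked non-exportable so it cannot be copied off the server.
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path .\www.inf

certreq -new .\www.inf .\www.req

# 2. Submit to the CA. An enterprise CA issues immediately if the template's
#    security allows this account to enroll; a stand-alone CA (or a template set
#    to "CA certificate manager approval") leaves the request in Pending Requests
#    and prints only the request ID.
$submitOutput = (certreq -submit -config $caConfig .\www.req .\www.cer 2>&1) | Out-String
$submitOutput

# 3. If it was pending, retrieve it by request ID once an administrator has
#    clicked Issue; for an immediately issued certificate this is a no-op.
if ($submitOutput -match 'RequestId:\s*(\d+)') {
    certreq -retrieve -config $caConfig $Matches[1] .\www.cer
}

# 4. Join the issued certificate to its private key in the machine store.
certreq -accept .\www.cer

# 5. Verify: the certificate must now report HasPrivateKey = True, otherwise
#    IIS will not be able to use it.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=www.corp.example*' } |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
```

The -retrieve step is what replaces the "go back to the web page and click Download Certificate" step in IV.1, and -accept replaces "Process the pending request and install the certificate" in IIS.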

III.4.4 Revoking certificates
Several events should prompt an administrator to revoke a certificate: the private key has been exposed, an unauthorised user has gained access to the CA, or even simply that you want to reissue the certificate with different parameters, such as a longer key, in which case the previous certificate must be revoked first. A CA maintains a CRL (Certificate Revocation List). Enterprise CAs publish their CRLs in the Active Directory database, so clients can retrieve them with the standard Active Directory access protocol, Lightweight Directory Access Protocol (LDAP). A stand-alone CA stores its CRL as a file on the server's local disk, so clients retrieve it over an Internet protocol such as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP). Each certificate contains the path to the CA's distribution point for CRLs. This path can be changed in the Certification Authority console by opening the CA's Properties dialog and clicking the Extensions tab; note that the new path only appears in certificates issued after the change.

When an application authenticates a client with a certificate, it checks the CRL distribution point named in the certificate to make sure the certificate has not been revoked. If the CRL is not available at its distribution point, a strictly configured application rejects the certificate; many applications, however, treat an unreachable CRL as a soft failure and accept the certificate, so an unreachable distribution point is worth testing rather than assuming.

By selecting the Revoked Certificates folder in the Certification Authority console and opening its Properties dialog, you specify how often a new CRL is published, and you can also configure the CA to publish delta CRLs. A delta CRL lists only the certificates revoked since the last base CRL was published. In an organisation with a large number of certificates, using delta CRLs instead of base CRLs alone saves a considerable amount of bandwidth.
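The revocation steps above (revoke, publish a CRL, set the base and delta CRL schedule, and check a certificate against the distribution point) can all be done without the console. The script below is an added example, not part of the original report; the CA configuration string, the serial number and the file name are assumptions, and the registry value names are those Certificate Services reads on Windows Server 2003.

```powershell
# Added example (not from the original report): revocation and CRL handling with
# certutil.exe. Assumed names: CA config "ca01.corp.example\CORP-CA01-CA", the
# serial number of the certificate to revoke, and the file revoked-user.cer.
$caConfig = 'ca01.corp.example\CORP-CA01-CA'
$serial   = '61f2a0b9000000000007'   # hex serial, as shown in the CA console

# 1. Revoke. Reason codes: 0 Unspecified, 1 KeyCompromise, 2 CACompromise,
#    3 AffiliationChanged, 4 Superseded, 5 CessationOfOperation, 6 CertificateHold.
#    Use 1 when the private key was exposed; 4 when reissuing with a longer key.
certutil -config $caConfig -revoke $serial 1

# 2. Clients only learn about the revocation from a published CRL. Publish a new
#    base CRL now (and a delta CRL, if delta publishing is enabled on the CA).
certutil -config $caConfig -crl

# 3. Publication schedule, equivalent to the Revoked Certificates > Properties
#    dialog: base CRL weekly, delta CRL daily. The service re-reads these
#    registry values when it restarts.
certutil -config $caConfig -setreg CA\CRLPeriodUnits 1
certutil -config $caConfig -setreg CA\CRLPeriod "Weeks"
certutil -config $caConfig -setreg CA\CRLDeltaPeriodUnits 1
certutil -config $caConfig -setreg CA\CRLDeltaPeriod "Days"
net stop certsvc
net start certsvc

# 4. Client-side check: fetch every CRL distribution point URL embedded in the
#    certificate and build the chain. A revoked certificate reports
#    "Certificate is REVOKED"; an unreachable distribution point reports
#    "The revocation function was unable to check revocation", which is the
#    condition a strict client turns into a rejection.
certutil -verify -urlfetch .\revoked-user.cer
```

Run step 4 from a machine other than the CA, because the CA itself can always read its own CRL from local disk and will hide a distribution point that clients on the network cannot reach.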

IV. Deploying network services that use the CA

IV.1 Web service using SSL
SSL (Secure Sockets Layer) is a cryptographic protocol that provides secure communication over the Internet for applications such as web browsing and e-mail. SSL authenticates the endpoints of a connection and creates a private channel over the Internet by encrypting the traffic. Usually only the server is authenticated, meaning that only the end user (person, application or system) knows for certain whom it is "talking" to. For a higher level of security both sides must authenticate each other (mutual authentication), which requires a public key infrastructure (PKI).

1) Service model (diagram not reproduced)
The web server is configured to serve the web site over SSL by obtaining a certificate from the CA service.

2) Configuration
On the web server, request a certificate:
Step 1: Open IIS, right-click the web site to be configured for SSL, choose the Directory Security tab, then Server Certificate.

Step 2: Choose to create a new certificate. Click Next, choose Prepare for request now, but send it later, and save the certificate request to a file.

Step 3: Open Internet Explorer and go to the address of the CA service to request the certificate through the web enrollment pages. Choose Request a Certificate, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. Open the request file saved above, copy its contents and paste them into Saved Request. If the CA does not issue automatically, go to the CA machine and issue (Issue) the pending request. Return to the CA web page and choose Download Certificate to download the issued certificate.

Step 4: Back in IIS, choose Process the pending request and install the certificate to import the certificate obtained above. Then click Edit and select Require secure channel (SSL) so that the site requires SSL for incoming connections.

3) Results
Suppose a web page (content not reproduced) is hosted on the web server and a client connects over HTTP to view it. Without SSL, a packet-capture tool shows the page content in the clear; with SSL the data is encrypted and cannot be read even when the packets are captured.
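Beyond confirming that captured packets are unreadable, a practitioner wants to know that the client actually trusts the certificate IIS presents, since a browser that shows a certificate warning has been trained to click through it. The function below is an added example, not part of the original report; it performs the TLS handshake the way a browser does and reports the server certificate, the negotiated cipher and the chain validation result. The host name is an assumption.

```powershell
# Added example (not from the original report): handshake with the SSL site and
# report what the client sees. Assumed host name www.corp.example.
function Test-SslSite {
    param([string]$HostName, [int]$Port = 443)

    $tcp   = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $state = @{ PolicyErrors = $null }

    # The callback receives the server certificate, the chain Windows built for
    # it and any policy errors (untrusted root, name mismatch, ...). We record
    # the errors and accept anyway so the result can be inspected.
    $validator = {
        param($sender, $cert, $chain, $errors)
        $state.PolicyErrors = $errors
        return $true
    }

    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    try {
        # This overload does not check revocation; see III.4.4 for a CRL check.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer            # should be the enterprise CA
            NotAfter     = $cert.NotAfter
            Protocol     = $ssl.SslProtocol
            Cipher       = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            PolicyErrors = $state.PolicyErrors     # 'None' = chain trusted, name matches
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Test-SslSite -HostName 'www.corp.example'
```

PolicyErrors other than None on a domain-joined client means the CA's root certificate did not reach the client's Trusted Root store (enterprise CAs publish it through Active Directory) or the Common name in the certificate does not match the host name used in the URL. Note also that Windows Server 2003 only speaks SSL 3.0 and TLS 1.0; current clients disable both by default, so this handshake fails against an unpatched 2003 server regardless of the certificate.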

IV.2 IPSec service

IPSec (Internet Protocol Security) is a protocol suite designed to protect data with digital signatures and encryption before it is transmitted. IPSec encrypts the contents of IP packets by encapsulating them, so that even when packets are captured their contents cannot be read. Because IPSec operates at the network layer, it creates a continuous protected channel between the endpoints (end-to-end): data encrypted at the sending machine is decrypted only at the receiving machine. IPSec protocols:

a) IP Authentication Header (AH): does not encrypt anything; it adds an integrity check value over the IP header and payload. AH therefore provides only basic protection: a captured packet can be read, but its contents cannot be altered without detection.

b) IP Encapsulating Security Payload (ESP): encrypts the whole payload of the IP packet, preventing an eavesdropper from reading it as it crosses the network. ESP provides authentication, integrity and encryption of the data.

1) Service model (diagram not reproduced)

In the model above, the FTP server provides file transfer services within the network, and clients connect to it to download and upload files. Before a client can connect it must pass an authentication step; to protect that step, and the contents of the transferred files, the service is integrated with the CA. The CA service supplies the certificates used for authentication between the FTP server and the clients. To make this work, the machine providing the CA service is also the Domain Controller and issues certificates automatically to machines on request.

2) Deployment
This section presents the main steps for creating an IPSec policy that uses the CA for the model above. The policy is created on every machine that must communicate over IPSec.

Step 1: In the IP Security Policy window, create a new policy.

Step 2: Click Next to add a new rule; on the Rule tab click Add to add a list of filters on the IP protocol (IP Filter List).

Step 3: Click Add to add the filters to match. Here we create a filter for the FTP protocol, for authentication between the current machine and all other machines. In From this port, enter 21, the port on which FTP authenticates users. Note that this matches only the FTP control connection; the data connection (port 20, or the passive-mode ports) needs its own filter, or a filter covering all traffic to the server, if the file contents are to be protected as well.

Step 4: Click OK until the Filter Action window appears and choose Require Security, so that IPSec is required whenever FTP authentication takes place.

Step 5: Choose the authentication method: select certificate-based authentication and click Browse to select the CA of the network model above.

Step 6: With the policy just created, choose Assign so the policy takes effect.

3) Results
Suppose client1 connects to the FTP server. Without IPSec, the username and password are visible in a packet capture when the user authenticates (screenshot not reproduced). With IPSec, the packets are encrypted and their contents cannot be read.
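The six wizard steps above have a scriptable equivalent in netsh ipsec, which is present on Windows Server 2003 and Windows XP and is the practical way to push the same policy to every machine. The script below is an added example, not part of the original report; the policy, filter list and filter action names, the CA subject name and the file name are assumptions, and the commands are written to a file and run with netsh -f so that PowerShell's quoting does not interfere with netsh's own syntax.

```powershell
# Added example (not from the original report): the wizard steps of IV.2 as a
# netsh ipsec script, run on the FTP server. Assumed names: policy "FTP-IPSec",
# CA subject "CN=CORP-CA01-CA,DC=corp,DC=example".
$policyScript = @'
# Step 1: the policy container.
ipsec static add policy name="FTP-IPSec" description="Require IPSec for the FTP control channel"

# Steps 2-3: filter list and filter. srcaddr=me / srcport=21 is "From this port: 21"
# on this host; mirrored=yes also matches the replies.
ipsec static add filterlist name="FTP-Control"
ipsec static add filter filterlist="FTP-Control" srcaddr=me dstaddr=any protocol=TCP srcport=21 dstport=0 mirrored=yes

# Step 4: "Require Security": negotiate ESP and never fall back to clear text
# (inpass=no, soft=no). 3DES/SHA1 are what Windows Server 2003 offers.
ipsec static add filteraction name="Require-ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

# Step 5: the rule ties list and action together and authenticates peers with
# certificates from our CA instead of Kerberos.
ipsec static add rule name="FTP-Rule" policy="FTP-IPSec" filterlist="FTP-Control" filteraction="Require-ESP" kerberos=no rootca="CN=CORP-CA01-CA,DC=corp,DC=example"

# Step 6: assign. Only one policy can be assigned on a host at a time.
ipsec static set policy name="FTP-IPSec" assign=y
'@
Set-Content -Path .\ftp-ipsec.txt -Value $policyScript
netsh -f .\ftp-ipsec.txt

# Verify the stored policy, then, after a client has connected, the negotiated
# quick-mode security association for port 21.
netsh ipsec static show policy name="FTP-IPSec" level=verbose
netsh ipsec dynamic show qmsa
```

To cover the FTP data connection as well, add a second filter to the same list (for example srcport=20, or dstaddr=me with no port for all traffic to the server); the rule and filter action do not need to change.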

IV.3 VPN service

A VPN (Virtual Private Network) is a private network that uses a public network (the Internet) to connect sites or users to a central LAN. A VPN allows data to travel between two computers over the public network as if there were a dedicated link between them. To create a point-to-point connection, the data is encapsulated, that is, wrapped with a header that carries routing information; to emulate a private channel, the data is encrypted.

1) Service model (diagram not reproduced)
In this model the VPN service is deployed at the Da Lat office, and users elsewhere, such as Hanoi or Ho Chi Minh City, can connect and reach resources inside the LAN in Da Lat. The VPN protocol is L2TP/IPSec, with authentication by certificates issued by the CA.

2) Deployment
This section explains the role of, and the main configuration on, each computer in the model above.

a. Domain Controller: acts as the control centre, providing name resolution (DNS, Domain Name System) and dynamic IP address assignment (DHCP, Dynamic Host Configuration Protocol). It is also the CA server that issues certificates on request.

b. Web Server: provides the web site to users.

c. IAS: the server that manages remote-access users, i.e. the RADIUS (Remote Access Dial-in User Service) server. It must be installed before use: Control Panel > Add or Remove Programs > Windows Components > Networking Services > Internet Authentication Service. Open the IAS console and create a RADIUS client and a remote access policy specifying which group or users may connect remotely.
- Add the RADIUS client (the VPN server) (screenshot not reproduced).
- Add a new policy allowing users in the VPNUsers group to connect (screenshot not reproduced).

d. VPN Server: the VPN server that accepts connection requests from outside. Main configuration:
Step 1: Open Routing and Remote Access and choose Configure and Enable Routing and Remote Access.
Step 2: Choose Remote Access (dial-up or VPN).
Step 3: Choose VPN.
Step 4: Enter the address of the RADIUS server.
Step 6: Under DHCP Relay Agent, enter the address of the machine providing the DHCP service.

3) Connecting from user machines outside the network
Step 1: Create a network connection of type VPN.
Step 2: Open the connection and enter the username and password of a user permitted to connect.
Step 3: Open Properties, set the VPN type to L2TP/IPSec, click OK and then click Connect.



V. Results and further work

V.1 Results
Through this project the group studied the basics of public key infrastructure (PKI), a model now widely used for network communication; studied and deployed the CA service, an important PKI component, on Windows Server 2003; and finally integrated the CA service with several other network services to build services with a high level of security. The service models above were simulated in a LAN environment. With better network infrastructure they could be deployed on a larger scale over the real Internet. Integration of these services in a Linux environment could also be investigated.

V.2 Further work

Table of contents
I. Introduction
II. Public key infrastructure
II.1 Concept
II.2 Certification Authority (CA)
II.3 Digital certificates
II.3.1 Concept
II.3.2 Benefits of digital certificates
III. Deploying the CA service on Windows Server 2003
III.1 Installing the CA service
III.2 Certificate services provided by the Windows Server 2003 CA
III.3 Types of CA on Windows Server 2003
III.4 Issuing and managing certificates
III.4.1 Automatic issuance (Auto-Enrollment)
III.4.2 Manual issuance (Manual Enrollment)
III.4.3 Ways to request a certificate from the CA
III.4.3.1 Using the Certificates snap-in
III.4.3.2 Requesting certificates via the web (Web Enrollment)
III.4.4 Revoking certificates
IV. Deploying network services that use the CA
IV.1 Web service using SSL
IV.2 IPSec service
IV.3 VPN service
V. Results and further work
V.1 Results
V.2 Further work
