1. Field of the Invention
The present invention relates to a server certificate issuing system which issues a server certificate in response to a server certificate request transmitted from a Web server.
2. Description of the Related Art
In order to securely perform Internet communications between a Web server and a Web browser, SSL (Secure Sockets Layer) using PKI (Public Key Infrastructure) has been put to practical use. In a communication system in which SSL has been introduced, an encryption process is performed by using a server certificate (SSL certificate) issued by a certificate authority (CA), which is a trusted third-party authority, so that spoofing, tampering, sniffing and the like are prevented and more secure Internet communications are assured.
When the certificate authority issues the server certificate, identification of the person requesting the issuance of the server certificate is important. As an identification method, a server certificate issuing system using domain authentication has been put to practical use (for example, see Japanese Patent Laid-Open No. 2005-506737). In this known identification method, when the issuance of a server certificate is requested, a registration server accesses a database of a domain registration server (Whois information) to contact an approver having the authority to approve the issuance of the server certificate for the above described Web server. Whether or not the certificate request is approved is verified using communicating means such as telephone, e-mail or the like, and the certificate is issued only if the approval from the approver is obtained.
Moreover, in the conventional server certificate issuing system, when an application for the issuance of the certificate is made, an applicant generates a PKI key pair, generates a Certificate Signing Request (CSR) file, and submits the application for the issuance of the certificate to the registration server.
In the conventional identification method using the domain authentication, a person having the authority to approve the issuance of the certificate is looked up based on the Whois information, and the identification is performed based on the approval from that approver. However, in an authentication method of the Approver-Email type, only the approval from the person having the authority to approve is obtained, and the existence of the Web server for which the certificate is to be issued is not confirmed, which has caused a security problem. Moreover, identification by e-mail carries a potential risk of causing a security problem in the case where the e-mail has been sniffed or the like. Furthermore, since a registration authority has to access the database of the domain registration server to look up the approver, there has also been the disadvantage that the identification task in the registration authority is complicated. In addition, confirmation of the approval has to be obtained with communicating means such as the telephone, which has become a major impediment to automation of the issuance of the certificate.
Furthermore, in the conventional certificate issuing system, a user has to generate the key pair and then generate the CSR, which has also been pointed out as a disadvantage because it places a large procedural burden on the user.