GM/T 0037-2014 English PDF (GMT0037-2014)
GM/T 0037-2014: Certificate authority system test specification
GM/T 0037-2014
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.: 44642-2014
Certificate authority system test specification
ISSUED ON: FEBRUARY 13, 2014
IMPLEMENTED ON: FEBRUARY 13, 2014
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
1 Scope .. 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Abbreviations .. 6
5 Test object ... 6
6 Test Outline ... 6
7 Test environment .. 6
8 Test content ... 7
8.1 Site .. 7
8.2 Network ... 7
8.3 Post and access management ... 9
8.4 Security management ... 10
8.5 System initialization ... 10
8.6 System functions .. 10
8.7 System performance .. 13
8.8 Data backup and recovery ... 14
8.9 Third-party security products ... 14
8.10 Entry into root .. 15
8.11 Certificate format ... 15
8.12 Certificate chain.. 15
8.13 Algorithm ... 15
8.14 Protocol ... 15
8.15 Documents ... 15
9 Test method .. 15
9.1 Site ... 15
9.2 Network .. 16
9.3 Management of posts and authorization ... 17
9.4 Security management ... 18
9.5 System initialization ... 18
9.6 System functions .. 18
9.7 System performance .. 20
9.8 Data backup and recovery ... 20
9.9 Third-party security products ... 20
9.10 Entry into root .. 21
9.11 Certificate format ... 21
9.12 Certificate chain.. 21
9.13 Algorithm ... 21
9.14 Protocol ... 21
9.15 Documents ... 21
10 Qualification determination ... 21
10.1 Item qualification determination ... 21
10.2 Product qualification determination ... 22
Appendix A ... 23
A.1 Test objective ... 23
A.2 Physical areas and network structure of certificate authority system .. 23
A.3 Hardware and software configuration of certificate authority system ... 23
A.4 Module and function of certificate authority system ... 23
A.5 Test content ... 23
Appendix B ... 31
B.1 The network structure of CA when RA adopts C/S mode ... 31
B.2 The network structure of CA when RA adopts B/S mode .. 31
B.3 The connection between CA and remote RA .. 32
Appendix C ... 33
C.1 Certificate authority system computer room layout ... 33
C.2 Certificate authority system computer room placement diagram ... 33
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this Standard
may be the subject of patent rights. The issuing authority shall not be held
responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of
Cryptography Industry Standardization Technical Committee.
Drafting organizations of this Standard: Changchun Jida Zhengyuan
Information Technology Co., Ltd., Shanghai Gale Software Co., Ltd., National
Information Security Engineering Technology Research Center, Beijing Haitai
Fangyuan Science and Technology Co., Ltd.
Main drafters of this Standard: Liu Ping, Gao Li, Tian Jingqi, Jiang Yulin, Zhang
Baoxin, Li Weiping, Zhao Lili, Zhu Guoxin, Yuan Feng, Tan Wuzheng, An
Xiaojiang, Zhang Wantao, Wu Chenghua.
Certificate authority system test specification
1 Scope
This Standard specifies the test contents and methods for a certificate authority system.
This Standard applies to the inspection of the development or construction of certificate
authentication service operation systems that provide electronic authentication services
for electronic signatures in accordance with GM/T 0034-2014. It may also serve as a
reference for the inspection of other certification systems.
2 Normative references
The following referenced documents are indispensable for the application of this
document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
GM/T 0014 Digital certificate authentication system cryptography protocol
specification
GM/T 0015 Digital certificate format based on SM2 algorithm
GM/T 0034-2014 Specifications of cryptograph and related security technology for
certification system based on SM2 cryptographic algorithm
3 Terms and definitions
The following terms and definitions apply to this document.
3.1 Certificate authentication system; CA
A system that manages the entire life cycle of digital certificates such as issuing,
distributing, updating, and revoking them.
3.2 Registration authority; RA
An authority whose main function is to manage the entire process of digital certificate
registration. It is also known as the registration system.
3.3 CA certificate
A certificate issued to a CA. It can be issued by the CA to itself or by another CA.
The item test environment is the actual environment of the certificate authority system.
8 Test content
8.1 Site
8.1.1 Engineering construction
Engineering construction shall meet the requirements of physical security in 8.5 of
GM/T 0034-2014.
8.1.2 Physical areas
The physical area of the certificate authority system shall be divided into a public area,
a service area, a management area and a core area.
The storage and distribution server for certificates and certificate revocation lists (CRLs),
the LDAP / OCSP query server (if there is an OCSP query server) and its connected
cryptographic machine, the registration management server and its connected
cryptographic machine, the intrusion detection or intrusion prevention detection equipment,
and the vulnerability scanning equipment shall be located in the service area. The
registration management terminal, the registration audit terminal, the certificate / CRL
generation and issuance management terminal, and the intrusion detection or intrusion
prevention management console shall be located in the management area. The certificate /
CRL generation and issuance server and its connected cryptographic machine, the database
server, and the safe holding key backup materials and media shall be placed in the core
area. Firewalls shall be placed between the areas. See Appendix C.
The core area shall be a shielded computer room. The shielding effectiveness shall meet the
requirements of 8.5.2.5 in GM/T 0034-2014.
The areas shall be entered in the following sequence: management area, service area, core
area.
Each device placed in an area shall bear a prominent label showing its name in the system,
such as "issuance server" or "registration server".
Surveillance probes, fire detectors and an access control system shall be installed in each
area, and a monitoring room shall be set up to monitor each area in real time.
This clause applies to the item test only.
8.2 Network
8.2.1 Network structure
b) There shall be corresponding response strategies for security events detected by
vulnerability scanning;
c) The vulnerability repository shall be updated in a timely manner.
8.2.2.4 Virus control
The main security strategies for virus control configured for the system are:
a) Deploy antivirus products on key servers and on operation and management terminals;
b) There shall be corresponding response strategies for security events detected by
antivirus products;
c) The virus repository shall be updated in a timely manner.
8.2.2.5 Cryptographic machine
The cryptographic machine shall be connected to the server via an independent
physical port.
The cryptographic machine shall be the product approved...