11. Rights Issuer Certification
As a prerequisite for issuing a Rights Issuer certificate to the Service Provider, it is assumed that the Service Provider has already generated a Rights Issuer RSA key pair in an environment that satisfies the security requirements stipulated by the Rights Issuer Robustness Rules. A further prerequisite is that the Service Provider has fulfilled Exhibit G of the Service Provider Agreement and communicated it to CMLA. After that has been done, the first-time certification and subsequent re-certifications are done as defined below.
1. The Service Provider creates a self-signed, DER encoded PKCS#10 certificate request [PKCS#10], burns a DVD-R containing the request, and sends the DVD-R to CMLA. This request SHALL be signed using sha-1WithRSAEncryption as defined in [RFC3279]. The file naming convention is “Rights_Issuer_*_##.p10”, where * is replaced with the Service Provider’s name and ## is replaced with a two digit number. The Service Provider also submits the Rights Issuer Certificate ordering form to CMLA via signed email and the original via regular courier. This ordering form will include the SHA1 hash of the public key (the PKCS#1 RSAPublicKey structure in the subjectPublicKey field) inside the PKCS#10 file (20 bytes, encoded in hexadecimal).
2. CMLA will review and verify each request submitted. After verification, CMLA generates an invoice.
3. The invoice is sent via email and hard copy to the Service Provider.
4. Service Provider makes payment on invoice.
5. Upon receipt of payment on the invoice, CMLA processes the order and responds. Order processing includes comparing the hash value provided in the Rights Issuer Certificate ordering form against the hash value calculated over the public key to be certified. If none of the verifications fail, CMLA creates, according to the certificate request, a Rights Issuer Certificate and delivers it together with the corresponding Rights Issuer CA Certificate to the Service Provider on a DVD-R.
The file naming convention for the Rights Issuer Certificate is “Rights_Issuer_*_##.der”, where * is replaced with the Service Provider’s name and ## is replaced with the two digit number. The file contains the DER encoding of the Rights Issuer Certificate.
The file naming convention for the Rights Issuer CA Certificate is “Rights_Issuer_CA_Certs.der”. The file contains the DER encoding of the Rights Issuer CA Certificate.
6. CMLA registers the necessary information, such as the certificate issued by the RI CA, the request data, and the certificate delivery data, in its certificate database.
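The hash that step 1 asks the Service Provider to write on the ordering form, and that CMLA recomputes in step 5, is a SHA-1 over the DER PKCS#1 RSAPublicKey carried inside the request's subjectPublicKey BIT STRING (after the unused-bits octet), not over the whole SubjectPublicKeyInfo or the whole .p10 file. The Python below is an added example and not code from the CMLA specification: a minimal DER walker that pulls that structure out of a PKCS#10 file, checks that the key algorithm is rsaEncryption and that the outer signatureAlgorithm is the sha-1WithRSAEncryption OID this 2010 specification mandates (the check exists because the spec requires that OID, not because SHA-1 is a sound choice today), and runs the filename and form-hash comparison from CMLA's side. The request it parses is constructed in-line from a demo 256-bit modulus and a zero-filled placeholder signature, so no real key is involved and the request is not validly signed; function names such as verify_order and cmla_public_key_hash are my own.

```python
"""Added example (not from the CMLA spec): recompute the ordering-form hash
from a DER PKCS#10 request and run the CMLA-side checks of step 5.
Demo key and placeholder signature below are constructed values, not real."""
import hashlib
import re

# OID contents (no DER tag/length): rsaEncryption and sha-1WithRSAEncryption
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_SHA1_WITH_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
FILENAME_RE = re.compile(r"^Rights_Issuer_.+_\d{2}\.p10$")   # Rights_Issuer_*_##.p10

def _tlv(tag, value):
    """Encode one DER TLV (definite length, long form above 127 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def _der_int(i):
    """DER INTEGER for a non-negative int (0x00 pad when the high bit is set)."""
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _tlv(0x02, b)

def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_public_key_from_pkcs10(der):
    """Return the PKCS#1 RSAPublicKey DER carried in the request's subjectPublicKey."""
    tag, request, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, info = _children(request)[0]                 # certificationRequestInfo
    _, spki = _children(info)[2]                    # version, subject, subjectPKInfo
    (_, alg), (bs_tag, bitstring) = _children(spki)[:2]
    if _children(alg)[0] != (0x06, OID_RSA_ENCRYPTION):
        raise ValueError("subjectPublicKeyInfo algorithm is not rsaEncryption")
    if bs_tag != 0x03 or bitstring[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    return bitstring[1:]                            # strip the unused-bits octet

def signature_algorithm_ok(der):
    """True when the outer signatureAlgorithm is sha-1WithRSAEncryption, as required."""
    _, request, _ = _read_tlv(der, 0)
    _, sig_alg = _children(request)[1]
    return _children(sig_alg)[0] == (0x06, OID_SHA1_WITH_RSA)

def cmla_public_key_hash(der):
    """20-byte SHA-1 over the RSAPublicKey structure, hex-encoded for the ordering form."""
    return hashlib.sha1(rsa_public_key_from_pkcs10(der)).hexdigest()

def verify_order(filename, der, form_hash):
    """CMLA-side checks from step 5; returns a list of problems (empty means accept)."""
    problems = []
    if not FILENAME_RE.match(filename):
        problems.append("filename does not follow Rights_Issuer_*_##.p10")
    if not signature_algorithm_ok(der):
        problems.append("request is not signed with sha-1WithRSAEncryption")
    if cmla_public_key_hash(der) != form_hash.strip().lower():
        problems.append("ordering-form hash does not match the public key in the request")
    return problems

# Constructed demo values: NOT a real key pair and NOT a valid signature.
DEMO_MODULUS = 0xC7A1F5B3E2D4096B8F7E1A2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3E4F5A7
DEMO_EXPONENT = 65537

def build_demo_request():
    """Build a PKCS#10 request around the demo key; returns (request DER, RSAPublicKey DER)."""
    rsa_public_key = _tlv(0x30, _der_int(DEMO_MODULUS) + _der_int(DEMO_EXPONENT))
    rsa_alg = _tlv(0x30, _tlv(0x06, OID_RSA_ENCRYPTION) + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" + rsa_public_key))
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Example RI"))
    subject = _tlv(0x30, _tlv(0x31, cn))
    info = _tlv(0x30, _der_int(0) + subject + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, _tlv(0x06, OID_SHA1_WITH_RSA) + _tlv(0x05, b""))
    placeholder_sig = _tlv(0x03, b"\x00" * 33)      # where the real RSA signature would go
    return _tlv(0x30, info + sig_alg + placeholder_sig), rsa_public_key

if __name__ == "__main__":
    request, _ = build_demo_request()
    print("hash for the ordering form:", cmla_public_key_hash(request))
    print("CMLA checks:", verify_order("Rights_Issuer_Example_01.p10", request,
                                       cmla_public_key_hash(request)))
```

Against a real request, read the bytes of Rights_Issuer_*_##.p10 and pass them to cmla_public_key_hash; the value can be cross-checked with OpenSSL by extracting the key as PKCS#1 DER and hashing it (openssl req -inform DER -in the_file.p10 -noout -pubkey | openssl rsa -pubin -RSAPublicKey_out -outform DER | openssl sha1). The parser deliberately refuses a BIT STRING with a non-zero unused-bits octet or a non-RSA algorithm rather than hashing whatever it finds, since a mismatch there is exactly what the step 5 comparison is meant to catch.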
CMLA Root CA Certificates are delivered to Service Providers in the same way as to the Client Adopters (check chapter 10.1 step 2 for details).
Source: CMLA Technical Specification V1.31-20101209
Ah, reposting this is probably illegal, but I was so frustrated ㅠ