Joint efforts of CerSign Technology and ZoTrus Technology

SM2 Automatic Certificate Management Ecosystem (SM2 ACME)

Automatic deployment of SSL certificates is an inevitable trend
Deploying the SM2 SSL certificate is a MUST, and automatic deployment of the SM2 SSL certificate is also inevitable
Create the SM2 automatic certificate management ecosystem
Localized deployment of SM2 automatic certificate management system

1. Automatic deployment of SSL certificates is an inevitable trend

According to the statistics of Google's Certificate Transparency log system, as of January 06, 2023, there were 792.39 million valid SSL certificates in the world, of which 663.48 million were DV SSL certificates that validate only control of the domain name. Among these, 564.82 million were 90-day DV SSL certificates issued automatically under the ACME standard, accounting for 85.13%. These figures show that users strongly prefer free SSL certificates that are applied for and deployed automatically.

"ACME" is the abbreviation of Automated Certificate Management Environment, an international standard (RFC 8555) for automatically applying for and deploying SSL certificates; it defines the protocol between the ACME client and the ACME server. At present, major CAs around the world have begun to support the ACME protocol to provide users with automatic SSL certificate management services, and automated application and deployment now accounts for 70% or more of all SSL certificate applications. This is clearly an inevitable trend, because users need to implement https encryption simply and easily.

2. Deploying the SM2 SSL certificate is a MUST, and automatic deployment of the SM2 SSL certificate is also inevitable

At present, the SSL certificates provided by CA operators who follow the ACME protocol to offer free SSL certificates are all RSA/ECC algorithm certificates. However, China's Cryptography Law requires that all critical information infrastructures (CII) deploy SM2 SSL certificates to cope with the current international environment, ensuring that even if an RSA algorithm certificate is revoked or its supply is cut off, the normal encrypted operation of important website systems is not affected. Since deploying SM2 SSL certificates is necessary, systems that do not support the SM2 algorithm must undergo cryptographic reconstruction, which has become a must for every CII system.

However, since https encryption involves multiple systems, namely SSL certificates, browsers, Web servers, WAF systems or services, and CDN systems, implementing SM2 HTTPS encryption requires that the CA system can issue SM2 SSL certificates, that browsers support the SM2 algorithm, that the Web server supports the SM2 algorithm and the SM2 SSL certificate, and that the WAF device or cloud WAF service and the CDN network system also support the SM2 algorithm and the SM2 SSL certificate. Transforming the whole PKI-based ecosystem to support the SM2/SM3/SM4 algorithms is a big project. Now some browsers support the SM2 algorithm, including the completely free ZT Browser, and some CA operators can already issue SM2 SSL certificates. However, transforming the Web server is not so easy, because there are many kinds of web server software, including Microsoft's IIS, IBM's WebSphere, Oracle's WebLogic, Apache, Tomcat and Nginx. Most of them are proprietary software that provides no interface for such transformation at all! Only the open-source Nginx is relatively convenient to modify to support the SM2 algorithm and SM2 SSL certificates.

That is to say, since deploying SM2 SSL certificates is a MUST and involves the SM2 transformation of various systems, automatic deployment of SM2 SSL certificates for https encryption is necessary in order to reduce the cost and cycle of transforming each system. Yes, it is inevitable. The SM2 SSL certificate should have a fully automated deployment solution just like the RSA/ECC SSL certificate, providing technical support for the deployment of SM2 https encryption.

3. To create SM2 automatic certificate management solutions and ecological products

The ACME standard covers only the automatic deployment of RSA/ECC SSL certificates; it does not support automatic deployment of SM2 SSL certificates. To realize automatic deployment of SM2 SSL certificates, providing only an automatic certificate management environment (ACME) is not enough: it must be an SM2 automatic certificate management ecosystem (SM2 ACME) in which all related products support the SM2 algorithm, not merely the configuration of a single SSL certificate.

CerSign Technology and ZoTrus Technology are vigorously building an SM2 automatic certificate management ecosystem, and have successfully developed the core products and systems that the ecosystem must be equipped with, as shown in the figure below, including:

  • The SM2 ACME Service System is one of the important components of the ZoTrus Cloud SSL System. It is responsible for connecting with the SM2 ACME Client and issuing SM2 SSL certificates that support SM2 certificate transparency and ECC SSL certificates that support international certificate transparency.
  • The SM2 ACME Client, with a built-in SM2 algorithm module, is installed on the web server and is responsible for connecting to the SM2 ACME Service System to automatically apply for and deploy dual-algorithm dual SSL certificates.
  • The SM2 Certificate Transparency Log System is responsible for providing the SM2 certificate transparency service for the SM2 SSL certificates issued by the ZoTrus Cloud SSL System.
  • The SM2 SSL certificate and ECC SSL certificate: dual algorithms, both supporting certificate transparency, used by browsers to select the encryption algorithm adaptively for https encryption.
  • The SM2 browser, ZT Browser, which is currently the world's first free SM2 browser that supports SM2 certificate transparency. It preferentially uses the SM2 algorithm to implement https encryption and also supports the ECC and RSA algorithms.
  • The SM2 HTTPS Automation Gateway, an HTTPS encryption and decryption offloading hardware gateway with an integrated SM2 ACME client for localized deployment, so that the web server does not need to install ACME client software and SM2 https encryption is realized automatically with zero reconstruction.
  • ZoTrus Website Security Cloud Service, an innovative cloud service based on Alibaba Cloud CDN+WAF that automatically configures the SM2 SSL certificate and ECC SSL certificate to realize SM2 https encryption, so that users need neither install the SM2 ACME client on the server nor deploy the SM2 HTTPS Automation Gateway, yet still automatically obtain, with zero reconstruction, four-in-one website security protection: SM2 https encryption, cloud WAF protection, CDN distribution and website trusted certification.

These six SM2 automatic certificate management ecological products form a self-contained system, an application ecosystem that realizes automatic SM2 https encryption and lets website systems and IoT device systems implement https encryption automatically to meet the cryptography compliance and global trust requirements of different users. ZoTrus Technology and CerSign Technology not only provide the ecological products and solutions, but also open up this ecosystem, so that application providers who need SSL certificates to implement https encryption can easily join it, quickly realize automatic deployment of SM2 SSL certificates and ECC SSL certificates, implement adaptive algorithm encryption, and support https encryption for all browsers and all devices.

The figure below is a schematic diagram of how the various products in the entire SM2 SSL certificate automatic management ecosystem connect. The ZoTrus Cloud SSL System and the SM2 ACME Service System provide certificate application, certificate issuance and certificate revocation services, and websites automatically deploy dual-algorithm dual SSL certificates through the SM2 ACME Client to implement adaptive algorithm https encryption. The left part of the figure is the SM2 https encryption system. When website visitors access the website using the SM2 browser, https encryption is implemented with the SM2 algorithm, and ZT Browser displays the padlock and the SM2 encryption icon. The SM2 CRL service provides the SM2 certificate revocation query service for the SM2 SSL certificate, and the SM2 Certificate Transparency Log System provides the SM2 certificate transparency service for the SM2 SSL certificate. The right part of the figure is the ECC algorithm https encryption system. When website visitors access the website using a non-SM2 browser (such as Google Chrome), the ECC algorithm is used to implement https encryption, and Google Chrome displays the padlock only. The ECC CRL service provides the ECC certificate revocation query service for ECC SSL certificates, and the ECC Certificate Transparency Log System provides the ECC certificate transparency service for ECC SSL certificates.

3.1 SM2 ACME Service System and ZoTrus Cloud SSL system

The ZoTrus Cloud SSL System is responsible for interfacing with the SM2 ACME Service System and issuing both SM2 SSL certificates and ECC SSL certificates for end users. The SM2 ACME Service System is responsible for connecting with the SM2 ACME Client, accepting identity verification, certificate applications and certificate revocation applications from the ACME Client, and returning the dual SSL certificates issued by the ZoTrus Cloud SSL System after domain name validation is completed to the SM2 ACME Client, which can then automatically deploy the received dual SSL certificates on the Web server.

Please note that the ACME Service System does not issue only the SM2 SSL certificate. After the ACME server receives an SSL certificate application from the ACME Client, it issues 3 SSL certificates to the ACME Client by default: one ECC algorithm SSL certificate, one SM2 signature SSL certificate and one SM2 encryption SSL certificate. The SM2 ACME Client deploys all 3 SSL certificates on the Web server to realize https encryption with an adaptive encryption algorithm, meeting the requirements of both cryptography compliance and global trust.

3.2 SM2 Certificate Transparency Log System

The ZoTrus SM2 Certificate Transparency Log System is responsible for providing the SM2 certificate transparency log service to the ZoTrus Cloud SSL System when it issues an SM2 SSL certificate: it returns the certificate transparency signature data (SCT) for the submitted precertificate of the SM2 SSL certificate to the ZoTrus Cloud SSL System, which embeds the SCT data into the SM2 SSL certificate and then delivers it to the SM2 ACME Service System.

The ZoTrus Cloud SSL System simultaneously submits the ECC signing request to the Sectigo CA system to obtain the issued ECC SSL certificate with SCT data that meets browser requirements, and delivers the issued ECC SSL certificate together with the SM2 SSL certificate to the SM2 ACME Service System.

3.3 SM2 Certificate Revocation List Service

The ZoTrus SM2 Certificate Revocation List Service system provides certificate revocation query services for the SM2 SSL certificates issued by the ZoTrus Cloud SSL System. If the SM2 ACME Service System receives a certificate revocation application from the SM2 ACME Client, it submits the revocation request to the ZoTrus Cloud SSL System after completing verification; the ZoTrus Cloud SSL System then re-signs the revocation list and publishes it to the ZoTrus SM2 certificate revocation list service system, where it takes effect. Since all certificates delivered to the end user are dual certificates, the certificate revocation application also revokes the ECC SSL certificate at the same time and publishes it to the related certificate revocation list service system.

3.4 SM2 ACME client - SM2cerBot

SM2cerBot is developed with reference to the ACME international standard. It not only realizes automatic application for SM2 SSL certificates and ECC SSL certificates, but also integrates the SM2 algorithm support module into the Web server, allowing users to implement certificate application, certificate deployment and SM2 algorithm support with one click. Once the certificates are installed successfully, it keeps running to make sure the system works normally and automatically renews the certificate 3 days in advance, ensuring uninterrupted https encryption of the website and continuous, reliable operation of the business system, so that the business is not interrupted by an expired certificate that was not renewed because of manual negligence.

Please note that the ACME Client is not only responsible for applying for and deploying SM2 SSL certificates. The ACME Client submits the SM2 SSL certificate request and the ECC SSL certificate request to the ACME server at the same time. After receiving the issued SM2 SSL certificate and ECC SSL certificate, it deploys three SSL certificates at the same time: one ECC algorithm SSL certificate, one SM2 signature SSL certificate and one SM2 encryption SSL certificate. It does not deploy only the SM2 SSL certificate; the 3 SSL certificates are used for adaptive encryption algorithm https encryption to meet the requirements of cryptography compliance and global trust.
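To show what the client side of sections 3.1 and 3.4 has to handle, here is an added example (not ZoTrus or SM2cerBot code): a small DER walker that classifies each certificate in a returned bundle by its named-curve OID (SM2 versus P-256), confirms the bundle holds one ECC and two SM2 certificates, and applies the 3-day renewal threshold. The sample certificates are constructed, unsigned placeholders built inside the block; the example does not distinguish the SM2 signing certificate from the SM2 encryption certificate, which would require reading the KeyUsage extension.

```python
# Added example (not ZoTrus/CerSign code): classify the 3-certificate bundle an
# SM2 ACME server returns and apply SM2cerBot's 3-day renewal rule to it.
from datetime import datetime, timedelta, timezone

# OID content bytes, compared raw so no OID decoder is needed
SM2_CURVE = bytes.fromhex("2a811ccf5501822d")   # 1.2.156.10197.1.301 (SM2)
P256_CURVE = bytes.fromhex("2a8648ce3d030107")  # 1.2.840.10045.3.1.7 (P-256)
EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")     # 1.2.840.10045.2.1 (ecPublicKey)
ROLE = {SM2_CURVE: "sm2", P256_CURVE: "ecc"}

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n, ln = ln & 0x7F, 0
        for _ in range(n):
            ln, pos = (ln << 8) | buf[pos], pos + 1
    return tag, buf[pos:pos + ln], pos + ln

def _children(body):
    """Split the body of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def describe(cert_der):
    """Return (role, notAfter) of a DER X.509 cert; role is ecc, sm2 or other."""
    fields = _children(_children(_tlv(cert_der)[1])[0][1])  # TBSCertificate
    if fields[0][0] == 0xA0:                         # skip explicit [0] version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, when = _children(fields[3][1])[1]           # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    alg = _children(_children(fields[5][1])[0][1])   # SPKI AlgorithmIdentifier
    role = "other"
    if alg[0][1] == EC_PUBKEY and len(alg) > 1 and alg[1][0] == 0x06:
        role = ROLE.get(alg[1][1], "other")          # named curve decides SM2 vs ECC
    return role, datetime.strptime(when.decode(), fmt).replace(tzinfo=timezone.utc)

def check_bundle(certs_der, now, renew_days=3):
    """Return (bundle is one ECC + two SM2 certs, renewal due within renew_days)."""
    info = [describe(der) for der in certs_der]
    complete = sorted(r for r, _ in info) == ["ecc", "sm2", "sm2"]
    return complete, min(t for _, t in info) - now <= timedelta(days=renew_days)

# Constructed, unsigned placeholder certificates for offline testing (not real certs).
def _enc(tag, body):                                 # DER TLV; bodies under 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample_cert(curve, not_after="250801000000Z"):
    sig_alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    spki = _enc(0x30, _enc(0x30, _enc(0x06, EC_PUBKEY) + _enc(0x06, curve))
                + _enc(0x03, b"\x00\x04" + b"\x11" * 64))                   # dummy EC point
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + sig_alg
               + _enc(0x30, b"") + _enc(0x30, _enc(0x17, b"230101000000Z") + _enc(0x17, not_after.encode()))
               + _enc(0x30, b"") + spki)
    return _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00" + b"\x22" * 8))  # dummy signature
```

On a real server the bundle would be the DER of the three PEM certificates the client received, and the same check can run before each deployment and in the renewal cron job.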

3.5 SM2 browser - ZT Browser

ZT Browser is currently the only SM2 browser that supports SM2 certificate transparency. After users successfully install the SM2 ACME Client and finish the SSL certificate deployment, it is strongly recommended to download and use ZT Browser to verify the effect of the dual SSL certificate deployment; ZT Browser will use the SM2 algorithm to realize https encryption. It is also recommended to compare the result with other browsers: browsers that do not support the SM2 algorithm and SM2 certificate transparency can only use the ECC algorithm to implement https encryption.

It is recommended that users purchase OV SSL certificates or EV SSL certificates, or buy the ZoTrus Website Security Cloud Service, so that the address bar of ZT Browser is displayed as a green address bar, which enhances online trust and facilitates more online business.

3.6 SM2 HTTPS Automation Gateway

The ZoTrus SM2 HTTPS Automation Gateway is an https security gateway that supports automatic configuration of dual SSL certificates to implement https encryption through its built-in SM2 ACME client, enabling users to implement SM2 https encryption with zero reconstruction while remaining compatible with international algorithm https encryption. Its very high HTTPS encryption performance and fast offloading not only remove the need to upgrade the existing Web server and install an SSL certificate on it, but also greatly reduce the http load on the Web server by taking over the entire HTTPS encryption burden, so that the Web server can be dedicated to serving the business system and the business system runs more smoothly.

The ZoTrus SM2 HTTPS Automation Gateway has a built-in ACME client that automatically connects to the ZoTrus Cloud SSL System to complete the application and automatic configuration of the dual SSL certificates, which greatly reduces the workload of IT administrators and completely avoids business interruption caused by forgetting to renew SSL certificates. Set up once and for all, high-performance and uninterrupted, the ZoTrus SM2 HTTPS Automation Gateway provides high-speed https encryption services with an adaptive encryption algorithm for the website system, meeting the requirements of cryptography compliance, cyber security compliance and global trust.

4. Localized Deployment of SM2 SSL Certificate Automatic Management System

The SM2 Automatic Certificate Management System not only solves the automatic management of SM2 SSL certificates and ECC SSL certificates for a single website, but is also especially suitable for organizations and Internet companies with a large number of servers that need SSL certificates, and in particular for e-government cloud platforms, where thousands or even tens of thousands of website systems need SSL certificates, especially SM2 SSL certificates, to meet cryptography compliance requirements.

To automatically deploy dual-algorithm SSL certificates for thousands or tens of thousands of websites without affecting the normal operation of existing systems, and to automatically implement adaptive encryption algorithm https encryption, the SM2 Automatic Certificate Management System needs to be deployed locally on the local cloud platform, with some supporting systems customized and developed according to the specific requirements of that cloud platform. This achieves full automation, zero reconstruction, zero maintenance, zero impact and a seamless switch from http to https, realizing https encryption for all website systems for cryptography compliance and global trust.

Click here to learn more details; organizations interested in implementing automatic management of SSL certificates with localized deployment are welcome to contact us, and we will customize the implementation plan for you.