SM2 Automatic Certificate Management Ecosystem (SM2 ACME)

Automatic deployment of SSL certificates is an inevitable trend
It is a MUST to deploy the SM2 SSL certificate, and the automatic deployment of the SM2 SSL certificate is also inevitable
Building the SM2 automatic certificate management ecosystem

1. Automatic deployment of SSL certificates is an inevitable trend

"ACME" is the abbreviation of Automated Certificate Management Environment, an international standard (RFC 8555) for automatically applying for and automatically deploying SSL certificates, including the protocol standards for the ACME client and the ACME server. At present, major CAs around the world have begun to support the ACME protocol to provide users with automatic SSL certificate management services. Automated application and deployment already accounts for 85% or more of all SSL certificate applications. It can be seen that this is an inevitable trend, because users need to implement https encryption simply and easily.

2. It is a MUST to deploy the SM2 SSL certificate, and the automatic deployment of the SM2 SSL certificate is also inevitable

At present, the SSL certificates provided by CA operators who follow the ACME protocol are all RSA/ECC algorithm certificates. However, the China Cryptography Law requires that all critical information infrastructures (CII) must deploy SM2 SSL certificates to cope with the current international environment, ensuring that even if the RSA algorithm certificate is revoked or its supply is interrupted, the normal encrypted operation of important website systems is not affected. Since the deployment of SM2 SSL certificates is necessary, cryptography reconstruction of systems that do not support the SM2 algorithm is necessary too, and this has become a must for all CII systems.

However, https encryption involves multiple systems: SSL certificates, browsers, Web servers, WAF devices or services, and CDN systems. To implement SM2 HTTPS encryption, the CA system must be able to issue SM2 SSL certificates, browsers must support the SM2 algorithm, the Web server must support the SM2 algorithm and the SM2 SSL certificate, and the WAF device or cloud WAF service and the CDN network system must also support the SM2 algorithm and the SM2 SSL certificate. Transforming the whole PKI-based ecosystem to support the SM2/SM3/SM4 algorithms is a big project. Some browsers now support the SM2 algorithm, including the completely free ZT Browser, and some CA operators can already issue the SM2 SSL certificate. However, the Web server transformation is not so easy, because there are various Web server products, including Microsoft's IIS, IBM's WebSphere, Oracle's WebLogic, Apache, Tomcat, Nginx, etc. Most of these Web servers are proprietary software that provides no interface for such a transformation at all! Only the open-source Nginx is reasonably convenient to modify to support the SM2 algorithm and the SM2 SSL certificate.

That is to say, since the deployment of SM2 SSL certificates is a MUST, and since the SM2 transformation of many systems is involved, the automatic deployment of SM2 SSL certificates for https encryption is necessary in order to reduce the cost and cycle of the SM2 transformation of each system. Yes, it is inevitable. The SM2 SSL certificate should have a fully automated deployment solution just like the RSA/ECC SSL certificate, providing technical support for the deployment of SM2 https encryption.

3. Building SM2 automatic certificate management solutions and ecological products

The ACME standard only covers the automatic deployment of RSA/ECC SSL certificates; it does not support the automatic deployment of SM2 SSL certificates. To realize SM2 SSL certificate automatic deployment, it is not enough to provide only an automatic certificate management environment (ACME); it must be an SM2 automatic certificate management ecosystem (SM2 ACME) in which all related products support the SM2 algorithm, rather than merely configuring one SSL certificate.

ZoTrus Technology is vigorously building an SM2 automatic certificate management ecosystem based on the SM2 Certificate Transparency Ecosystem, and has successfully developed the core products and systems that the ecosystem must be equipped with, as shown in the figure below, including:

  • The SM2 ACME Service System, one of the important components of the ZoTrus Cloud SSL System. It is responsible for connecting with the SM2 ACME Client and issuing SM2 SSL certificates that support SM2 certificate transparency and ECC SSL certificates that support international certificate transparency.
  • The SM2 ACME Client, with a built-in SM2 algorithm module, installed in the Web server and responsible for connecting to the SM2 ACME Service System to automatically apply for and deploy dual-algorithm dual SSL certificates.
  • The SM2 Certificate Transparency Log System, which is responsible for providing the SM2 certificate transparency service for the SM2 SSL certificates issued by the ZoTrus Cloud SSL System.
  • The SM2 SSL certificate and ECC SSL certificate, two algorithms, both supporting certificate transparency, used by the browser's adaptive algorithm selection to realize https encryption.
  • ZT Browser, currently the world's first free SM2 browser that supports SM2 certificate transparency. It preferentially uses the SM2 algorithm to implement https encryption and also supports the ECC and RSA algorithms.
  • The SM2 HTTPS Automation Gateway, an HTTPS encryption and decryption offloading hardware gateway with an integrated SM2 ACME client for local deployment, so that the Web server does not need to install ACME client software and SM2 https encryption is realized automatically with zero reconstruction.
  • The SM2 HTTPS Automation Cloud Service, an innovative cloud service based on Alibaba Cloud CDN+WAF that automatically configures the SM2 SSL certificate and ECC SSL certificate to realize SM2 https encryption, so that users neither need to install the SM2 ACME Client on the server nor deploy the SM2 HTTPS Automation Gateway, and still automatically obtain the four-in-one website security protection of SM2 https encryption, cloud WAF protection, CDN distribution and website trusted certification with zero reconstruction.

(Figure: Building SM2 automatic certificate management solutions and ecological products)

These seven SM2 automatic certificate management ecological products form a self-contained system, an application ecosystem that realizes automatic SM2 https encryption and enables website systems and IoT device systems to implement https encryption automatically, meeting the cryptography compliance and global trust requirements of different users. In this ecosystem, the ZoTrus Cloud SSL System and the SM2 ACME Service System provide certificate application, certificate issuance and certificate revocation services, and the dual-algorithm dual SSL certificates are deployed automatically by the SM2 ACME Client in the Web server, in the SM2 HTTPS Automation Gateway, or in the SM2 HTTPS Automation Cloud Service, to implement adaptive-algorithm https encryption. When website visitors access the website using an SM2 browser, https encryption is implemented with the SM2 algorithm, and ZT Browser displays the https padlock together with the SM2 encryption icon. When website visitors access the website using a non-SM2 browser (such as Google Chrome), https encryption is implemented with the ECC algorithm, and Google Chrome displays the padlock only.
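The page states that an SM2 browser gets SM2 encryption while Google Chrome gets ECC, and that the ACME client deploys three certificates (one ECC, one SM2 signature, one SM2 encryption), but it does not describe how the server or gateway decides which certificate set to present. The following is an added illustration, not ZoTrus code, of the decision a TLS front end has to make from the ClientHello: a TLCP client (GB/T 38636-2020, protocol version 0x0101, cipher suites such as ECC_SM4_GCM_SM3 0xE053) or a TLS 1.3 client offering the RFC 8998 SM suites (TLS_SM4_GCM_SM3 0x00C6, TLS_SM4_CCM_SM3 0x00C7) with the sm2sig_sm3 (0x0708) signature scheme is served the SM2 signing/encryption certificate pair, everything else is served the ECDSA certificate. The wire identifiers are the published values; the ClientHello builder, the parser and the certificate file names are constructed for this example and are not the product's.

```python
"""Pick the certificate set to serve from a ClientHello (added illustration)."""
import os
import struct

# Wire identifiers. TLCP values come from GB/T 38636-2020, the TLS 1.3 SM
# values from RFC 8998. They describe the protocols, not the ZoTrus products.
TLCP_VERSION = 0x0101
TLS12_VERSION = 0x0303            # legacy_version also used by TLS 1.3 clients
TLCP_SUITES = {0xE011, 0xE013, 0xE051, 0xE053}   # ECDHE/ECC_SM4_CBC/GCM_SM3
TLS13_SM_SUITES = {0x00C6, 0x00C7}               # TLS_SM4_GCM_SM3, TLS_SM4_CCM_SM3
SIG_SM2SIG_SM3 = 0x0708
EXT_SIGNATURE_ALGORITHMS = 13

# Constructed inventory standing in for the three certificates the ACME client
# deploys. The file names are placeholders, not real paths.
CERT_SETS = {
    "sm2": ("sm2_sign.pem", "sm2_enc.pem"),   # TLCP dual certificate
    "ecc": ("ecc.pem",),                       # ECDSA certificate for TLS
}


def build_client_hello(version, suites, sig_algs=()):
    """Build a minimal ClientHello handshake message (constructed test input)."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if sig_algs:
        data = struct.pack("!H", 2 * len(sig_algs))
        data += b"".join(struct.pack("!H", a) for a in sig_algs)
        exts += struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello


def parse_client_hello(msg):
    """Return (legacy_version, cipher suites, signature schemes) from a ClientHello."""
    if not msg or msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    version = struct.unpack("!H", body[:2])[0]
    pos = 34                                  # skip version (2) + random (32)
    pos += 1 + body[pos]                      # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                      # compression_methods
    sig_algs = []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SIGNATURE_ALGORITHMS:
                n = struct.unpack("!H", data[:2])[0]
                sig_algs = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
    return version, suites, sig_algs


def select_cert_set(msg):
    """Return "sm2" for clients that can negotiate SM2/SM4/SM3, otherwise "ecc"."""
    version, suites, sig_algs = parse_client_hello(msg)
    if version == TLCP_VERSION and TLCP_SUITES.intersection(suites):
        return "sm2"                          # TLCP browser: serve sign + enc certs
    if TLS13_SM_SUITES.intersection(suites) and SIG_SM2SIG_SM3 in sig_algs:
        return "sm2"                          # RFC 8998 client: SM2 cert over TLS 1.3
    return "ecc"                              # Chrome and other non-SM2 browsers


if __name__ == "__main__":
    for name, hello in [
        ("tlcp browser", build_client_hello(TLCP_VERSION, [0xE013, 0xE053])),
        ("chrome-like", build_client_hello(TLS12_VERSION, [0x1301, 0xC02B], [0x0403])),
    ]:
        chosen = select_cert_set(hello)
        print(f"{name}: serve {chosen} -> {CERT_SETS[chosen]}")
```

A real gateway makes this choice inside its TLS stack rather than by hand-parsing, and the ECC branch also has to present the SCT-bearing ECC certificate the page describes so that Chrome's certificate transparency check passes; the example only isolates the selection rule that the "adaptive encryption algorithm" behaviour implies.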

3.1 SM2 ACME Service System, ZoTrus Cloud SSL system, SM2 SSL certificate and ECC SSL certificate

The ZoTrus Cloud SSL System is responsible for docking with the SM2 ACME Service System and issuing both SM2 SSL certificates and ECC SSL certificates for end users. The SM2 ACME Service System is responsible for connecting with the SM2 ACME Client, accepting identity verification, certificate applications and certificate revocation applications from the ACME Client, and, after domain name validation is completed, returning the dual SSL certificates issued by the ZoTrus Cloud SSL System to the SM2 ACME Client. The ACME Client can then automatically deploy the received dual SSL certificates in the Web server, in the SM2 HTTPS Automation Gateway, or in the SM2 HTTPS Automation Cloud Service.

Please note that the ACME Service System does not just issue an SM2 SSL certificate. After the ACME server receives the SSL certificate application from the ACME Client, it issues 3 SSL certificates to the ACME Client by default: one ECC algorithm SSL certificate, one SM2 signature SSL certificate and one SM2 encryption SSL certificate, not just an SM2 SSL certificate. The SM2 ACME Client deploys the 3 SSL certificates in the Web server to realize adaptive-algorithm https encryption, meeting the requirements of cryptography compliance and global trust.

3.2 SM2 Certificate Transparency Log System

The ZoTrus SM2 Certificate Transparency Log System provides the SM2 certificate transparency log service for the ZoTrus Cloud SSL System when it issues an SM2 SSL certificate: the precertificate of the SM2 SSL certificate is submitted to the log, and the log returns the signed certificate timestamp (SCT) data to the ZoTrus Cloud SSL System. The ZoTrus Cloud SSL System embeds the SCT data into the SM2 SSL certificate and then delivers it to the SM2 ACME Service System.

The ZoTrus Cloud SSL System simultaneously submits the ECC signing request to the Sectigo CA system to obtain the issued ECC SSL certificate with SCT data that meets the browsers' requirements, and delivers the issued ECC SSL certificate together with the SM2 SSL certificate to the SM2 ACME Service System.

3.3 SM2 ACME client - SM2cerBot

Built with reference to the international ACME standard, SM2cerBot not only realizes the automatic application for SM2 SSL certificates and ECC SSL certificates, but also integrates the SM2 algorithm support module into the Web server, allowing users to complete certificate application, certificate deployment and SM2 algorithm support with one click. Once the certificates are installed successfully, it keeps running to make sure the system works normally, and automatically renews the certificates 3 days in advance to ensure uninterrupted https encryption of the website and the continuous, reliable operation of the business system, eliminating the risk of business interruption caused by forgetting to renew expired certificates.

Please note that the ACME Client is not only responsible for applying for and deploying the SM2 SSL certificate. The ACME Client submits the SM2 SSL certificate request and the ECC SSL certificate request to the ACME server at the same time. After receiving the issued certificates, it deploys three SSL certificates at once: one ECC algorithm SSL certificate, one SM2 signature SSL certificate and one SM2 encryption SSL certificate. The 3 SSL certificates are used for adaptive-algorithm https encryption, meeting the cryptography compliance and global trust application requirements.

3.4 SM2 HTTPS Automation Gateway

The ZoTrus SM2 HTTPS Automation Gateway is an https hardware gateway whose built-in SM2 ACME client automatically configures the dual SSL certificates to implement https encryption, enabling users to implement SM2 https encryption with zero reconstruction while remaining compatible with international-algorithm https encryption. Its very high HTTPS encryption and offloading performance not only eliminates the need to upgrade the existing Web server and install an SSL certificate on it, but also takes the whole HTTPS encryption load off the Web server, so that the Web server can be dedicated to serving the business system and the business system runs more smoothly.

The ZoTrus SM2 HTTPS Automation Gateway has a built-in ACME client that automatically connects to the ZoTrus Cloud SSL System to complete the application and automatic configuration of the dual SSL certificates, which greatly reduces the workload of IT administrators and completely avoids business interruption caused by forgetting to renew SSL certificates. Once deployed, the ZoTrus SM2 HTTPS Automation Gateway provides high-performance, uninterrupted, high-speed https encryption services with adaptive algorithm selection for the website system, meeting the requirements of cryptography compliance, cyber security compliance and global trust.

3.5 SM2 HTTPS Automation Cloud Service

The ZoTrus SM2 HTTPS Automation Cloud Service, also known as the Website Security Cloud Service, is an https encryption service based on the Alibaba Cloud WAF/CDN system; it supports the SM2 ACME Service to automatically configure the SM2 SSL certificate and ECC SSL certificate and realize adaptive-algorithm https encryption. There is no need to purchase a cloud WAF/CDN service separately, and no need to apply for an SSL certificate from a CA separately and manually configure it in the cloud WAF/CDN. Customers only need to use the SM2 HTTPS Automation Cloud Service and make three domain name resolution changes to turn the original website into the origin of the CDN+WAF; SM2 https encryption is then completed more cheaply and easily, and the four-in-one website security of https encryption, cloud WAF protection, CDN distribution and website trusted identity certification is realized at the same time.

The ZoTrus SM2 HTTPS Automation Cloud Service is very suitable for customers who neither want to nor can install the SM2 ACME Client software on the existing Web server, and do not want to purchase and locally deploy the hardware SM2 Gateway device: only one domain name resolution change is needed to get SM2 https encryption and cloud WAF protection.

3.6 ZT Browser

ZT Browser is currently the only completely free SM2 browser in the world that supports SM2 Certificate Transparency. After users successfully install the SM2 ACME Client, deploy the SM2 HTTPS/WAF Gateway, or enable the SM2 HTTPS Automation Cloud Service, it is strongly recommended to download and use ZT Browser to verify the effect of the dual SSL certificate deployment: ZT Browser will use the SM2 algorithm to realize https encryption. It is also recommended to compare the result with other browsers; browsers that do not support the SM2 algorithm and SM2 certificate transparency can only use the ECC algorithm to implement https encryption.

4. Localized Deployment of SM2 SSL Certificate Automatic Management System

The SM2 Automatic Certificate Management System not only solves the automatic management of SM2 SSL certificates and ECC SSL certificates for a single website, but is also especially suitable for organizations and Internet companies with a large number of servers that need SSL certificates, and in particular for e-government cloud platforms, where thousands or even tens of thousands of website systems need SSL certificates, especially SM2 SSL certificates, to meet cryptography compliance requirements.

By deploying the SM2 HTTPS/WAF Gateway, e-government cloud platforms and the public and private cloud platforms of large enterprises can automatically deploy the double SSL certificates for thousands or tens of thousands of websites and automatically implement adaptive-algorithm https encryption, without affecting the normal operation of the existing systems and with zero reconstruction. It is recommended to deploy the SM2 Automatic Certificate Management System locally on the cloud platform and to customize and develop some supporting systems according to the specific requirements of the platform, so as to achieve full automation, zero reconstruction, zero maintenance, and a zero-impact, seamless switch from http to https, realizing https encryption for all website systems for cryptography compliance and global trust.

Click here to learn more details. Organizations interested in implementing automatic management of SSL certificates with localized deployment are welcome to contact us, and we will customize the implementation plan for you.