# Introduction to Device Certificate Kit

<!--Kit: Device Certificate Kit-->
<!--Subsystem: Security-->
<!--Owner: @zxz--3-->
<!--Designer: @lanming-->
<!--Tester: @PAFT-->
<!--Adviser: @zengyawen-->

Device Certificate Kit provides the [certificate framework](#certificate-framework) and [certificate management](#certificate-management) capabilities for developers.

## Certificate Framework

The certificate framework provides APIs for parsing and validating digital certificates.

You can use the APIs to parse and validate a certificate, certificate extensions, and a certificate revocation list (CRL), and validate a certificate chain.

The certificate framework module shields the differences between third-party algorithm libraries to make development a more enjoyable experience.

**Scenarios**

The application parses the received certificate or the certificate entered by the user, obtains the basic fields or extension fields of the certificate for display or verification, and uses the CA certificate chain and CRL to verify the certificate validity.

### Working Principles

The system provides the certificate framework, which shields the differences between third-party algorithm libraries. You only need to use the APIs provided by the certificate framework to implement operations on certificates.

### Related Kits

During the use of certificate framework functionalities, public keys need to be generated and obtained, which depends on [Crypto Architecture Kit](../CryptoArchitectureKit/crypto-architecture-kit-intro.md).

## Certificate Management

The **certManager** module provides system-level certificate management capabilities to ensure certificate security during transmission and storage and prevent unauthorized certificate access and use.

The following capabilities are provided:

1. Install, obtain, use, and delete application certificates.
2. Install, obtain, and uninstall user CA certificates.
3. Manage CA certificates on the certificate management page via the provided APIs.

You can use this module to manage and securely use certificates throughout their lifecycle (installation, storage, use, and destruction).

**Scenarios**

1. Application certificates: In the scenario of two-way network authentication, the service first installs the application certificates, uses them to sign the service data, then sends the signature together with the certificates to the peer, and finally deletes the certificates.
2. User CA certificates: In the scenario of network connection, the service installs the user CA certificates, uses them to verify the peer identity, and deletes them when the certificates expire or are revoked.
3. Certificate management dialog box: The service calls the provided dialog box API to directly start the certificate management UI, where you can view, install, and delete certificates and credentials.

### Related Kits

During the use of the certificate management functionalities, certificates need to be installed and used, which depends on [Universal Keystore Kit](../UniversalKeystoreKit/huks-overview.md).

## Constraints

Device Certificate Kit does not provide the capabilities of generating or issuing certificates and CRLs. Such capabilities are implemented by a certificate authority (CA) rather than a single application.