Key rotation with external workflows
First Claim
1. A computer-implemented method, comprising:
generating, by a computing system for a client, a keypair for distribution to a computing resource of the computing system over an internal network to the computing system, the computing resource accessible to the client over an external network to the computing system, the keypair unavailable to the client for use on the computing resource until activation of the keypair based at least in part on a workflow;
the keypair generated based at least in part on a security policy specifying a time-based rotation of keypairs within the computing system;
selecting, by the computing system, a workflow template for the workflow based at least in part on a class of the keypair, the workflow template defined for the class of the keypair based at least in part on input of an administrator of the computing system, the workflow template specifying actions within the computing system to complete the activation of the keypair based at least in part on the class of the keypair;
performing, by the computing system, the actions within the computing system to complete the workflow;
associating, by the computing system, the keypair with an active status based at least in part on completion of the workflow;
distributing, by the computing system based at least in part on the active status, the keypair to the computing resource over the internal network without sending the keypair to the client, the keypair distributed to the computing resource as a non-preferred keypair, the distributing comprising replacing, for the client, an existing keypair with the keypair based at least in part on the time-based rotation;
receiving, by the computing system from the computing resource, an acknowledgement about receipt of the keypair by the computing resource; and
providing, by the computing system to the computing resource and based at least in part on the acknowledgment, instructions about using the keypair for the client as a preferred keypair, the keypair becoming available to the client on the computing resource over the external network based at least in part on the keypair being the preferred keypair.
Abstract
A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.
18 Claims
1. A computer-implemented method, comprising the elements set out in full above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computing system, comprising:
one or more processors;
one or more non-transitory computer-readable storage media bearing instructions that, upon execution with the one or more processors, cause the computing system to at least:
generate, for a client, a secret for distribution within the computing system over an internal network to the computing system, the computing system accessible to the client over an external network to the computing system, the secret unavailable to the client for use until activation of the secret based at least in part on a workflow, the secret generated based at least in part on a security policy, the security policy defining a time-based rotation of secrets based at least in part on input of an administrator of the computing system;
select a workflow template for the workflow based at least in part on a class of the secret, the workflow template defined for the class of the secret based at least in part on the input of the administrator, the workflow template specifying actions within the computing system to complete the activation of the secret based at least in part on the class of the secret;
perform the actions within the computing system to complete the workflow;
associate the secret with an active status based at least in part on completion of the workflow template;
distribute, based at least in part on the status state, the secret within the computing system over the internal network without sending the secret to the client, the secret distributed as a non-preferred secret; and
enable the secret to be used in response to an acknowledgement about the secret from a computing resource of the computing system by at least providing instructions to the computing resource about using the secret as a preferred secret, the secret becoming available to the client at the computing system over the external network based at least in part on the secret being the preferred secret.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, upon execution with one or more processors of a computing system, cause the computing system to at least:
generate, for a client, a key for distribution within the computing system over an internal network to the computing system, the computing system accessible to the client over an external network to the computing system, the key unavailable to the client for use until activation of the key, the key generated based at least in part on a security policy specifying a time-based rotation of keys within the computing system;
select a workflow template to activate the key based at least in part on a class of the key, the workflow template defined for the class of the key based at least in part on input of an administrator of the computing system, the workflow template specifying actions within the computing system to complete the activation of the key based at least in part on the class of the key;
perform the actions within the computing system based at least in part on the workflow template;
associate the key with an active status based at least in part on the actions of the workflow template being performed;
distribute, based at least in part on the active status, the key within the computing system over the internal network without sending the key to the client, the key distributed as a non-preferred key, the distributing comprising replacing, for the client, an existing key with the key based at least in part on the time-based rotation; and
enable the key to be used in response to an acknowledgement about the key from a resource of the computing system by at least providing instructions to the resource about using the key as a preferred key, the key becoming available to the client at the computing system over the external network based at least in part on the key being the preferred key.
Dependent claims: 16, 17, 18.
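As an added illustration of the rotation lifecycle that claims 1, 8 and 15 describe (example code written for this page, not the patent's or any assignee's implementation), the following Python models a key manager that selects a workflow template by key class, refuses to distribute a key until every template action is complete, installs it on the resource as non-preferred, and only promotes it to preferred (retiring the key it replaces) once the resource's acknowledgement arrives. The key class names, workflow action names, record layout and "ack:" acknowledgement format are assumptions; the page does not specify them.

```python
from enum import Enum

# One key's lifecycle as the claims describe it: generated -> active (workflow
# done) -> distributed as non-preferred -> acknowledged -> preferred -> retired.
State = Enum("State", "GENERATED ACTIVE DISTRIBUTED PREFERRED RETIRED")

# Hypothetical workflow templates keyed by key class; the page describes
# class-based template selection but not these class or action names.
WORKFLOW_TEMPLATES = {"tls-server": ["generate_csr", "submit_to_ca", "install_chain"],
                      "ssh-host": ["register_fingerprint"]}

class KeyManager:
    def __init__(self, rotation_period):
        self.rotation_period = rotation_period  # policy: seconds between rotations
        self.keys = {}      # key_id -> {"state", "created", "pending"}
        self.resource = {}  # what the resource holds: key_id -> is_preferred
        self.count = 0
    def rotation_due(self, now):
        cur = [k for k in self.keys.values() if k["state"] is State.PREFERRED]
        return not cur or now - cur[0]["created"] >= self.rotation_period
    def generate(self, key_class, now):
        self.count += 1
        key_id = f"{key_class}-{self.count}"
        self.keys[key_id] = {"state": State.GENERATED, "created": now,
                             "pending": list(WORKFLOW_TEMPLATES[key_class])}
        return key_id  # only an id leaves the manager; the key stays internal
    def complete_action(self, key_id, action):
        rec = self.keys[key_id]
        if rec["state"] is not State.GENERATED or rec["pending"][0] != action:
            raise ValueError(f"{action} is out of order for {key_id}")
        rec["pending"].pop(0)
        if not rec["pending"]:  # every template action done -> active
            rec["state"] = State.ACTIVE
    def distribute(self, key_id):
        if self.keys[key_id]["state"] is not State.ACTIVE:
            raise ValueError(f"{key_id} not activated; refusing to distribute")
        self.resource[key_id] = False  # installed on the resource, not yet preferred
        self.keys[key_id]["state"] = State.DISTRIBUTED
        return f"ack:{key_id}"  # constructed acknowledgement sent back by the resource
    def acknowledge(self, ack):
        key_id = ack.split(":", 1)[1]
        if self.keys[key_id]["state"] is not State.DISTRIBUTED:
            raise ValueError("acknowledgement for a key that was never distributed")
        for old in [k for k, r in self.keys.items() if r["state"] is State.PREFERRED]:
            self.keys[old]["state"] = State.RETIRED  # replaced under the rotation policy
            self.resource.pop(old)
        self.resource[key_id] = True  # instruct the resource: use this as preferred
        self.keys[key_id]["state"] = State.PREFERRED
    def client_visible_key(self):  # the only key usable over the external network
        return next((k for k, pref in self.resource.items() if pref), None)
```

The check worth noting is that between `distribute` and `acknowledge` the client still sees the previous key, so a rotation that stalls at the resource never leaves the client without a usable key.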