Management of SSL/TLS certificates

US 20050074124A1
Filed: 08/13/2004
Published: 04/07/2005
Est. Priority Date: 08/15/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for operating a certificate management and renewal system for automatically renewing digital certificates in a managed network, the management and renewal system including network facilities for electronic communication over a network, the management and renewal system being configured to communicate with a plurality of servers utilizing the network facilities, each of those servers including at least one digital certificate stored thereon and further configured to provide a service to client devices, the method comprising the steps of:

monitoring the expiration status of certificates stored to the plurality of servers;

detecting the expiration of a certificate stored to the plurality of servers within a specified period of time;

identifying a managed server corresponding to a detected expiring digital certificate;

communicating with the managed server, the communicating causing the managed server to generate a certificate signing request and return the request to the managing device;

transmitting a generated and received certificate signing request to a certificate authority;

receiving a certificate signed by a certificate authority generated from a certificate signing request;

identifying a destination managed server corresponding to a received certificate signed by a certificate authority;

installing a received certificate signed by a certificate authority to an identified destination managed server; and

configuring an identified destination managed server to use a private key corresponding to an installed certificate.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are several digital certificate discovery and management systems. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.

63 Citations

View as Search Results

16 Claims

1. A method for operating a certificate management and renewal system for automatically renewing digital certificates in a managed network, the management and renewal system including network facilities for electronic communication over a network, the management and renewal system being configured to communicate with a plurality of servers utilizing the network facilities, each of those servers including at least one digital certificate stored thereon and further configured to provide a service to client devices, the method comprising the steps of:
- monitoring the expiration status of certificates stored to the plurality of servers;
  
  detecting the expiration of a certificate stored to the plurality of servers within a specified period of time;
  
  identifying a managed server corresponding to a detected expiring digital certificate;
  
  communicating with the managed server, the communicating causing the managed server to generate a certificate signing request and return the request to the managing device;
  
  transmitting a generated and received certificate signing request to a certificate authority;
  
  receiving a certificate signed by a certificate authority generated from a certificate signing request;
  
  identifying a destination managed server corresponding to a received certificate signed by a certificate authority;
  
  installing a received certificate signed by a certificate authority to an identified destination managed server; and
  
  configuring an identified destination managed server to use a private key corresponding to an installed certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. A method according to claim 1, wherein said instructions are further executable to revoke a certificate for which expiration was detected.
  - 3. A method according to claim 1, wherein said instructions are further executable to achieve the functions of:
    - generating a new asymmetric key pair; and
      
      installing a generated private key of a new asymmetric key pair to an identified destination managed server; and
      
      wherein a generated certificate signing request includes a generated public key of a new asymmetric key pair.
  - 4. A method according to claim 1, wherein said instructions are further executable to install a received certificate signed by a certificate authority by a network interface provided by a web interface of a web server installed to an identified destination managed server.
  - 5. A method according to claim 1, wherein said instructions are further executable to install a received certificate signed by a certificate authority by a shell interface to an identified destination managed server.
  - 6. A method according to claim 1, wherein said instructions are further executable to install a received certificate signed by a certificate authority by an agent program installed to an identified destination managed server.
  - 7. A method according to claim 1, wherein said instructions are further executable to restart a destination server program.
  - 8. A method according to claim 1, wherein said instructions are further executable to restart a destination server computer.
  - 9. A method according to claim 1, wherein said instructions are further executable to notify an administrator to restart a destination server program or destination server computer.
  - 10. A method according to claim 1, wherein said instructions are further executable to confirm the installation of a received certificate to a destination server following the performance of a set of installation steps.
  - 11. A method according to claim 10, wherein said instructions are further executable to generate an alert to an administrator if the installation of a received certificate to a destination server is not confirmed.
  - 12. A method according to claim 1, wherein said instructions are further executable to achieve the functions of:
    - informing an administrator of a certificate for which expiration has been detected;
      
      prior to said transmitting, requesting approval to renew a certificate for which expiration has been detected; and
      
      receiving, in response to a request for approval, an indication from an administrator that a certificate is to be renewed.
  - 13. A method according to claim 1, wherein said instructions are further executable to achieve the functions of:
    - following said receiving a certificate signed by a certificate authority, informing an administrator of that renewed certificate;
      
      prior to said installing, requesting approval to install a renewed certificate received from a certificate authority; and
      
      receiving, in response to a request for approval, an indication from an administrator that a renewed certificate is to be installed.
  - 14. A method according to claim 1, wherein said instructions are further executable to store a received certificate signed by a certificate authority to a backup storage device.

15. A method for operating a certificate management and renewal system for automatically renewing digital certificates in a managed network, the management and renewal system including network facilities for electronic communication over a network, the management and renewal system being configured to communicate with a plurality of servers utilizing the network facilities, each of those servers including at least one digital certificate stored thereon and further configured to provide a service to client devices, the method comprising the steps of:
- receiving an address range corresponding to a network or network portion to be scanned;
  
  contacting network devices within the received address range, said contacting further intended to initiate the transmission of a digital certificate from each of the contacted network devices to said certificate discovery system;
  
  for each contacted network device transmitting a digital certificate, receiving the digital certificate;
  
  for each received digital certificate, creating a certificate record containing a certificate identification, wherein the certificate identification contains sufficient information to identify the received digital certificate and the network device from where it was transmitted;
  
  storing created certificate records in a certificate database;
  
  monitoring the expiration status of certificates stored to the plurality of servers;
  
  detecting the expiration of a certificate stored to the plurality of servers within a specified period of time;
  
  identifying a managed server corresponding to a detected expiring digital certificate;
  
  communicating with the managed server, the communicating causing the managed server to generate a certificate signing request and return the request to the managing device;
  
  transmitting a generated and received certificate signing request to a certificate authority;
  
  receiving a certificate signed by a certificate authority generated from a certificate signing request;
  
  identifying a destination managed server corresponding to a received certificate signed by a certificate authority;
  
  installing a received certificate signed by a certificate authority to an identified destination managed server; and
  
  configuring an identified destination managed server to use a private key corresponding to an installed certificate.

16. A method for operating a certificate management and renewal system for automatically renewing digital certificates in a managed network, the management and renewal system including network facilities for electronic communication over a network, the management and renewal system being configured to communicate with a plurality of servers utilizing the network facilities, each of those servers including at least one digital certificate stored thereon and further configured to provide a service to client devices, the method comprising the steps of:
- receiving an address range corresponding to a network or network portion to be scanned, contacting network devices within the received address range, said contacting further intended to initiate the transmission of a digital certificate from each of the contacted network devices to said certificate discovery system, for each contacted network device transmitting a digital certificate, receiving the digital certificate, for each received digital certificate, creating a certificate record containing a certificate identification, wherein the certificate identification contains sufficient information to identify the received digital certificate and the network device from where it was transmitted, storing created certificate records in a certificate database, monitoring the expiration status of certificates stored to the plurality of servers, detecting the expiration of a certificate stored to the plurality of servers within a specified period of time, receiving, in response to a request for approval, an indication from an administrator that a certificate is to be renewed or installed, identifying a managed server corresponding to a detected expiring digital certificate, communicating with the managed server, the communicating causing the managed server to generate a new asymmetric key pair, the communicating further causing the managed server to generate a certificate signing request and return the request to the managing device, transmitting a generated and received certificate signing request to a certificate authority, receiving a certificate signed by a certificate authority generated from a certificate signing request, identifying a destination managed server corresponding to a received certificate signed by a certificate authority, installing a received certificate signed by a certificate authority to an identified destination managed server, the installing being performed by accessing the identified destination managed server using a corresponding object of said authentication objects, the installing utilizing a protocol selected from the group of a shell interface, an agent interface and a network interface provided by a web interface of a web server, configuring an identified destination managed server to use a private key corresponding to an installed certificate, performing a restart action selected from the group of commanding an identified destination managed server to perform a restart, commanding an identified destination managed server to restart and notifying an administrator to restart a destination server program or destination server computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imcentric Incorporated, Venafi,Inc.
Original Assignee
Imcentric Incorporated
Inventors
Thornton, Russell S., Seegmiller, Jayson, Hodson, Benjamin

Application Number

US10/918,667
Publication Number

US 20050074124A1
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/04   for providing a confidentia...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

Management of SSL/TLS certificates

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Management of SSL/TLS certificates

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links