Continuing public key infrastructure operation while regenerating a new certification authority keypair and certificate
Abstract
In accordance with one embodiment, continued PKI operation while a new Certification Authority (CA) keypair and certificate (or the like) are regenerated is provided by a root Certification Authority preparing a second CA certificate in response to a request from a subordinate certification authority. The root Certification Authority and the subordinate certification authority store copies of the second CA certificate for use when the current CA certificate expires. Accordingly, existing trust relationships among a plurality of certificate authorities may be maintained during regeneration, node addition or the like.
29 Claims
1. A method of continuing operation of a public key infrastructure (PKI), comprising a certification authority (CA) and a requestor, the method comprising the computer-implemented steps of:
establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and
generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate. (Dependent claims: 2, 3, 4, 5, 6, 7.)
8. A method of continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, the method comprising the computer-implemented steps of:
establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
determining that the first CA certificate is about to expire;
sending a request to the Certification Authority for a new CA certificate; and
storing the new CA certificate for use when the first certificate expires, if the new CA certificate is received. (Dependent claim: 9.)
10. A method of continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, the method comprising the computer-implemented steps of:
establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
generating a second keypair K2, having a second public key K2-public and a second private key, K2-private, and wherein the second keypair K2 is not cryptographically related to the first keypair K1;
generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate;
receiving from the requestor a request for a new CA certificate;
preparing a message to the requestor, wherein the message includes the second CA certificate;
signing the message using the first private key K1-private; and
sending the message to the requestor for storing the second certificate for use when the first certificate expires.
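The rollover described in claims 1, 8 and 10, worked through as an added example that is not the patent's own implementation: the CA generates an unrelated second keypair K2 and a future-valid second CA certificate whose validity starts exactly where the first one ends, sends it in a message signed with K1-private, and the requestor authenticates that message under the first certificate and checks the name and validity constraints before storing the new certificate. It uses only Go's standard library and assumes Ed25519 keys, a self-signed root CA with the placeholder name "Example Root CA", and that the "message" is the DER certificate plus a detached signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// selfSignedCA generates a fresh keypair (unrelated to any earlier key) and a self-signed
// CA certificate for it, valid over [notBefore, notAfter]. The CA name is a placeholder.
func selfSignedCA(serial int64, notBefore, notAfter time.Time) (ed25519.PrivateKey, *x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return priv, cert
}

// RolloverMsg is the claim 10 message: the future-valid second CA certificate signed with K1-private.
type RolloverMsg struct{ CertDER, Sig []byte }

func prepareRollover(k1Private ed25519.PrivateKey, cert2 *x509.Certificate) RolloverMsg {
	return RolloverMsg{CertDER: cert2.Raw, Sig: ed25519.Sign(k1Private, cert2.Raw)}
}

// acceptRollover is the requestor side: verify under the trusted first certificate, then enforce the claim constraints.
func acceptRollover(cert1 *x509.Certificate, msg RolloverMsg) (*x509.Certificate, error) {
	if err := cert1.CheckSignature(x509.PureEd25519, msg.CertDER, msg.Sig); err != nil {
		return nil, errors.New("message not signed by the current CA key K1")
	}
	cert2, err := x509.ParseCertificate(msg.CertDER)
	if err != nil {
		return nil, err
	}
	if cert2.Subject.String() != cert1.Subject.String() || cert2.Issuer.String() != cert1.Issuer.String() {
		return nil, errors.New("issuer or subject name differs from the first CA certificate")
	}
	if !cert2.NotBefore.Equal(cert1.NotAfter) {
		return nil, errors.New("validity period L2 does not begin at expiry of L1")
	}
	return cert2, nil
}
```

The requestor keeps the returned certificate alongside the first one and switches to it when the first expires; nothing about the first keypair is needed to derive the second.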
11. A computer-readable medium carrying one or more sequences of instructions for continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and
generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate. (Dependent claims: 12, 13, 14, 15, 16, 17.)
18. A computer-readable medium carrying one or more sequences of instructions for continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
determining that the first CA certificate is about to expire;
sending a request to the Certification Authority for a new CA certificate; and
storing the new CA certificate for use when the first certificate expires, if the new CA certificate is received. (Dependent claim: 19.)
20. An apparatus for continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, the apparatus comprising:
a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
a processor;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and
generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate. (Dependent claims: 21, 22, 23, 24, 25, 26.)
27. An apparatus for continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, the apparatus comprising:
a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
a processor;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
determining that the first CA certificate is about to expire;
sending a request to the Certification Authority for a new CA certificate; and
storing the new CA certificate for use when the first certificate expires, if the new CA certificate is received. (Dependent claim: 28.)
29. An apparatus for continuing operation of a public key infrastructure (PKI), comprising a certification authority (CA) and a requestor, the apparatus comprising:
means for establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
means for generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and
means for generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate.
Specification