Continuing public key infrastructure operation while regenerating a new certification authority keypair and certificate

US 20060047951A1
Filed: 08/27/2004
Published: 03/02/2006
Est. Priority Date: 08/27/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method of continuing operation of a public key infrastructure (PKI), comprising a certification authority (CA) and a requestor, the method comprising the computer-implemented steps of:

establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;

generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and

generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;

wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and

wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one embodiment, continued PKI operation during regenerating a new Certification Authority (CA) keypair and certificate or the like is provided by a root Certification Authority preparing a second CA certificate responsive to a request from a subordinate certification authority. The root Certification Authority and the subordinate certification authority store copies of the second CA certificate for use when the current CA certificate expires. Accordingly, existing trust relationships among a plurality of certificate authorities may be maintained during regeneration, node addition or the like.

53 Citations

View as Search Results

29 Claims

1. A method of continuing operation of a public key infrastructure (PKI), comprising a certification authority (CA) and a requestor, the method comprising the computer-implemented steps of:
- establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
  
  generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and
  
  generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
  
  wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
  
  wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as recited in claim 1, further comprising the steps of:
    - receiving from the requestor a request for a new CA certificate;
      
      preparing a message to the requester, wherein the message includes the second CA certificate;
      
      signing the message using the first private key K1-private; and
      
      sending the message to the requestor for storing the second certificate for use when the first certificate expires.
  - 3. A method as recited in claim 2, further comprising the steps of:
    - receiving from a requestor a request for a new local certificate, wherein the request has been signed with the requestor'"'"'s first private key rK1-private;
      
      wherein the request includes the first certificate signed with the Certification Authority'"'"'s first private key K1-private and wherein the request is enveloped using the CA'"'"'s second public key K2-public;
      
      automatically generating a new local certificate having a validity period L3 that begins at the start of the second validity period L2 of the second CA certificate;
      
      signing the local certificate using the second private key K2-private; and
      
      sending the local certificate to the requestor for storing the local certificate for use when the requestor'"'"'s current local certificate expires.
  - 4. A method as recited in claim 3, wherein the request comprises a first data layer in PKCS#10 format that is signed with the requestor'"'"'s second private key rK2-private key and a second data layer in PKCS#7 format comprising a local certificate signed by the CA with the Certificate Authority'"'"'s first private key K1-private, wherein the local certificate comprises the requestor'"'"'s first public key rK1-public.
  - 5. A method as recited in claim 1, further comprising the steps of:
    - determining that the first CA certificate is expired; and
      
      exchanging the second CA certificate for the first CA certificate at expiration of the first CA certificate.
  - 6. A method as recited in claim 2, wherein preparing a message to the requestor comprises:
    - preparing a PKCS#7 message containing the second CA certificate and signed with the first private key K1-private.
  - 7. A method as recited in claim 1, wherein the second keypair K2 is cryptographically unrelated to the first keypair K1.

8. A method of continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, the method comprising the computer-implemented steps of:
- establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
  
  determining that the first CA certificate is about to expire;
  
  sending a request to the Certification Authority for a new CA certificate; and
  
  storing the new CA certificate for use when the first certificate expires, if the new CA certificate is received.
- View Dependent Claims (9)
- - 9. A method as recited in claim 8, further comprising:
    - determining that a current local certificate is about to expire;
      
      sending a request to the Certification Authority for a new local certificate, wherein the request has been signed with the requestor'"'"'s first private key rK1-private;
      
      wherein the request includes the first certificate signed with the Certification Authority'"'"'s first private key K1-private and wherein the request is enveloped using the CA'"'"'s second public key K2-public; and
      
      storing the new local certificate for use when the current local certificate expires, if the new local certificate is received.

10. A method of continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, the method comprising the computer-implemented steps of:
- establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
  
  generating a second keypair K2, having a second public key K2-public and a second private key, K2-private, and wherein the second keypair K2 is not cryptographically related to the first keypair K1;
  
  generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
  
  wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
  
  wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate;
  
  receiving from the requestor a request for a new CA certificate;
  
  preparing a message to the requestor, wherein the message includes the second CA certificate;
  
  signing the message using the first private key K1-private; and
  
  sending the message to the requestor for storing the second certificate for use when the first certificate expires.

11. A computer-readable medium carrying one or more sequences of instructions for continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
  
  generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and
  
  generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
  
  wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
  
  wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. A computer-readable medium as recited in claim 11, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
    - receiving from the requestor a request for a new CA certificate;
      
      preparing a message to the requester, wherein the message includes the second CA certificate;
      
      signing the message using the first private key K1-private; and
      
      sending the message to the requestor for storing the second certificate for use when the first certificate expires.
  - 13. A computer-readable medium as recited in claim 12, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
    - receiving from a requestor a request for a new local certificate, wherein the request has been signed with the requestor'"'"'s first private key rK1-private;
      
      wherein the request includes the first certificate signed with the Certification Authority'"'"'s first private key K1-private and wherein the request is enveloped using the CA'"'"'s second public key K2-public;
      
      automatically generating a new local certificate having a validity period L3 that begins at the start of the second validity period L2 of the second CA certificate;
      
      signing the local certificate using the second private key K2-private; and
      
      sending the local certificate to the requestor for storing the local certificate for use when the requestor'"'"'s current local certificate expires.
  - 14. A computer-readable medium as recited in claim 13, wherein the request comprises a first data layer in PKCS#10 format that is signed with the requestor'"'"'s second private key rK2-private key and a second data layer in PKCS#7 format comprising a local certificate signed by the CA with the Certificate Authority'"'"'s first private key K1-private, wherein the local certificate comprises the requestor'"'"'s first public key rK1-public.
  - 15. A computer-readable medium as recited in claim 11, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
    - determining that the first CA certificate is expired; and
      
      exchanging the second CA certificate for the first CA certificate at expiration of the first CA certificate.
  - 16. A computer-readable medium as recited in claim 12, wherein the instructions for preparing a message to the requestor further comprise instructions for carrying out the steps of:
    - preparing a PKCS#7 message containing the second CA certificate and signed with the first private key K1-private.
  - 17. A computer-readable medium as recited in claim 11, wherein the second keypair K2 is cryptographically unrelated to the first keypair K1.

18. A computer-readable medium carrying one or more sequences of instructions for continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requestor, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
  
  determining that the first CA certificate is about to expire;
  
  sending a request to the Certification Authority for a new CA certificate; and
  
  storing the new CA certificate for use when the first certificate expires, if the new CA certificate is received.
- View Dependent Claims (19)
- - 19. A computer-readable medium as recited in claim 18, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to carry out the steps of:
    - determining that a current local certificate is about to expire;
      
      sending a request to the Certification Authority for a new local certificate, wherein the request has been signed with the requestor'"'"'s first private key rK1-private;
      
      wherein the request includes the first certificate signed with the Certification Authority'"'"'s first private key K1-private and wherein the request is enveloped using the CA'"'"'s second public key K2-public; and
      
      storing the new local certificate for use when the current local certificate expires, if the new local certificate is received.

20. An apparatus for continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requester, the apparatus comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
  
  generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and
  
  generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
  
  wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
  
  wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. An apparatus as recited in claim 20, further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - receiving from the requestor a request for a new CA certificate;
      
      preparing a message to the requester, wherein the message includes the second CA certificate;
      
      signing the message using the first private key K1-private; and
      
      sending the message to the requestor for storing the second certificate for use when the first certificate expires.
  - 22. An apparatus as recited in claim 21, further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - receiving from a requestor a request for a new local certificate, wherein the request has been signed with the requestor'"'"'s first private key rK1-private;
      
      wherein the request includes the first certificate signed with the Certification Authority'"'"'s first private key K1-private and wherein the request is enveloped using the CA'"'"'s second public key K2-public;
      
      automatically generating a new local certificate having a validity period L3 that begins at the start of the second validity period L2 of the second CA certificate;
      
      signing the local certificate using the second private key K2-private; and
      
      sending the local certificate to the requestor for storing the local certificate for use when the requestor'"'"'s current local certificate expires.
  - 23. A apparatus as recited in claim 22, wherein the request comprises a first data layer in PKCS#10 format that is signed with the requestor'"'"'s second private key rK2-private key and a second data layer in PKCS#7 format comprising a local certificate signed by the CA with the Certificate Authority'"'"'s first private key K1-private, wherein the local certificate comprises the requestor'"'"'s first public key rK1-public.
  - 24. An apparatus as recited in claim 20, further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - determining that the first CA certificate is expired; and
      
      exchanging the second CA certificate for the first CA certificate at expiration of the first CA certificate.
  - 25. An apparatus as recited in claim 21, wherein the instructions for preparing a message to the requestor further comprise instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - preparing a PKCS#7 message containing the second CA certificate and signed with the first private key K1-private.
  - 26. An apparatus as recited in claim 20, wherein the second keypair K2 is cryptographically unrelated to the first keypair K1.

27. An apparatus for continuing operation of a public key infrastructure (PKI) comprising a certification authority (CA) and a requester, the apparatus comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
  
  determining that the first CA certificate is about to expire;
  
  sending a request to the Certification Authority for a new CA certificate; and
  
  storing the new CA certificate for use when the first certificate expires, if the new CA certificate is received.
- View Dependent Claims (28)
- - 28. An apparatus as recited in claim 27, further comprising instructions which, when executed by the processor, cause the processor to carry out the steps of:
    - determining that a current local certificate is about to expire;
      
      sending a request to the Certification Authority for a new local certificate, wherein the request has been signed with the requestor'"'"'s first private key rK1-private;
      
      wherein the request includes the first certificate signed with the Certification Authority'"'"'s first private key K1-private and wherein the request is enveloped using the CA'"'"'s second public key K2-public; and
      
      storing the new local certificate for use when the current local certificate expires, if the new local certificate is received.

29. An apparatus for continuing operation of a public key infrastructure (PKI), comprising a certification authority (CA) and a requestor, the apparatus comprising:
- means for establishing a trust relationship between the requestor and the certification authority based upon a first CA certificate produced by the CA and signed using a first private key K1-private of a first keypair K1, and having a first validity period L1;
  
  means for generating a second keypair K2, having a second public key K2-public and a second private key, K2-private; and
  
  means for generating a future valid second CA certificate signed with a second private key K2-private of the second keypair K2, and having a second validity period L2;
  
  wherein an issuer name and a subject name of the first CA certificate and an issuer name and a subject name of the second CA certificate are substantially identical; and
  
  wherein the second validity period L2 begins substantially concurrently with expiration of the first validity period of the first CA certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Pritikin, Max, Reilly, Michael, Nourse, Andrew, Simu, Adina, Chao, Wei-Chun

Application Number

US10/929,079
Publication Number

US 20060047951A1
Time in Patent Office

Days
Field of Search
US Class Current

713/158
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 9/007   involving hierarchical stru...

H04L 9/3263   involving certificates, e.g...

Continuing public key infrastructure operation while regenerating a new certification authority keypair and certificate

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Continuing public key infrastructure operation while regenerating a new certification authority keypair and certificate

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links