AUTOMATED CERTIFICATE MANAGEMENT
First Claim
1. A computer-implemented method for automatically generating and sharing security certificates, the method comprising:
generating one or more certificates for token signing and encryption in a server farm;
encrypting the certificates using a key securely shared among servers in the server farm;
publishing the certificates at a location available to each server in the server farm;
listening for requests to access published certificates; and
upon receiving a request to access a certificate, processing the received request to access a certificate; and
replying to the processed request with the requested certificate, wherein the preceding steps are performed by at least one processor.
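The steps of claim 1 carried out end to end, as an added Go example that is not part of the patent or of any product it describes: a self-signed Ed25519 token-signing certificate is generated, its private key is sealed with a 32-byte farm-shared key using AES-256-GCM with the certificate DER as associated data, the record is published to an in-memory map standing in for the shared location, and a retrieval request is served by unsealing. The farm key, the common name sts.farm.example, the record layout and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Record is what gets published at the shared location: the certificate DER in the clear (it
// is public anyway) and the private key sealed with AES-256-GCM under the farm-shared key,
// with the DER as associated data so a sealed key cannot be re-paired with another certificate.
type Record struct {
	Der, SealedKey []byte
}

func farmCipher(farmKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(farmKey) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateAndPublish creates an Ed25519 self-signed token-signing certificate valid for ttl,
// seals its private key with farmKey and stores the record in loc under the SHA-256 thumbprint.
func GenerateAndPublish(loc map[string]Record, farmKey []byte, cn string, now time.Time, ttl time.Duration) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	farm, err := farmCipher(farmKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, farm.NonceSize())
	rand.Read(nonce) // fresh random nonce per record; it is prepended to the ciphertext
	thumb := fmt.Sprintf("%x", sha256.Sum256(der))
	loc[thumb] = Record{Der: der, SealedKey: farm.Seal(nonce, nonce, priv, der)}
	return thumb, nil
}

// Retrieve serves a server's request for a published certificate: it unseals the key with the
// farm key and returns the parsed certificate and key. A wrong farm key, or a record whose DER
// or ciphertext was altered, fails GCM authentication and yields nothing usable.
func Retrieve(loc map[string]Record, farmKey []byte, thumb string) (*x509.Certificate, ed25519.PrivateKey, error) {
	r, ok := loc[thumb]
	if !ok {
		return nil, nil, fmt.Errorf("certificate %s is not published", thumb)
	}
	farm, err := farmCipher(farmKey)
	if err != nil {
		return nil, nil, err
	}
	ns := farm.NonceSize()
	if len(r.SealedKey) < ns {
		return nil, nil, fmt.Errorf("record %s is truncated", thumb)
	}
	key, err := farm.Open(nil, r.SealedKey[:ns], r.SealedKey[ns:], r.Der)
	if err != nil || len(key) != ed25519.PrivateKeySize {
		return nil, nil, fmt.Errorf("record %s: unseal failed (wrong farm key or tampered record)", thumb)
	}
	cert, err := x509.ParseCertificate(r.Der)
	if err != nil {
		return nil, nil, err
	}
	return cert, ed25519.PrivateKey(key), nil
}

func main() {
	farmKey := make([]byte, 32) // constructed for the demo; a real farm provisions this out of band
	rand.Read(farmKey)
	loc := map[string]Record{} // stands in for the shared publish location
	thumb, err := GenerateAndPublish(loc, farmKey, "sts.farm.example", time.Now(), 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cert, key, err := Retrieve(loc, farmKey, thumb) // a farm member gets the usable key pair
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.Subject.CommonName, key.Public().(ed25519.PublicKey).Equal(cert.PublicKey))
	_, _, err = Retrieve(loc, make([]byte, 32), thumb) // anyone without the farm key does not
	fmt.Println(err)
}
```

Two properties are worth noticing. A server that does not hold the farm key gets an authentication failure rather than a key, and because the DER is bound as associated data, swapping the certificate bytes on a record (or flipping a ciphertext bit) fails the same way. The certificate itself can sit in the clear; only the private key needs the shared key, and that key is the one secret the farm still has to provision out of band.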
Abstract
A certificate management system provides automated management of certificate lifecycles and certificate distribution. Rather than depend upon an administrator to manually distribute and manage certificates, the system self-generates certificates, distributes the certificates to appropriate servers or other parties, and transitions from old certificates to new certificates in a well-defined manner that avoids breaking functionality. After generating one or more certificates, the system securely shares certificates in a way that parties that use them can find the new certificates without an administrator manually distributing the certificates. When it is time to update certificates, the system generates new certificates and shares the new certificates in a similar way. During a transition period, the system provides a protocol by which both old and new certificates can be used to perform authenticated access to resources, so that the transition from an old to a new certificate does not break services.
20 Claims
11. A computer system for automatically managing certificates shared by multiple servers, the system comprising:
a processor and memory configured to execute software instructions;
a certificate generation component configured to generate one or more certificates for token signing and encryption;
a certificate publishing component configured to publish new certificates created by the certificate generation component to make the certificates available to other servers with which the system communicates;
a certificate retrieval component configured to retrieve new certificates shared by the certificate publishing component;
a certificate update component configured to add primary certificates retrieved from the certificate publishing component to a certificate store local to a server in the server farm;
a certificate expiration component configured to remove expired certificates from the system and promote secondary replacement certificates to primary certificates; and
a certificate store configured to store certificates generated by the certificate generation component.
Dependent claims 12 to 17 not shown.
18. A computer-readable storage medium comprising instructions for controlling a computer system to periodically update certificates used for communication between servers, wherein the instructions, when executed, cause a processor to perform actions comprising:
detecting pending expiration of a certificate for token signing or encryption;
generating a new certificate to replace the expiring certificate;
identifying the new certificate as a secondary certificate, such that servers retrieving the certificate will continue to use existing certificates as well as accepting requests that use the new certificate;
publishing the new certificate at a location available to each server in a server farm; and
upon detecting that a transition period has ended, promoting the new certificate from a secondary certificate to a primary certificate to complete replacement of the expiring certificate with the new certificate; and
removing the expired certificate from a certificate store.
Dependent claims 19 and 20 not shown.
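The lifecycle of claim 18 and the abstract's transition protocol, as an added Go example that is not part of the patent: a certificate is reduced to what the lifecycle needs (an Ed25519 key pair, an expiry, a publish time and a thumbprint that tokens carry as key identifier; sealing for distribution is left out here). The shared location holds a primary and, during a transition, a secondary. Servers sign only with the primary but verify against both, and Rotate publishes a replacement as secondary once the primary is inside the renew window, then promotes it and retires the old primary when the transition period has elapsed; local stores additionally refuse to load anything already expired. The 90-day lifetime, 14-day renew window, 7-day transition and the Location, Store and Rotate names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Cert is a token-signing certificate reduced to what the lifecycle needs; Thumb is the key id tokens carry.
type Cert struct {
	Thumb       string
	Pub         ed25519.PublicKey
	Priv        ed25519.PrivateKey
	NotAfter    time.Time
	PublishedAt time.Time
}

// Location is the shared publish location: the primary plus, during a transition, its secondary.
type Location struct {
	Primary, Secondary *Cert
}

// Generate creates a certificate valid for ttl, stamped as published now.
func Generate(now time.Time, ttl time.Duration) (*Cert, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Cert{fmt.Sprintf("%x", sha256.Sum256(pub)), pub, priv, now.Add(ttl), now}, nil
}

// Store is one server's local certificate store: thumbprint -> certificate, plus the primary.
type Store struct {
	Certs   map[string]Cert
	Primary string
}

// Sync retrieves the published certificates, skipping expired ones, and records the primary.
func (s *Store) Sync(loc *Location, now time.Time) error {
	if loc.Primary == nil || now.After(loc.Primary.NotAfter) {
		return errors.New("no unexpired primary certificate published")
	}
	s.Certs, s.Primary = map[string]Cert{}, loc.Primary.Thumb
	for _, c := range []*Cert{loc.Primary, loc.Secondary} {
		if c != nil && !now.After(c.NotAfter) {
			s.Certs[c.Thumb] = *c // an expired certificate is never loaded
		}
	}
	return nil
}

// Sign issues a token (key thumbprint plus signature) under the primary certificate only.
func (s *Store) Sign(msg []byte) (string, []byte) {
	return s.Primary, ed25519.Sign(s.Certs[s.Primary].Priv, msg)
}

// Verify accepts tokens under any loaded certificate, primary or secondary, so old tokens survive the transition.
func (s *Store) Verify(thumb string, msg, sig []byte) bool {
	c, ok := s.Certs[thumb]
	return ok && ed25519.Verify(c.Pub, msg, sig)
}

// Rotate promotes the secondary (retiring the old primary) once it has been published for the full
// transition period; otherwise, if the primary expires within renewWindow, it publishes a secondary.
func Rotate(loc *Location, now time.Time, ttl, renewWindow, transition time.Duration) error {
	if loc.Secondary != nil {
		if now.Sub(loc.Secondary.PublishedAt) >= transition {
			loc.Primary, loc.Secondary = loc.Secondary, nil
		}
		return nil
	}
	if loc.Primary == nil || loc.Primary.NotAfter.Sub(now) > renewWindow {
		return nil // nothing pending yet
	}
	c, err := Generate(now, ttl)
	if err != nil {
		return err
	}
	loc.Secondary = c
	return nil
}

func main() {
	day, t0 := 24*time.Hour, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	first, _ := Generate(t0, 90*day)
	loc := &Location{Primary: first} // stands in for the shared publish location
	var a, b Store
	a.Sync(loc, t0)
	msg := []byte("token-for-user-42") // constructed sample token body
	thumb, sig := a.Sign(msg)
	t1 := t0.Add(80 * day) // inside the 14-day renew window: Rotate publishes a secondary
	Rotate(loc, t1, 90*day, 14*day, 7*day)
	b.Sync(loc, t1)
	fmt.Println("during transition:", b.Verify(thumb, msg, sig), len(b.Certs)) // true 2
	t2 := t1.Add(8 * day) // transition period over: secondary promoted, old primary retired
	Rotate(loc, t2, 90*day, 14*day, 7*day)
	b.Sync(loc, t2)
	fmt.Println("after promotion:", b.Verify(thumb, msg, sig), len(b.Certs)) // false 1
}
```

The transition period is the knob that keeps promotion from breaking service: it should be at least as long as the longest-lived token signed under the old certificate, and every server must Sync at least once inside it, otherwise a server that never saw the secondary will reject tokens signed by peers that have already promoted it.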