AUTOMATED CERTIFICATE MANAGEMENT

US 20110219227A1
Filed: 03/08/2010
Published: 09/08/2011
Est. Priority Date: 03/08/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for automatically generating and sharing security certificates, the method comprising:

generating one or more certificates for token signing and encryption in a server farm;

encrypting the certificates using a key securely shared among servers in the server farm;

publishing the certificates at a location available to each server in the server farm;

listening for requests to access published certificates; and

upon receiving a request to access a certificate,processing the received request to access a certificate; and

replying to the processed request with the requested certificate,wherein the preceding steps are performed by at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A certificate management system provides automated management of certificate lifecycles and certificate distribution. Rather than depend upon an administrator to manually distribute and manage certificates, the system self-generates certificates, distributes the certificates to appropriate servers or other parties, and transitions from old certificates to new certificates in a well-defined manner that avoids breaking functionality. After generating one or more certificates, the system securely shares certificates in a way that parties that use them can find the new certificates without an administrator manually distributing the certificates. When it is time to update certificates, the system generates new certificates and shares the new certificates in a similar way. During a transition period, the system provides a protocol by which both old and new certificates can be used to perform authenticated access to resources, so that the transition from an old to a new certificate does not break services.

Citations

20 Claims

1. A computer-implemented method for automatically generating and sharing security certificates, the method comprising:
- generating one or more certificates for token signing and encryption in a server farm;
  
  encrypting the certificates using a key securely shared among servers in the server farm;
  
  publishing the certificates at a location available to each server in the server farm;
  
  listening for requests to access published certificates; and
  
  upon receiving a request to access a certificate,processing the received request to access a certificate; and
  
  replying to the processed request with the requested certificate,wherein the preceding steps are performed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein generating one or more certificates comprises invoking a local application programming interface (API) for creating certificates.
  - 3. The method of claim 1 wherein generating one or more certificates comprises invoking a remote public certificate authority (CA) to generate certificates.
  - 4. The method of claim 1 wherein encrypting the certificates comprises accessing the key using a common service account used by each server in the server farm to access shared certificate information.
  - 5. The method of claim 1 wherein encrypting the certificates comprises generating and storing a symmetric key or a key derived from the symmetric key to encrypt the one or more generated certificates.
  - 6. The method of claim 1 wherein publishing the certificates comprises placing the certificates in a public location in the server farm secured using a common service account so that only authorized parties can access the published certificates.
  - 7. The method of claim 1 wherein publishing the certificates comprises identifying each certificate as a primary or secondary certificate.
  - 8. The method of claim 1 wherein listening for requests to access published certificates comprises listen at a well-known port for server requests to access certificates associated with the server farm.
  - 9. The method of claim 1 wherein processing the received request comprises identifying the request as a periodic poll from a server in the server farm to detect newly generated or promoted certificates.
  - 10. The method of claim 1 wherein processing the received request comprises identifying certificates that have changed in a certificate collection and wherein replying to the processed request comprises sending the identified certificates in response to the request.

11. A computer system for automatically managing certificates shared by multiple servers, the system comprising:
- a processor and memory configured to execute software instructions;
  
  a certificate generation component configured to generate one or more certificates for token signing and encryption;
  
  a certificate publishing component configured to publish new certificates created by the certificate generation component to make the certificates available to other servers with which the system communicates;
  
  a certificate retrieval component configured to retrieve new certificates shared by the certificate publishing component;
  
  a certificate update component configured to add primary certificates retrieved from the certificate publishing component to a certificate store local to a server in the server farm;
  
  a certificate expiration component configured to remove expired certificates from the system and promotes secondary replacement certificates to primary certificates; and
  
  a certificate store configured to store certificates generated by the certificate generation component.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11 wherein the certificate generation component is further configured to create an initial set of certificates upon installation of the system and configuration of a server farm for automated certificate management.
  - 13. The system of claim 11 wherein the certificate generation component is further configured to create new certificates to replace old ones nearing expiration without intervention by an administrator.
  - 14. The system of claim 11 wherein the certificate publishing component is further configured to use a standard protocol to make new certificates available upon request to other servers.
  - 15. The system of claim 11 wherein the certificate publishing component is further configured to encrypt certificates using a key shared securely with servers in the server farm.
  - 16. The system of claim 11 wherein the certificate publishing component is further configured to publish both primary and secondary certificates to allow a transition period between original and replacement certificates as certificates approach expiration.
  - 17. The system of claim 11 wherein the certificate update component is further configured to retrieve secondary certificates and place the secondary certificates into a certificate store in a manner that accesses can be made to other servers using either the primary or secondary certificates during a transition period.

18. A computer-readable storage medium comprising instructions for controlling a computer system to periodically update certificates used for communication between servers, wherein the instructions, when executed, cause a processor to perform actions comprising:
- detecting pending expiration of a certificate for token signing or encryption;
  
  generating a new certificate to replace the expiring certificate;
  
  identifying the new certificate as a secondary certificate, such that servers retrieving the certificate will continue to use existing certificates as well as accepting requests that use the new certificate;
  
  publishing the new certificate at a location available to each server in a server farm; and
  
  upon detecting that a transition period has ended,promoting the new certificate from a secondary certificate to a primary certificate to complete replacement of the expiring certificate with the new certificate; and
  
  removing the expired certificate from a certificate store.
- View Dependent Claims (19, 20)
- - 19. The medium of claim 18 wherein detecting pending expiration comprises accessing a configurable transition period parameter and identifying one or more certificates for which an expiration time is within the transition period.
  - 20. The medium of claim 18 wherein detecting that the transition period has ended comprises detecting expiration of the expiring certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Brace, Colin H., Garg, Nakul, Sharif, Tariq

Granted Patent

US 9,197,630 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/158
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2107   File encryption

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2151   Time stamp

H04L 2463/061   applying further key deriva...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

AUTOMATED CERTIFICATE MANAGEMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED CERTIFICATE MANAGEMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links