SERVER-SIDE KEY GENERATION FOR NON-TOKEN CLIENTS

US 20110296172A1
Filed: 05/28/2010
Published: 12/01/2011
Est. Priority Date: 05/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method, implemented by a computing system of a certificate system programmed to perform the following, comprising:

receiving, at a certificate manager of the computing system from a requester, a certificate enrollment request for a digital certificate for a non-token client;

determining that certificate enrollment request includes a server-side key indicator to generate a key pair, including a public key and a private key, for the digital certificate;

generating the key pair for the digital certificate by a server-side key generation engine of the computing system when the certificate enrollment request includes the server-side key indicator;

encrypting the private key by the server-side key generation engine; and

delivering the encrypted private key to the requester.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for server-side key generation for non-token clients is described.

Citations

23 Claims

1. A method, implemented by a computing system of a certificate system programmed to perform the following, comprising:
- receiving, at a certificate manager of the computing system from a requester, a certificate enrollment request for a digital certificate for a non-token client;
  
  determining that certificate enrollment request includes a server-side key indicator to generate a key pair, including a public key and a private key, for the digital certificate;
  
  generating the key pair for the digital certificate by a server-side key generation engine of the computing system when the certificate enrollment request includes the server-side key indicator;
  
  encrypting the private key by the server-side key generation engine; and
  
  delivering the encrypted private key to the requester.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - receiving a password from the requester; and
      
      encrypting the private key in an encrypted file using the password by the server-side key generation engine, wherein said delivering comprises delivering the encrypted file to the requester.
  - 3. The method of claim 2, wherein said receiving the password from the requester comprises receiving an encrypted password that has been encrypted using a public key of a transport key pair, and wherein the method further comprises decrypting the encrypted password by the server-side key generation engine using a private key of the transport key pair.
  - 4. The method of claim 2, wherein said receiving the password comprises receiving the password as part of the certificate enrollment request, and wherein at least the password of the certificate enrollment request is encrypted using a public key of a transport key pair of the certificate system.
  - 5. The method of claim 2, wherein the encrypted file is a Public Key Cryptography Standard (PKCS) #12 file.
  - 6. The method of claim 2, wherein said encrypting the private key in the encrypted file further comprises encrypting the digital certificate with the private key in the encrypted file.
  - 7. The method of claim 2, further comprising sending a message to the requester with a link to a location of the encrypted file to allow the requester to retrieve the encrypted file.
  - 8. The method of claim 2, further comprising sending an email message to the requester with the encrypted file as an attachment to the email message.
  - 9. The method of claim 1, further comprising:
    - identifying a server-side key generation certificate profile of the computing system when the certificate enrollment request includes the server-side key indicator; and
      
      processing the certificate enrollment request according to the server-side key generation certificate profile when the certificate enrollment request includes the server-side key indicator.
  - 10. The method of claim 1, further comprising:
    - presenting to the requester a user interface for the certificate enrollment request on a web page, wherein the user interface comprises an input field to receive a password from the requester;
      
      receiving the certificate enrollment request and the password from the requester, wherein at least the password of the certificate enrollment request is encrypted using a public key of a transport key pair;
      
      decrypting the password by the server-side key generation engine using a private key of the transport key pair;
      
      approving, by the certificate manager, the certificate enrollment request to issue the digital certificate; and
      
      encrypting at least the private key of the digital certificate in an encrypted file using the decrypted password, wherein said delivering comprises delivering the encrypted file to the requester.
  - 11. The method of claim 10, further comprising presenting a second user interface comprising a link to a location of the encrypted file to allow the requester to retrieve the encrypted file when the certificate enrollment request is approved.
  - 12. The method of claim 10, further comprising sending an email message to the requester with the encrypted file as an attachment when the certificate enrollment request is approved.
  - 13. The method of claim 10, further comprising:
    - encrypting the private key using a private storage key by the server-side key generation engine; and
      
      archiving the private key in a key repository.
  - 14. The method of claim 1, further comprising:
    - receiving a password from an administrator of the computing system;
      
      encrypting the private key in an encrypted file using the password by the server-side key generation engine, wherein said delivering comprises delivering the encrypted file to the requester; and
      
      providing the password generated by the computing system.
  - 15. The method of claim 14, wherein said providing the password comprises:
    - creating a service task to manually notify the requester of the password; and
      
      notifying an agent of the certificate system of the service task to manually notify the requester of the password.

16. A certificate system, comprising:
- a data storage device to store data concerning key pairs of digital certificates issued by a certificate authority (CA);
  
  a certificate manager, coupled to the data storage device, to receive from a requester a certificate enrollment request for a digital certificate for a non-token client and to determine that the certificate enrollment request includes a server-side key indicator to generate a key pair, including a public key and a private key, for the digital certificate; and
  
  a server-side key generation engine, coupled to the certificate manager, to generate the key pair for the digital certificate when the certificate enrollment request includes the server-side key indicator, and to deliver the digital certificate and key pair to the requester.
- View Dependent Claims (17, 18, 19)
- - 17. The certificate system of claim 16, wherein the server-side key generation engine comprises:
    - a key generator to generate the key pair;
      
      a key encryption module, coupled to the key generator, to encrypt the private key; and
      
      a key delivery module, coupled to the key encryption module, to deliver the encrypted private key to the requester.
  - 18. The certificate system of claim 17, wherein the server-side key generation engine further comprises a key archival module, coupled to the key encryption module, to archive the private key in the data storage device, and wherein the key encryption module is configured to encrypt the private key using a private storage key and archive the encrypted private key in a key repository.
  - 19. The certificate system of claim 17, wherein the key encryption module is configured to receive a password from the requester, decrypt the password if encrypted, and encrypt the private key in an encrypted file using the password, and wherein the key delivery module is configured to deliver the encrypted file to the requester.

20. A machine-readable storage medium having instructions, which when executed, cause a computing system to perform a method, the method comprising:
- receiving, at a certificate manager of the computing system from a requester, a certificate enrollment request for a digital certificate for a non-token client;
  
  determining that certificate enrollment request includes a server-side key indicator to generate a key pair, including a public key and a private key, for the digital certificate;
  
  generating the key pair for the digital certificate by a server-side key generation engine of the computing system when the certificate enrollment request includes the server-side key indicator;
  
  encrypting the private key by the server-side key generation engine; and
  
  delivering the encrypted private key to the requester.
- View Dependent Claims (21, 22, 23)
- - 21. The machine-readable storage medium of claim 20, further comprising:
    - receiving a password from the requester; and
      
      encrypting the private key in an encrypted file using the password by the server-side key generation engine, wherein said delivering comprises delivering the encrypted file to the requester.
  - 22. The machine-readable storage medium of claim 21, wherein said receiving the password from the requester comprises receiving an encrypted password that has been encrypted using a transport key, and wherein the method further comprises decrypting the encrypted password by the server-side key generation engine using the transport key.
  - 23. The machine-readable storage medium of claim 20, further comprising:
    - presenting to the requester a user interface for the certificate enrollment request on a web page, wherein the user interface comprises an input field to receive a password from the requester;
      
      receiving the certificate enrollment request and the password from the requester, wherein at least the password of the certificate enrollment request is encrypted using a transport key;
      
      decrypting the password by the server-side key generation engine;
      
      approving, by the certificate manager, the certificate enrollment request to issue the digital certificate; and
      
      encrypting at least the private key of the digital certificate in an encrypted file using the decrypted password, wherein said delivering comprises delivering the encrypted file to the requester.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fu, Christina, Wnuk, Andrew

Granted Patent

US 8,788,811 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 67/00   Network arrangements or pro...

H04L 67/01   Protocols

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3226   using a predetermined code,...

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

SERVER-SIDE KEY GENERATION FOR NON-TOKEN CLIENTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SERVER-SIDE KEY GENERATION FOR NON-TOKEN CLIENTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links