Centralized certificate management system for two-way interactive communication devices in data networks
First Claim
1. A method for managing centralized certificates in a proxy server device for a plurality of thin client devices coupled to said proxy server through a data network, the method comprising:
- maintaining a free certificate database accessible by said proxy server, the free certificate database comprising a plurality of free certificates issued by a Certificate Authority (CA) wherein each of the free certificates has a corresponding public key and a corresponding private key;
maintaining a user account database wherein said user account database is not a thin client device, said user account database accessible by said proxy server that performs communication on behalf of said thin client devices, said user account database comprising a plurality of user accounts, each of the thin client devices associated with one of said user accounts wherein each of the user accounts comprises a device ID, a list of public and private keys assigned to the user account, and a list of certificates assigned to the user account; and
adding a certificate taken out from the free certificate database to each of said plurality of user accounts in said user account database.
7 Assignments
0 Petitions
Accused Products
Abstract
The present invention discloses a central certificate management system for thin client devices in data networks and has particular applications to systems having a large number of the thin clients serviced by a proxy server through which the thin clients communicate with a plurality of secure server computers over a data network. According to one aspect, the present invention provides a certificate management module that causes the server device to manage digital certificates for each of the thin client devices. To minimize the latency of obtaining certificates for each of the thin client devices, the certificate management module reserves a fixed number of free certificates signed by a certificate authority and their respective private keys in a certificate database and frequently updates the free certificate according to a certificate updating message. Whenever a user account is created for a thin client device, the certificate management module fetches one or more free certificates from the certificate database and associate the fetched certificates to the created account and meanwhile the certificate management module creates new free certificates with the certificate authority to fill in the certificate database. Apart from the tradition of obtaining certificates locally in client devices that normally have sufficient computing power, the present invention uses the computing resources in a server device to carry out the task of obtaining and maintaining certificates asynchronously in the proxy server and further. These and other features in the present invention dramatically minimize the demands for computing power and memory in thin client devices like mobile devices, cellular phones, landline telephones or Internet appliance controllers.
529 Citations
16 Claims
-
1. A method for managing centralized certificates in a proxy server device for a plurality of thin client devices coupled to said proxy server through a data network, the method comprising:
-
maintaining a free certificate database accessible by said proxy server, the free certificate database comprising a plurality of free certificates issued by a Certificate Authority (CA) wherein each of the free certificates has a corresponding public key and a corresponding private key;
maintaining a user account database wherein said user account database is not a thin client device, said user account database accessible by said proxy server that performs communication on behalf of said thin client devices, said user account database comprising a plurality of user accounts, each of the thin client devices associated with one of said user accounts wherein each of the user accounts comprises a device ID, a list of public and private keys assigned to the user account, and a list of certificates assigned to the user account; and
adding a certificate taken out from the free certificate database to each of said plurality of user accounts in said user account database. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
receiving a certificate request when the number of free certificates in the certificate database is lower than a low threshold number; - and
generating a new certificate wherein generating the new certificate comprises, generating a distinguished name for the new certificate;
generating a new private key and a new public key for the new certificate;
sending a certificate request to the CA wherein the certificate request comprises the generated new public key;
receiving the new certificate signed by the CA; and
depositing the new certificate in the free certificate database.
-
-
3. The method as recited in claim 1, wherein maintaining the user account database comprises:
-
retrieving one of the free certificates from said free certificate database when a new thin client device is activated;
establishing a new user account comprising a new device ID and a new subscriber ID; and
associating the retrieved free certificate and the corresponding private key and public key with the new user account having the new device ID.
-
-
4. The method as recited in claim 1 further comprising:
updating the free certificates in the free certificate database upon receiving a certificate updating request.
-
5. The method as recited in claim 4 wherein updating the free certificates in the free certificate database upon receiving the certificate updating request comprises removing an invalid certificate from the free certificate database when the certificate updating request is a certificate revocation list.
-
6. The method as recited in claim 1 further comprising:
updating a user account in the user account database associated with a valid device ID upon receiving a newly provisioned username and password from a thin client device having said valid device ID.
-
7. The method as recited in claim 3 wherein the updating the free certificates in the certificate database upon receiving the certificate updating request comprises deleting a certificate from the certificate database according to an insert/delete query in the certificate updating request.
-
8. The method as recited in claim 1 wherein a user account in the user account database may be accessed from a computer coupled to said proxy server through the global internet.
-
9. The method as recited in claim 8 wherein a valid username and password must be supplied to access said user account.
-
10. An apparatus for managing centralized certificates in a proxy server device for a plurality of thin client devices over a data network, the apparatus comprising:
-
a certificate manager module for generating free certificates;
a free certificate database coupled to the certificate manager module for storing the free certificates from the certificate manager module until reaching an upper threshold;
a user account database, said user account database not stored in a thin client device, said user account database accessible by said proxy server device that performs communication on behalf of said thin client devices, said user account database comprising a plurality of user accounts, each of the thin client devices associated with one of said user accounts wherein each of the user accounts comprises a device ID and a list of certificates assigned to the user account; and
a certificate assigning module for associating one of said free certificates in the free certificate database to one of said plurality of user accounts in said user account database associated with a thin client device. - View Dependent Claims (11, 12, 13, 14, 15, 16)
a certificate engine communicating with the certificate assigning module;
a name generator generating a unique name for a new certificate;
a key pair generator generating a private key and a public key for the new certificate; and
a certificate request module for contacting a certificate authority for the new certificate, wherein a certificate request from said certificate request module comprises the public key and the unique name.
-
-
12. The apparatus as recited in claim 11, wherein said name generator comprises a distinguished name generator that combines a timestamp along with a subscriber ID.
-
13. The apparatus as recited in claim 10 wherein the certificate manager module updates said free certificate database upon receiving certificate update request.
-
14. The apparatus as recited in claim 13, wherein said certificate update request comprises a certificate revocation list.
-
15. The apparatus as recited in claim 14, wherein said certificate update request further comprises an insert/delete query.
-
16. The apparatus as recited in claim 10 further comprising:
-
a computer network coupled to said proxy server device; and
a client computer coupled to said computer network, said client computer able to access a user account in said user account database.
-
Specification