Renewal processing of digital certificates in an asynchronous messaging environment

US 8,856,514 B2
Filed: 03/12/2012
Issued: 10/07/2014
Est. Priority Date: 03/12/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

obtaining, within an asynchronous messaging environment from a certificate server of an issuer of an existing digital certificate, a renewed digital certificate to replace the existing digital certificate, where the renewed digital certificate comprises a new certificate serial number, an extended attribute that stores a serial number value of the existing digital certificate, and an issuer identifier that matches an issuer identifier of the existing digital certificate;

receiving a message with a symmetric key encrypted using the existing digital certificate and identified within the message via the serial number value of the existing digital certificate; and

processing the message using the renewed digital certificate, comprising;

determining whether the symmetric key encrypted using the existing digital certificate in a message payload matches the issuer identifier and the new certificate serial number of the renewed digital certificate;

determining, in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload does not match the issuer identifier and the new certificate serial number of the renewed digital certificate, whether the symmetric key encrypted using the existing digital certificate in the message payload matches the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate; and

in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload matches the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate;

validating the renewed digital certificate; and

in response to successful validation of the renewed digital certificate;

decrypting the symmetric key using a private key of the renewed digital certificate;

decrypting the received message payload using the decrypted symmetric key; and

processing the decrypted message payload.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A renewed digital certificate is obtained within an asynchronous messaging environment from a certificate server of an issuer of an existing digital certificate to replace the existing digital certificate. The renewed digital certificate includes an extended attribute that stores a serial number value of the existing digital certificate. A message is received with a symmetric key that is encrypted using the existing digital certificate. The symmetric key is identified within the message by the serial number value of the existing digital certificate. The message is processed using the renewed digital certificate.

22 Citations

View as Search Results

18 Claims

1. A method, comprising:
- obtaining, within an asynchronous messaging environment from a certificate server of an issuer of an existing digital certificate, a renewed digital certificate to replace the existing digital certificate, where the renewed digital certificate comprises a new certificate serial number, an extended attribute that stores a serial number value of the existing digital certificate, and an issuer identifier that matches an issuer identifier of the existing digital certificate;
  
  receiving a message with a symmetric key encrypted using the existing digital certificate and identified within the message via the serial number value of the existing digital certificate; and
  
  processing the message using the renewed digital certificate, comprising;
  
  determining whether the symmetric key encrypted using the existing digital certificate in a message payload matches the issuer identifier and the new certificate serial number of the renewed digital certificate;
  
  determining, in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload does not match the issuer identifier and the new certificate serial number of the renewed digital certificate, whether the symmetric key encrypted using the existing digital certificate in the message payload matches the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate; and
  
  in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload matches the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate;
  
  validating the renewed digital certificate; and
  
  in response to successful validation of the renewed digital certificate;
  
  decrypting the symmetric key using a private key of the renewed digital certificate;
  
  decrypting the received message payload using the decrypted symmetric key; and
  
  processing the decrypted message payload.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, where the existing digital certificate comprises one of an expired digital certificate and a certificate determined to expire within a configured time relative to an expiration date of the existing digital certificate.
  - 3. The method of claim 1, where obtaining, within the asynchronous messaging environment from the certificate server of the issuer of the existing digital certificate, the renewed digital certificate to replace the existing digital certificate comprises:
    - sending, in response to determining that the existing digital certificate is expired, the existing digital certificate to the certificate server of the issuer of the existing digital certificate;
      
      receiving the renewed digital certificate from the certificate server of the issuer of the existing digital certificate, where the renewed digital certificate comprises the new certificate serial number, a subject distinguished name (DN), a public key, and the issuer identifier of the issuer of the existing digital certificate, and the extended attribute storing the serial number value of the existing digital certificate; and
      
      designating the renewed digital certificate as valid for asynchronous message processing.
  - 4. The method of claim 1, where obtaining, within the asynchronous messaging environment from the certificate server of the issuer of the existing digital certificate, the renewed digital certificate to replace the existing digital certificate comprises:
    - extracting, in response to determining that the existing digital certificate is expired, the serial number value, a subject distinguished name (DN), and a public key from the existing digital certificate;
      
      sending the extracted serial number value, subject distinguished name (DN), and public key, and the extended attribute to the certificate server of the issuer of the existing digital certificate;
      
      receiving the renewed digital certificate from the certificate server of the issuer of the existing digital certificate, where the renewed digital certificate comprises the new certificate serial number, the subject distinguished name (DN), the public key, and the issuer identifier of the issuer of the existing digital certificate, and the extended attribute storing the serial number value of the existing digital certificate; and
      
      designating the renewed digital certificate as valid for asynchronous message processing.
  - 5. The method of claim 1, where processing the message using the renewed digital certificate comprises:
    - identifying the symmetric key encrypted using the existing digital certificate within the message payload of the received message using the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate.
  - 6. The method of claim 1, further comprising:
    - in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload does not match the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate;
      
      generating an error indicating that the symmetric key encrypted using the existing digital certificate was not found in the message payload.

7. A system, comprising:
- a memory that stores an existing digital certificate; and
  
  a processor programmed to;
  
  obtain, within an asynchronous messaging environment from a certificate server of an issuer of the existing digital certificate, a renewed digital certificate to replace the existing digital certificate, where the renewed digital certificate comprises a new certificate serial number, an extended attribute that stores a serial number value of the existing digital certificate, and an issuer identifier that matches an issuer identifier of the existing digital certificate;
  
  store the renewed digital certificate to the memory;
  
  receive a message with a symmetric key encrypted using the existing digital certificate and identified within the message via the serial number value of the existing digital certificate; and
  
  process the message using the renewed digital certificate, the processor being programmed to;
  
  determine whether the symmetric key encrypted using the existing digital certificate in a message payload matches the issuer identifier and the new certificate serial number of the renewed digital certificate;
  
  determine, in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload does not match the issuer identifier and the new certificate serial number of the renewed digital certificate, whether the symmetric key encrypted using the existing digital certificate in the message payload matches the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate; and
  
  in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload matches the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate;
  
  validate the renewed digital certificate; and
  
  in response to successful validation of the renewed digital certificate;
  
  decrypt the symmetric key using a private key of the renewed digital certificate;
  
  decrypt the received message payload using the decrypted symmetric key; and
  
  process the decrypted message payload.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, where the existing digital certificate comprises one of an expired digital certificate and a certificate determined to expire within a configured time relative to an expiration date of the existing digital certificate.
  - 9. The system of claim 7, where in being programmed to obtain, within the asynchronous messaging environment from the certificate server of the issuer of the existing digital certificate, the renewed digital certificate to replace the existing digital certificate, the processor is programmed to:
    - send, in response to determining that the existing digital certificate is expired, the existing digital certificate to the certificate server of the issuer of the existing digital certificate;
      
      receive the renewed digital certificate from the certificate server of the issuer of the existing digital certificate, where the renewed digital certificate comprises the new certificate serial number, a subject distinguished name (DN), a public key, and the issuer identifier of the issuer of the existing digital certificate, and the extended attribute storing the serial number value of the existing digital certificate; and
      
      designate the renewed digital certificate as valid for asynchronous message processing.
  - 10. The system of claim 7, where in being programmed to obtain, within the asynchronous messaging environment from the certificate server of the issuer of the existing digital certificate, the renewed digital certificate to replace the existing digital certificate, the processor is programmed to:
    - extract, in response to determining that the existing digital certificate is expired, the serial number value, a subject distinguished name (DN), and a public key from the existing digital certificate;
      
      send the extracted serial number value, subject distinguished name (DN), and public key, and the extended attribute to the certificate server of the issuer of the existing digital certificate;
      
      receive the renewed digital certificate from the certificate server of the issuer of the existing digital certificate, where the renewed digital certificate comprises the new certificate serial number, the subject distinguished name (DN), the public key, and the issuer identifier of the issuer of the existing digital certificate, and the extended attribute storing the serial number value of the existing digital certificate; and
      
      designate the renewed digital certificate as valid for asynchronous message processing.
  - 11. The system of claim 7, where, in being programmed to process the message using the renewed digital certificate, the processor is programmed to:
    - identify the symmetric key encrypted using the existing digital certificate within the message payload of the received message using the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate.
  - 12. The system of claim 7, where the processor is further programmed to:
    - in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload does not match the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate;
      
      generate an error indicating that the symmetric key encrypted using the existing digital certificate was not found in the message payload.

13. A computer program product comprising a computer readable storage medium including computer readable program code, where the computer readable program code when executed on a computer causes the computer to:
- obtain, within an asynchronous messaging environment from a certificate server of an issuer of an existing digital certificate, a renewed digital certificate to replace the existing digital certificate, where the renewed digital certificate comprises a new certificate serial number, an extended attribute that stores a serial number value of the existing digital certificate, and an issuer identifier that matches an issuer identifier of the existing digital certificate;
  
  receive a message with a symmetric key encrypted using the existing digital certificate and identified within the message via the serial number value of the existing digital certificate; and
  
  process the message using the renewed digital certificate, the computer readable program code when executed on the computer causing the computer to;
  
  determine whether the symmetric key encrypted using the existing digital certificate in a message payload matches the issuer identifier and the new certificate serial number of the renewed digital certificate;
  
  determine, in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload does not match the issuer identifier and the new certificate serial number of the renewed digital certificate, whether the symmetric key encrypted using the existing digital certificate in the message payload matches the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate; and
  
  in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload matches the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate;
  
  validate the renewed digital certificate; and
  
  in response to successful validation of the renewed digital certificate;
  
  decrypt the symmetric key using a private key of the renewed digital certificate;
  
  decrypt the received message payload using the decrypted symmetric key; and
  
  process the decrypted message payload.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 13, where the existing digital certificate comprises one of an expired digital certificate and a certificate determined to expire within a configured time relative to an expiration date of the existing digital certificate.
  - 15. The computer program product of claim 13, where in causing the computer to obtain, within the asynchronous messaging environment from the certificate server of the issuer of the existing digital certificate, the renewed digital certificate to replace the existing digital certificate, the computer readable program code when executed on the computer causes the computer to:
    - send, in response to determining that the existing digital certificate is expired, the existing digital certificate to the certificate server of the issuer of the existing digital certificate;
      
      receive the renewed digital certificate from the certificate server of the issuer of the existing digital certificate, where the renewed digital certificate comprises the new certificate serial number, a subject distinguished name (DN), a public key, and the issuer identifier of the issuer of the existing digital certificate, and the extended attribute storing the serial number value of the existing digital certificate; and
      
      designate the renewed digital certificate as valid for asynchronous message processing.
  - 16. The computer program product of claim 13, where in causing the computer to obtain, within the asynchronous messaging environment from the certificate server of the issuer of the existing digital certificate, the renewed digital certificate to replace the existing digital certificate, the computer readable program code when executed on the computer causes the computer to:
    - extract, in response to determining that the existing digital certificate is expired, the serial number value, a subject distinguished name (DN), and a public key from the existing digital certificate;
      
      send the extracted serial number value, subject distinguished name (DN), and public key, and the extended attribute to the certificate server of the issuer of the existing digital certificate;
      
      receive the renewed digital certificate from the certificate server of the issuer of the existing digital certificate, where the renewed digital certificate comprises the new certificate serial number, the subject distinguished name (DN), the public key, and the issuer identifier of the issuer of the existing digital certificate, and the extended attribute storing the serial number value of the existing digital certificate; and
      
      designate the renewed digital certificate as valid for asynchronous message processing.
  - 17. The computer program product of claim 13, where, in causing the computer to process the message using the renewed digital certificate, the computer readable program code when executed on the computer causes the computer to:
    - identify the symmetric key encrypted using the existing digital certificate within the message payload of the received message using the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate.
  - 18. The computer program product of claim 13, where the computer readable program code when executed on the computer further causes the computer to:
    - in response to determining that the symmetric key encrypted using the existing digital certificate in the message payload does not match the issuer identifier of the renewed digital certificate and the serial number value of the existing digital certificate stored within the extended attribute of the renewed digital certificate;
      
      generate an error indicating that the symmetric key encrypted using the existing digital certificate was not found in the message payload.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dixon, Bret W., Dixon, Scot W.
Primary Examiner(s)
Eskandarnia, Arvin

Application Number

US13/417,888
Publication Number

US 20130238895A1
Time in Patent Office

939 Days
Field of Search

713/156
US Class Current

713/156
CPC Class Codes

G06F 21/33   using certificates

H04L 63/045   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3265   using certificate chains, t...

H04L 9/3268   using certificate validatio...

H04N 21/835   Generation of protective da...

Renewal processing of digital certificates in an asynchronous messaging environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Renewal processing of digital certificates in an asynchronous messaging environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links