Automatically generating a certificate operation request

US 8,898,457 B2
Filed: 02/26/2010
Issued: 11/25/2014
Est. Priority Date: 02/26/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing, by a processing device, a secure connection with a server device using an authentication protocol that uses symmetric-key cryptography;

generating, by a client agent executing by the processing device, a request to perform a certificate operation associated with a certificate; and

sending, by the client agent, the request over the secure connection to an identity management system executing by the server device, wherein the identity management system comprises a registration authority (RA), wherein the RA is a trusted manager of a certificate authority (CA) and uses the authentication of the secure connection between the server device and the client agent to send a proxy of the request to the CA without performing an additional authentication of the request, wherein the client agent is capable of generating and sending the certificate operation without user intervention at the processing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for automatically generating a certificate operation request is described.

27 Citations

View as Search Results

20 Claims

1. A method comprising:
- establishing, by a processing device, a secure connection with a server device using an authentication protocol that uses symmetric-key cryptography;
  
  generating, by a client agent executing by the processing device, a request to perform a certificate operation associated with a certificate; and
  
  sending, by the client agent, the request over the secure connection to an identity management system executing by the server device, wherein the identity management system comprises a registration authority (RA), wherein the RA is a trusted manager of a certificate authority (CA) and uses the authentication of the secure connection between the server device and the client agent to send a proxy of the request to the CA without performing an additional authentication of the request, wherein the client agent is capable of generating and sending the certificate operation without user intervention at the processing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the authentication protocol is the Kerberos authentication protocol.
  - 3. The method of claim 1, wherein the processing device is a service provider that provides a service to one or more clients over a network.
  - 4. The method of claim 1, wherein the certificate operation is at least one of requesting the certificate, renewing the certificate, checking a request status of the certificate, retrieving the certificate, putting the certificate on hold, removing the certificate from being on hold, or revoking the certificate.
  - 5. The method of claim 1, wherein the certificate operation is requesting the certificate, wherein the generating the request comprises generating a certificate signing request (CSR) by the client agent, wherein the CSR contains information identifying an owner of the certificate and a public key.
  - 6. The method of claim 5, wherein the generating the CSR comprises:
    - generating a message to include the information identifying the owner of the certificate and the public key; and
      
      digitally signing the message using a private key corresponding to the public key, wherein the digitally signed message is the CSR.
  - 7. The method of claim 6, wherein the generating the CSR comprises generating a key pair including the private key and the public key.
  - 8. The method of claim 1, wherein the generating the request comprises:
    - periodically determining if any certificate operation needs to be performed;
      
      generating the request when the certificate operation needs to be performed; and
      
      sending the request to the identity management system over the secure connection after generating the request.
  - 9. The method of claim 1, wherein the certificate operation is retrieving the certificate, wherein the request identifies the certificate to be retrieved, and wherein the method further comprises:
    - when the certificate operation is approved by the identity management system, receiving the certificate from the identity management system over the secure connection without user intervention at the processing device; and
      
      storing the certificate at a designated storage location.

10. A computing system, comprisinga processing device to execute a client agent, comprising:
- a Kerberos client to establish a secure connection with a server device using an authentication protocol that uses symmetric-key cryptography; and
  
  a certificate utility to generate a request to perform a certificate operation associated with a certificate and to send the request over the secure connection to an identity management system of the server device, wherein the client agent is capable of generating and sending the certificate operation without user intervention at the processing device, wherein the identity management system comprises a registration authority (RA), wherein the RA is a trusted manager of a certificate authority (CA) and uses the authentication of the secure connection between the server device and the client agent to send a proxy of the request to the CA without performing an additional authentication of the request.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computing system of claim 10, wherein the client agent comprises a systems security services daemon (SSSD) that includes the certificate utility.
  - 12. The computing system of claim 10, wherein the certificate utility comprises a certificate signing request (CSR) generator to generate a CSR for the certificate, wherein the CSR contains information identifying an owner of the certificate and a public key.
  - 13. The computing system of claim 10, wherein the Kerberos client interacts with a key distribution center (KDC) of the server device to establish the secure connection.
  - 14. The computing system of claim 10, wherein the certificate utility interacts with the registration authority (RA) of the server device over the secure connection to request the certificate operation, wherein the RA is to determine whether to approve the request from the client agent and to send the proxy of the request to CA to perform the certificate operation when approved.
  - 15. The computing system of claim 10, wherein the certificate utility comprises an XML-RPC client that is an event-based daemon, wherein the XML-RPC client periodically determines if any certificate operation needs to be performed, generates the request when the certificate operation needs to be performed, and sends the request to the identity management system over the secure connection.

16. A non-transitory computer-readable storage medium having instructions, which when executed, cause a processing device to perform operations comprising:
- establishing, by the processing device, a secure connection with a server device using an authentication protocol that uses symmetric-key cryptography;
  
  generating, by a client agent of the processing device, a request to perform a certificate operation associated with a certificate; and
  
  sending, by the client agent, the request over the secure connection to an identity management system of the server device, wherein the client agent is capable of generating and sending the certificate operation without user intervention at the processing device, wherein the identity management system comprises a registration authority (RA), wherein the RA is a trusted manager of a certificate authority (CA) and uses the authentication of the secure connection between the server device and the client agent to send a proxy of the request to the CA without performing an additional authentication of the request.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer-readable storage medium of claim 16, wherein the authentication protocol is the Kerberos authentication protocol.
  - 18. The non-transitory computer -readable storage medium of claim 16, wherein the certificate operation is at least one of requesting the certificate, renewing the certificate, checking a request status of the certificate, retrieving the certificate, putting the certificate on hold, removing the certificate from being on hold, or revoking the certificate.
  - 19. The non-transitory computer readable storage medium of claim 16, wherein the certificate operation is requesting the certificate, wherein generating the request comprises generating a certificate signing request (CSR) by the client agent, wherein the CSR contains information identifying an owner of the certificate and a public key.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein generating the CSR comprises:
    - generating a message to include the information identifying the owner of the certificate and the public key; and
      
      digitally signing the message using a private key corresponding to the public key, wherein the digitally signed message is the CSR.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fu, Christina, Wnuk, Andrew
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
MEJIA, FELICIANO S

Application Number

US12/714,227
Publication Number

US 20110213966A1
Time in Patent Office

1,733 Days
Field of Search

713150-158, 726 2- 10
US Class Current

713/156
CPC Class Codes

G06F 21/606   by securing the transmissio...

H04L 61/4505   using standardised director...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 9/006   involving public key infras...

H04L 9/321   involving a third party or ...

H04L 9/3268   using certificate validatio...

Automatically generating a certificate operation request

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

27 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatically generating a certificate operation request

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links