Key rotation with external workflows
Abstract
A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.
Claims (22 in total; the independent claims follow)
1. A computer-implemented method for key management, comprising:
providing a set of workflow templates associated with a set of classes of keys to a client;
receiving a request from the client to generate a key based at least in part on a workflow template of the set of workflow templates;
after receiving the request from the client, generating an asymmetric keypair by a key management system, the generated keypair unavailable for use by the client until processed through a workflow;
associating the keypair with a class of keys of the set of classes by the key management system, the class of keys corresponding to a workflow template associated with a workflow management system for preparing the keypair to become active;
communicating, by the key management system, the generation of the keypair to the workflow management system configured to generate and process the workflow for the keypair based at least in part on the workflow template;
activating, by the key management system, the keypair for use after the workflow has completed, the activating comprising distributing the keypair to computing resources over an internal network and sending a notification to the client that the keypair is available for use without sending the keypair to the client;
generating a new keypair based at least in part on the class of keys associated with the keypair, the new keypair unavailable for use by the client until processed through a replacement workflow associated with the class of keys; and
deactivating the keypair based at least in part on activating the new keypair.
Dependent claims: 2, 3, 4, 5, 6.

7. A computer-implemented method for key management, comprising:
providing a set of workflow templates associated with a set of classes of secrets to a client;
receiving a request from the client to generate a secret based at least in part on a workflow template of the set of workflow templates;
after receiving the request from the client, generating the secret associated with a class of secrets of the set of classes of secrets by a key management system, the generated secret being inactive for use by at least the client;
sending, by the key management system, information about the secret to a workflow management system configured to process a workflow according to the workflow template based at least in part on the information;
activating, by the key management system, the secret for use after determining that the workflow is complete, the activating comprising distributing the secret to a computing resource over an internal network and notifying the client that the secret is available for use without sending the secret to the client;
generating a new secret based at least in part on the class of secrets associated with the secret, the new secret inactive for use by at least the client until processed through a replacement workflow associated with the class of secrets; and
deactivating the secret based at least in part on activating the new secret.
Dependent claims: 8, 9, 20, 21, 22.

10. A system comprising:
one or more computing resources comprising one or more processors and memory including executable instructions that, when executed by the one or more processors, cause the one or more processors to collectively implement at least:
a key manager configured to:
provide a set of workflow templates associated with a set of classes of secrets to a client;
receive a request from the client to generate at least one secret based at least in part on a workflow template of the set of workflow templates;
generate the at least one secret in response to the request from the client;
associate the at least one secret with at least one workflow based at least in part on the workflow template;
maintain the at least one secret as inactive until receipt of information that the at least one workflow is complete;
notify the client when the at least one secret becomes active without sending the at least one secret to the client; and
generate at least one new secret based at least in part on a class of secrets associated with the at least one secret, the at least one new secret inactive until processed through a replacement workflow associated with the class of secrets;
a workflow management system configured to:
receive information about the at least one secret; and
in response to receiving the information about the at least one secret, generate the at least one workflow, process the at least one workflow, and report completion of the at least one workflow to the key manager; and
a key distribution manager configured to:
distribute the at least one secret to at least one computing resource over an internal network to enable the at least one computing resource to perform cryptographic operations; and
deactivate the at least one secret based at least in part on activating the at least one new secret.
Dependent claims: 11, 12, 13, 14, 15.

16. One or more non-transitory computer-readable storage media having collectively stored thereon executable instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
provide a set of workflow templates associated with a set of classes of secrets to a client;
receive a request from the client to generate a key based at least in part on a workflow template of the set of workflow templates;
generate the key after receiving the request from the client, the key associated with a class of secrets of the set of classes and being inactive;
invoke a workflow according to the workflow template based at least in part on the class of secrets associated with the key;
activate the key for use after the workflow has been processed, the activating comprising distributing the key to a computing resource over an internal network and notifying the client that the key is active without transmitting the key to the client;
generate a new key based at least in part on the class of secrets associated with the key, the new key inactive until processed through a replacement workflow associated with the class of secrets; and
deactivate the key based at least in part on activating the new key.
Dependent claims: 17, 18, 19.
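The lifecycle the claims above describe, as an added Python model that is not the patent's or any product's code: each class of keys maps to a creation and a replacement workflow template (both template names and the "tls-lb" class are constructed here), a generated key stays inactive until the workflow manager reports its workflow complete, activation installs the key on internal resources and notifies the client with a handle only, and the active predecessor of the same class is retired only at that moment, so there is never a window with no usable key.

```python
import os
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    INACTIVE = "inactive"   # generated, but blocked until its workflow completes
    ACTIVE = "active"       # distributed to internal resources and usable
    RETIRED = "retired"     # deactivated once its replacement became active

@dataclass
class Key:
    key_id: str
    key_class: str
    material: bytes         # stays inside the key manager; never returned to the client
    workflow_id: str
    state: State = State.INACTIVE

class KeyManager:
    # Hypothetical model of the claimed lifecycle; not the patent's implementation.
    def __init__(self, templates):
        self.templates = templates  # class of keys -> (creation template, replacement template)
        self.keys, self.pending, self.installed, self.notices = {}, {}, {}, []

    def _generate(self, key_class, template):
        n = len(self.keys) + 1
        key = Key(f"key-{n}", key_class, os.urandom(32), f"wf-{n}")
        self.keys[key.key_id] = key
        self.pending[key.workflow_id] = (key.key_id, template)  # what the workflow manager receives
        return key.key_id  # the client only ever gets this handle

    def request_key(self, key_class):
        return self._generate(key_class, self.templates[key_class][0])

    def rotate(self, key_id):
        key_class = self.keys[key_id].key_class
        return self._generate(key_class, self.templates[key_class][1])

    def workflow_completed(self, workflow_id, resources):
        key_id, _ = self.pending.pop(workflow_id)  # KeyError if no such workflow was ever opened
        key = self.keys[key_id]
        key.state = State.ACTIVE
        for resource in resources:  # distribution over the internal network, modelled as a map
            self.installed[resource] = key_id
        self.notices.append({"key_id": key_id, "state": key.state.value})  # no material
        for other in self.keys.values():  # predecessor of the same class goes out of service now
            if other.key_class == key.key_class and other is not key and other.state is State.ACTIVE:
                other.state = State.RETIRED
        return key_id
```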