Systems and methods for computer digital certificate management and analysis

US 9,531,705 B1
Filed: 03/12/2014
Issued: 12/27/2016
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for testing security settings for a computing device comprising:

receiving at least one digital certificate from the computing device, the at least one digital certificate including a certificate chain that includes a first certificate preceding a second certificate, each certificate in the certificate chain having an expiration date;

identifying whether the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date;

determining that the at least one digital certificate is invalid when the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date;

determining whether the first certificate contains an Authority Information Access (AIA) entry with a URL that can be utilized to retrieve a third certificate;

when the first certificate contains such a URL;

using the URL in the first certificate'"'"'s AIA to retrieve the third certificate, andcomparing the third certificate to the second certificate; and

determining that the at least one digital certificate is invalid when the second certificate is not identical to the third certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described herein are methods and systems for updating digital certificates on a computer and testing to confirm that the update was performed correctly. The testing may involve confirming that a server'"'"'s common name (CN) and/or a server'"'"'s subject alternative name (SAN) matches the domain name server (DNS) name utilized to access the server, confirming that, for all the certificates sent in chain, each certificate'"'"'s expiration date is less than or equal to the expiration date of that certificate'"'"'s parent certificate, confirming that the certificates'"'"' authority key identifier (AKI), subject key identifier (SKI), and/or authority information access (AIA) are in compliance, and comparing available cipher suites to a list of pre-approved cipher suites.

16 Citations

View as Search Results

16 Claims

1. A computer-implemented method for testing security settings for a computing device comprising:
- receiving at least one digital certificate from the computing device, the at least one digital certificate including a certificate chain that includes a first certificate preceding a second certificate, each certificate in the certificate chain having an expiration date;
  
  identifying whether the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date;
  
  determining that the at least one digital certificate is invalid when the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date;
  
  determining whether the first certificate contains an Authority Information Access (AIA) entry with a URL that can be utilized to retrieve a third certificate;
  
  when the first certificate contains such a URL;
  
  using the URL in the first certificate'"'"'s AIA to retrieve the third certificate, andcomparing the third certificate to the second certificate; and
  
  determining that the at least one digital certificate is invalid when the second certificate is not identical to the third certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, further comprising:
    - determining whether the first certificate is directly certified by the second certificate; and
      
      determining that the at least one digital certificate is invalid when the first certificate is not directly certified by the second certificate.
  - 3. The computer-implemented method of claim 1, further comprising:
    - determining whether both of the following conditions are met;
      
      whether the first certificate contains an authority key identifier (AKI); and
      
      whether the second certificate contains a subject key identifier (SKI);
      
      determining that the at least one digital certificate is not invalid when at least one of the conditions is not met; and
      
      when both of the conditions are met;
      
      determining that the at least one digital certificate is invalid when the first certificate'"'"'s AKI does not equal the second certificate'"'"'s SKI.
  - 4. The computer-implemented method of claim 1, further comprising:
    - determining an “
      
      Issuer”
      
      entry for the first certificate;
      
      determining a “
      
      Subject”
      
      entry for the second certificate; and
      
      determining that the at least one digital certificate is invalid when the first certificate'"'"'s “
      
      Issuer”
      
      entry does not equal the second certificate'"'"'s “
      
      Subject”
      
      entry.
  - 5. The computer-implemented method of claim 1, the method further comprising:
    - retrieving a set of cipher suites for the computing device;
      
      retrieving a list of approved cipher suites; and
      
      determining whether a cipher suite in the computing device'"'"'s set of cipher suites matches a cipher suite in the list of approved cipher suites.
  - 6. The computer-implemented method of claim 1, the method further comprising:
    - retrieving a set of cipher suites for the computing device;
      
      retrieving a list of approved cipher suites; and
      
      determining whether each cipher suite in the computing device'"'"'s set of cipher suites matches a cipher suite in the list of approved cipher suites.
  - 7. The computer-implemented method of claim 1, the method further comprising:
    - determining the computing device is insecure when a setting on the computing device enables client-side renegotiation of secure communications.

8. A device comprising:
- a processor; and
  
  a memory coupled to the processor, the memory comprising instructions that, when executed by the processor, cause the processor to effectuate operations comprising;
  
  receiving, at a computing device with the processor, at least one digital certificate from the server, the at least one digital certificate including a certificate chain that includes a first certificate preceding a second certificate, each certificate in the certificate chain having an expiration date;
  
  identifying whether the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date;
  
  determining that the at least one digital certificate is invalid when the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date;
  
  determining that the at least one digital certificate is invalid when the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date;
  
  determining whether the first certificate contains an Authority Information Access (AIA) entry with a URL that can be utilized to retrieve a third certificate;
  
  when the first certificate contains such a URL;
  
  using the URL in the first certificate'"'"'s AIA to retrieve the third certificate, andcomparing the third certificate to the second certificate; and
  
  determining that the at least one digital certificate is invalid when the second certificate is not identical to the third certificate.
- View Dependent Claims (9, 10, 11, 14, 15, 16)
- - 9. The device of claim 8, the instructions further comprising:
    - determining an “
      
      Issuer”
      
      entry for the first certificate;
      
      determining a “
      
      Subject”
      
      entry for the second certificate; and
      
      determining that the at least one digital certificate is invalid when the first certificate'"'"'s “
      
      Issuer”
      
      entry does not equal the second certificate'"'"'s “
      
      Subject”
      
      entry.
  - 10. The device of claim 8, the instructions further comprising:
    - determining whether the first certificate is directly certified by the second certificate; and
      
      determining that the at least one digital certificate is invalid when the first certificate is not directly certified by the second certificate.
  - 11. The device of claim 8, the instructions further comprising:
    - determining whether both of the following conditions are met;
      
      whether the first certificate contains an authority key identifier (AKI); and
      
      whether the second certificate contains a subject key identifier (SKI);
      
      determining that the at least one digital certificate is not invalid when at least one of the conditions is not met; and
      
      when both of the conditions are met;
      
      determining that the at least one digital certificate is invalid when the first certificate'"'"'s AKI does not equal the second certificate'"'"'s SKI.
  - 14. The device of claim 8, the instructions further comprising:
    - determining an “
      
      Issuer”
      
      entry for the first certificate;
      
      determining a “
      
      Subject”
      
      entry for the second certificate; and
      
      determining that the at least one digital certificate is invalid when the first certificate'"'"'s “
      
      Issuer”
      
      entry does not equal the second certificate'"'"'s “
      
      Subject”
      
      entry.
  - 15. The device of claim 8, the instructions further comprising:
    - determining the computing device is insecure when a setting on the computing device enables client-side renegotiation of secure communications.
  - 16. The device of claim 8, the instructions further comprising:
    - retrieving a set of cipher suites for the computing device;
      
      retrieving a list of approved cipher suites; and
      
      determining whether a cipher suite in the computing device'"'"'s set of cipher suites matches a cipher suite in the list of approved cipher suites.

12. A computer-implemented method for testing security settings for a server comprising:
- receiving, at a computing device with a processor, at least one digital certificate from the server; and
  
  determining, via the computing device'"'"'s processor, whether the at least one digital certificate is valid, wherein the step of determining whether the at least one digital certificate is valid comprises;
  
  receive one or more domain name server (DNS) names utilized, by the computing device, to contact the server;
  
  identify one or more subject alternative names (SAN) in the at least one digital certificate;
  
  determining that the at least one digital certificate is invalid when at least one of the one or more DNS names does not have a corresponding entry in the one or more SAN entries; and
  
  determining that the at least one digital certificate is not invalid when each of the one or more DNS names does have a corresponding entry in the one or more SAN entries, wherein the at least one digital certificate comprises a certificate chain that includes a first certificate and a second certificate, each certificate in the certificate chain having an expiration date, wherein the first certificate precedes the second certificate in the certificate chain, and wherein the step of determining whether the at least one digital certificate is valid further comprises;
  
  identifying whether the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date; and
  
  determining that the at least one digital certificate is invalid when the first certificate'"'"'s expiration date is later than the second certificate'"'"'s expiration date;
  
  determining that the one or more subject alternative names (SAN) in the at least one digital certificate does not have the one or more DNS names;
  
  determining that the at least one digital certificate is invalid when there are two or more of the one or more DNS names used to access the server; and
  
  determining that the at least one digital certificate is not invalid when there is only one of the one or more DNS names and when a common name received from the server matches the one DNS name.
- View Dependent Claims (13)
- - 13. The computer-implemented method of claim 12, further comprising:
    - determining an “
      
      Issuer”
      
      entry for the first certificate;
      
      determining a “
      
      Subject”
      
      entry for the second certificate;
      
      determining that the at least one digital certificate is invalid when the first certificate'"'"'s “
      
      Issuer”
      
      entry does not equal the second certificate'"'"'s “
      
      Subject”
      
      entry;
      
      determining whether the first certificate is directly certified by the second certificate; and
      
      determining that the at least one digital certificate is invalid when the first certificate is not directly certified by the second certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
United Services Automobile Association
Original Assignee
United Services Automobile Association
Inventors
Mehner, Carl, Lawrence, Dale
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
Ho, Thomas

Application Number

US14/206,478
Time in Patent Office

1,021 Days
Field of Search

713/157
US Class Current

1/1
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 9/3263   involving certificates, e.g...

H04L 9/3265   using certificate chains, t...

H04L 9/3268   using certificate validatio...

Systems and methods for computer digital certificate management and analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for computer digital certificate management and analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links