Handling of digital certificates

US 9,960,923 B2
Filed: 03/03/2013
Issued: 05/01/2018
Est. Priority Date: 03/05/2013
Status: Active Grant

First Claim

Patent Images

1. A method for handling digital certificates in a communication network, the communication network comprising a first certificate authority having issued at least one digital certificate, the method comprising:

determining whether a revocation condition for revoking the at least one digital certificate is fulfilled, wherein;

the at least one digital certificate was issued by the first certificate authority;

the at least one digital certificate is valid and not presently revoked; and

any given digital certificate that is not revoked is uniquely identified by a unique identifier;

based on a result of the determining;

revoking, by the first certificate authority, the at least one digital certificate; and

issuing, by a second certificate authority, at least one further digital certificate to have a same unique identifier as one of the at least one digital certificate that is revoked.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for handling digital certificates in a communication network is described. The communication network comprises a first certificate authority (110-116) having issued at least one digital certificate. The method comprises determining (216) whether a revocation condition for revoking the at least one digital certificate is fulfilled. The at least one digital certificate has been issued by the first certificate authority, wherein the at least one digital certificate is valid and is not revoked. The method further comprises, based on a result of the step of determining (216), revoking (404), by the first certificate authority (110-116), the at least one digital certificate, and based on the result of the step of determining (216), issuing, by a second certificate authority (110-116), at least one further digital certificate for the revoked at least one digital certificate. An associated system, methods in involved network entities, the involved network entities, and computer programs are also described. Therefore security handling in the communication network which may be fluctuating with respect to its number of network nodes and/or which may comprise numerous network nodes may be performed in an easy and efficient way.

Citations

29 Claims

1. A method for handling digital certificates in a communication network, the communication network comprising a first certificate authority having issued at least one digital certificate, the method comprising:
- determining whether a revocation condition for revoking the at least one digital certificate is fulfilled, wherein;
  
  the at least one digital certificate was issued by the first certificate authority;
  
  the at least one digital certificate is valid and not presently revoked; and
  
  any given digital certificate that is not revoked is uniquely identified by a unique identifier;
  
  based on a result of the determining;
  
  revoking, by the first certificate authority, the at least one digital certificate; and
  
  issuing, by a second certificate authority, at least one further digital certificate to have a same unique identifier as one of the at least one digital certificate that is revoked.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, further comprising:
    - prior to the determining, determining whether a trust relation addition condition for adding a trust relation in at least one network node of the communication network to the second certificate authority is fulfilled; and
      
      based on a result of determining whether the trust relation addition condition is fulfilled, establishing a trust relation in the at least one network node of the communication network to the second certificate authority.
  - 3. The method of claim 2, wherein the establishing comprises sending, to a network managing node, information for the network managing node to send information to the at least one network node to add a trust relation in the at least one network node to the second certificate authority.
  - 4. The method of claim 2, further comprising stopping, based on the result of the determining whether the trust relation addition condition is fulfilled, by the first certificate authority, to issue a further digital certificate and enabling the second certificate authority to issue the at least one further digital certificate.
  - 5. The method of claim 2, further comprising, based on the result of the step of determining whether the trust relation addition condition is fulfilled, creating the second certificate authority.
  - 6. The method of claim 4, wherein the following are performed in parallel:
    - the stopping, by the first certificate authority, to issue a further digital certificate; and
      
      the enabling the second certificate authority, to issue the at least one further digital certificate.
  - 7. The method of claim 2, further comprising:
    - stopping, based on the result of the determining whether the trust relation addition condition is fulfilled, by the first certificate authority, to issue a further digital certificate and enabling the second certificate authority to issue the at least one further digital certificate; and
      
      subsequent to determining whether the trust relation addition condition is fulfilled, determining whether the first certificate authority is enabled to issue a further digital certificate; and
      
      wherein, if the first certificate authority is enabled to issue a further digital certificate, the stopping, by the first certificate authority, to issue a further digital certificate and the enabling the second certificate authority to issue the at least one further digital certificate are performed; and
      
      wherein, if the first certificate authority is not enabled to issue a further digital certificate;
      
      the determining whether the revoking condition is fulfilled is performed.
  - 8. The method of claim 2:
    - wherein the at least one network node comprises a trust relation to the first certificate authority;
      
      further comprising, subsequent to the revoking, by the first certificate authority, the at least one digital certificate, removing the trust relation to the first certificate authority in the at least one network node.
  - 9. The method of claim 3, wherein the establishing and/or the removing is performed by operation and maintenance means.
  - 10. The method of claim 1, further comprising revoking the first certificate authority subsequent to the removing the trust relation in the at least one network node to the first certificate authority.
  - 11. The method of claim 1, further comprising receiving, by the first certificate authority, a request for revoking the at least one digital certificate.
  - 12. The method of claim 1:
    - wherein at least one condition of the revocation condition is associated with at least one threshold; and
      
      wherein the determining whether the at least one revocation condition is fulfilled comprises;
      
      comparing a corresponding characteristic with the at least one threshold; and
      
      determining that the at least one revocation condition is fulfilled if the corresponding characteristic is equal to or above the at least one threshold.
  - 13. The method of claim 1, wherein at least one condition of the revocation condition is related to at least one of:
    - a length of a certificate revocation record in the first certificate authority for digital certificates having been revoked by the first certificate authority;
      
      a number of entries in the certificate revocation record in the first certificate authority;
      
      an elapsed life time of the first certificate authority since a creation of the first certificate authority;
      
      a remaining life time of the first certificate authority;
      
      a number of digital certificates in the first certificate authority, the digital certificates being valid and being not revoked;
      
      a ratio between digital certificates revoked by the first certificate authority and digital certificates issued by the first certificate authority;
      
      the first certificate authority being compromised; and
      
      an administrative reason affecting the first certificate authority selected from the group consisting of;
      
      a change of a name of the first certificate authority, a shutdown of the first certificate authority, a change of a platform of the first certificate authority, and maintenance work for the first certificate authority.
  - 14. The method of claim 2:
    - wherein at least one condition of the trust relation addition condition;
      
      wherein the determining whether the at least one trust relation addition condition is fulfilled comprises;
      
      comparing a corresponding characteristic with the at least one threshold; and
      
      determining that the at least one trust relation addition condition is fulfilled if the corresponding characteristic is equal to or above the at least one threshold.
  - 15. The method of claim 2, wherein at least one condition of the trust relation addition condition is related to at least one of:
    - a length of a certificate revocation record in the first certificate authority for digital certificates having been revoked by the first certificate authority;
      
      a number of entries in the certificate revocation record in the first certificate authority;
      
      an elapsed life time of the first certificate authority since a creation of the first certificate authority;
      
      a remaining life time of the first certificate authority;
      
      a number of digital certificates in the first certificate authority, the digital certificates being valid and being not revoked;
      
      a ratio between digital certificates revoked by the first certificate authority and digital certificates issued by the first certificate authority;
      
      the first certificate authority being compromised; and
      
      an administrative reason affecting the first certificate authority selected from the group consisting of;
      
      a change of a name of the first certificate authority, a shutdown of the first certificate authority, a change of a platform of the first certificate authority, and maintenance work for the first certificate authority.
  - 16. The method of claim 1, the method further comprises determining whether a trust relation addition condition for adding a trust relation in at least one network node of the communication network to a second certificate authority is fulfilled, and if so:
    - stopping by the first certificate authority to issue further digital certificates;
      
      creating the second certificate authority; and
      
      enabling the second certificate authority to issue digital certificates; and
      
      wherein the further digital certificate replaces a digital certificate revoked by the first digital certificate authority.
  - 17. The method of claim 1,wherein any given digital certificate binds a key to an identity of a network node;
    - andwherein the issuing comprises issuing one of the at least one further digital certificates to bind the same key to the same network node as one of the at least one digital certificate that is revoked.
  - 18. The method of claim 1, wherein the unique identifier is a serial number of a digital certificate.

19. A method, in a controlling certificate authority, for handling digital certificates in a communication network, the controlling certificate authority comprising first and second certificate authorities, wherein the first certificate authority has issued at least one digital certificate, the method comprising:
- determining whether a revocation condition for revoking the at least one certificate is fulfilled, the at least one digital certificate having been issued by the first certificate authority, the at least one digital certificate being valid and not presently revoked, and any given digital certificate that is not revoked is uniquely identified by a unique identifier;
  
  based on a result of the determining;
  
  trigger the first certificate authority to revoke the at least one digital certificate; and
  
  trigger the second certificate authority to issue at least one further digital certificate to have a same unique identifier as one of the at least one digital certificate that is revoked.
- View Dependent Claims (20)
- - 20. The method of claim 19, further comprising:
    - receiving, from a network node of the communication network, a request for issuing the at least one further digital certificate, wherein the initiating the second certificate authority to issue the at least one further digital certificate is performed in response to the received request; and
      
      sending the issued at least one further digital certificate to the at least one network node.

21. A method, in a network node, for handling digital certificates in a communication network, the network node maintaining a digital certificate issued by a first certificate authority of the communication network, the method comprising:
- sending a request for issuing, by a second certificate authority of the communication network, a further digital certificate, wherein the request for issuing a further digital certificate comprises an identifier uniquely identifying the digital certificate issued by the first certificate authority, and the further digital certificate is identified by the same identifier in the request; and
  
  receiving the further digital certificate, the further digital certificate having been issued by the second certificate authority, wherein the further digital certificate replaces the digital certificate issued and revoked by the first certificate authority.
- View Dependent Claims (22)
- - 22. The method of claim 21, wherein the same identifier is a serial number of the digital certificate issued by the first certificate authority.

23. A method, in a network managing node, for handling digital certificates in a communication network, the communication network comprising a first certificate authority having issued at least one digital certificate, the method comprising:
- sending information, to a network node of the communication network for the network node, requesting a further digital certificate to be issued by a second certificate authority for a digital certificate;
  
  wherein the information requesting a further digital certificate comprises an identifier uniquely identifying a digital certificate issued by the first digital certificate authority, and the further digital certificate comprises the same identifier in the request; and
  
  wherein the further digital certificate replaces the digital certificate, which is issued and revoked by the first certificate authority.
- View Dependent Claims (24)
- - 24. The method of claim 23, the same identifier is a serial number of the digital certificate issued by the first certificate authority.

25. A controlling certificate authority for handling digital certificates in a communication network, the controlling certificate authority comprising:
- one or more processing circuits configured to function as first and second certificate authorities, wherein the first certificate authority has issued at least one digital certificate;
  
  wherein the controlling certificate authority is configured to;
  
  determine whether a revocation condition for revoking the at least one first digital certificate is fulfilled, the at least one digital certificate having been issued by the first certificate authority, the at least one digital certificate being valid and not presently revoked, and any given digital certificate that is not revoked is uniquely identified by a unique identifier;
  
  based on a result of the determining, trigger the first certificate authority to revoke the at least one digital certificate; and
  
  based on the result of the determining, trigger the second certificate authority to issue at least one further digital certificate to have a same unique identifier as one of the at least one digital certificate that is revoked.

26. A network node for handling digital certificates in a communication network, the network node maintaining a digital certificate issued by a first certificate authority of the communication network, the network node comprising:
- one or more processing circuits configured to cause the network node to;
  
  send a request for issuing, by a second certificate authority of the communication network, a further digital certificate, wherein the request for issuing a further digital certificate comprises an identifier uniquely identifying the digital certificate issued by the first digital certificate authority, and the further digital certificate is identified by the same identifier in the request; and
  
  receive the further digital certificate, the further digital certificate having been issued by the second certificate authority, wherein the further digital certificate replaces the digital certificate issued and revoked by the first digital certificate authority.

27. A network managing node for handling digital certificates in a communication network, the communication network comprising:
- a first certificate authority having issued at least one digital certificate; and
  
  one or more processing circuits configured to cause the network managing node to send information, to a network node of the communication network for the network node, requesting a further digital certificate to be issued by a second certificate authority for a digital certificate; and
  
  wherein the information requesting a further digital certificate comprises an identifier uniquely identifying a digital certificate issued by the first certificate authority, and the further digital certificate comprises the same identifier in the request; and
  
  wherein the further digital certificate replaces the digital certificate, which is issued and revoked by the first certificate authority.

28. A computer program product stored in a non-transitory computer readable medium for controlling the handling of digital certificates in a communication network, the communication network comprising a first certificate authority having issued at least one digital certificate, the computer program product comprising software instructions which, when run on one or more processors of the communication network, causes the communication network to:
- determine whether a revocation condition for revoking the at least one digital certificate is fulfilled, wherein;
  
  the at least one digital certificate was issued by the first certificate authority;
  
  the at least one digital certificate is valid and not presently revoked;
  
  any given digital certificate that is not revoked is uniquely identified by a unique identifier;
  
  based on a result of the determining;
  
  revoke, by the first certificate authority, the at least one digital certificate; and
  
  issue, by a second certificate authority, at least one further digital certificate to have a same unique identifier as one of the at least one digital certificate that is revoked.
- View Dependent Claims (29)
- - 29. The computer program product of claim 28, wherein a controlling certificate authority comprises the one or more processors and functions as the first and second certificate authorities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Zmbik, Lszlo
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US14/766,573
Publication Number

US 20150381374A1
Time in Patent Office

1,885 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 9/3268 using certificate validatio...

Handling of digital certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Handling of digital certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links