Apparatus and methods for protecting network resources
First Claim
1. A method of protecting an organization's network resources, comprising:
maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with a plurality of organizations;
maintaining a second root certificate of a second cryptographic infrastructure associated with the organization, wherein the second root certificate facilitates issuing other certificates associated with the organization to the organization's authenticators;
issuing, to each of the organization's authenticators, an initial intermediate CA certificate within the second cryptographic infrastructure, wherein a respective authenticator's intermediate CA certificate is signed by the second root certificate, and wherein the respective authenticator is configured to provision devices for the organization using the corresponding intermediate CA certificate; and
responsive to the respective authenticator issuing to a new client computing device a client certificate which is signed by the corresponding initial intermediate CA certificate, issuing to the respective authenticator a replacement intermediate CA certificate which is signed by the second root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate.
Abstract
Apparatus and methods are provided for protecting network resources, particularly in association with automatic provisioning of new client devices. A global PKI (Public Key Infrastructure) scheme is rooted at a globally available server. Roots of PKIs for individual organizations also reside at this server or another globally available resource. To enable access to an organization's network, one or more authenticators are deployed, which may be co-located with access points or other network components. After a client device enabler (CDE) and an authenticator perform mutual authentication with certificates issued within the global PKI, the CDE is used to provision a new client device for the organization. After the client is provisioned, it and an authenticator use certificates issued within the per-organization PKI to allow the client access to the network.
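The per-organization half of claim 1 and the abstract, as an added model that is not the patent's own code: the authentication server signs each authenticator's intermediate CA certificate with the organization root, accepts exactly one client certificate per intermediate, and then issues a replacement so a retired intermediate cannot provision a second device. Signatures are an HMAC stand-in for real asymmetric signatures, and the certificate fields, serial scheme and class names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Optional, Tuple

def sign(key: bytes, payload: bytes) -> bytes:
    # Stand-in for an asymmetric signature (HMAC-SHA256 keyed with the issuer's secret); constructed for this example.
    return hmac.new(key, payload, hashlib.sha256).digest()

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer_serial: int  # 0 marks a certificate signed directly by the organization root
    serial: int
    is_ca: bool
    sig: bytes = b""

    def payload(self) -> bytes:
        return f"{self.subject}|{self.issuer_serial}|{self.serial}|{self.is_ca}".encode()

def provision_client(intermediate: Cert, key: bytes, device: str, serial: int) -> Cert:
    """Authenticator side: sign a client certificate with its current intermediate CA key."""
    cert = Cert(device, intermediate.serial, serial, False)
    return replace(cert, sig=sign(key, cert.payload()))

class AuthServer:
    def __init__(self) -> None:
        self.org_root_key = secrets.token_bytes(32)  # key behind the second (per-organization) root
        self.serial = 0
        # intermediate serial -> [authenticator name, intermediate key, client certs issued so far]
        self.intermediates = {}

    def issue_intermediate(self, authenticator: str) -> Tuple[Cert, bytes]:
        self.serial += 1
        key = secrets.token_bytes(32)  # intermediate CA key handed to the authenticator
        cert = Cert(authenticator, 0, self.serial, True)
        cert = replace(cert, sig=sign(self.org_root_key, cert.payload()))
        self.intermediates[cert.serial] = [authenticator, key, 0]
        return cert, key

    def register_client(self, client: Cert) -> Optional[Tuple[Cert, bytes]]:
        """Accept one client cert per intermediate, then hand the authenticator a replacement."""
        entry = self.intermediates.get(client.issuer_serial)
        if entry is None or client.is_ca:
            return None  # unknown intermediate, or a client certificate claiming CA rights
        authenticator, key, issued = entry
        if issued or not hmac.compare_digest(sign(key, client.payload()), client.sig):
            return None  # intermediate already retired, or the signature does not verify
        entry[2] += 1
        return self.issue_intermediate(authenticator)  # replacement intermediate CA certificate
```

A client certificate issued from a retired intermediate is refused even though its signature is valid, which is the property that limits what a leaked intermediate key is worth.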
19 Claims
13. A non-transitory computer-readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of protecting an organization's network resources, the method comprising:
maintaining, by an authentication server, a first root certificate of a first cryptographic infrastructure associated with a plurality of organizations;
maintaining a second root certificate of a second cryptographic infrastructure associated with the organization, wherein the second root certificate facilitates issuing other certificates associated with the organization to the organization's authenticators;
issuing, to each of the organization's authenticators, an initial intermediate CA certificate within the second cryptographic infrastructure, wherein a respective authenticator's intermediate CA certificate is signed by the second root certificate, and wherein the respective authenticator is configured to provision devices for the organization using the corresponding intermediate CA certificate; and
responsive to the respective authenticator issuing to a new client computing device a client certificate which is signed by the corresponding initial intermediate CA certificate, issuing to the respective authenticator a replacement intermediate CA certificate which is signed by the second root certificate, wherein the replacement intermediate CA certificate replaces the initial intermediate CA certificate.