Provisioning and managing certificates for accessing secure services in network

US 9,325,697 B2
Filed: 01/31/2013
Issued: 04/26/2016
Est. Priority Date: 01/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method for provisioning and managing certificates in a network, the method comprising:

generating a signing certificate by a network device based on a root certificate of the network device;

signing a client-device certificate for a client device based on the signing certificate of the network device; and

providing the signed client-device certificate to the client device, wherein the client-device certificate allows the client device to access a secure service provided by the network device;

wherein the signed client-device certificate is specifically associated with the network device and does not allow the client device to access a secure service provided by another network device, andthe signed client-device certificate includes a first Media Access Control (MAC) address, wherein if a second MAC address used by a client device requesting access to a secure service does not match the first MAC address, a connection between the network device and the client device is terminated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for provisioning and managing of certificates in a network are described. In one implementation, a signing certificate is generated by a network device based on a root certificate of the network device. Based on the signing certificate of the network device, a client-device certificate is signed for a client device. The signed client-device certificate is provided to the client device for allowing the client device to access a secure service provided by the network device.

19 Citations

View as Search Results

20 Claims

1. A method for provisioning and managing certificates in a network, the method comprising:
- generating a signing certificate by a network device based on a root certificate of the network device;
  
  signing a client-device certificate for a client device based on the signing certificate of the network device; and
  
  providing the signed client-device certificate to the client device, wherein the client-device certificate allows the client device to access a secure service provided by the network device;
  
  wherein the signed client-device certificate is specifically associated with the network device and does not allow the client device to access a secure service provided by another network device, andthe signed client-device certificate includes a first Media Access Control (MAC) address, wherein if a second MAC address used by a client device requesting access to a secure service does not match the first MAC address, a connection between the network device and the client device is terminated.
- View Dependent Claims (2, 3, 4, 5, 6, 18)
- - 2. The method as claimed in claim 1, wherein the method comprises the network device signing the client-device certificate in response to an administrator determining that the secure service is a secure service which the client device is allowed to access.
  - 3. The method as claimed in claim 1 further comprising:
    - receiving the client-device certificate, signed by the network device, from the client device;
      
      determining, by the network device, whether the client-device certificate is valid, wherein the determining is based on information associated with the client-device certificates signed by the network device; and
      
      allowing access of the secure service to the client device based on the determining.
  - 4. The method as claimed in claim 1 further comprising:
    - revoking the client-device certificate for the client device by removing information relating to the client-device certificate from a certificate generation list stored in the network device;
      
      said certificate generation list storing information relating to non-revoked client-device certificates signed by the network device.
  - 5. The method as claimed in claim 4, further comprising determining that a client-device certificate is valid if information relating to the client device certificate is included in said certificate generation list and determining that a client-certificate is invalid if information relating to the client device certificate is not included in said certificate generation list.
  - 6. The method as claimed in claim 4, wherein the revoking further comprises:
    - informing the client device about revocation of the client-device certificate.
  - 18. The method as claimed in claim 6, wherein the revoking further comprises:
    - receiving a confirmation that the certificate has been removed from the client device memory.

7. A network device providing a secure service in a network, the network device comprising:
- a processor; and
  
  a certificate authority coupled to the processor to;
  
  generate a signing certificate based on a root certificate of the network device;
  
  receive, from a client device, a certificate signing request comprising a client-device certificate to be signed by the network device;
  
  sign the client-device certificate based on the signing certificate of the network device;
  
  store, in the network device, information relating to said client-device certificate in a certificate generation list of client device certificates signed by the network device;
  
  store, in another network location, a copy of the certificate generation list; and
  
  when a determination is made to revoke the client-device certificate, revoke the client-device certificate for the client device, signed by the network device, by removing information relating to the client-device certificate from the certificate generation list stored in the network device and from the copy of the certificate generation list stored in another network location; and
  
  sending notification of the revocation to the client device; and
  
  a communication module coupled to the processor to;
  
  provide the client-device certificate, signed by the certificate authority, to the client device, wherein the client-device certificate is provided to allow the client device to access the secure service,wherein failure to provide a client-device certificate that appears on the certificate generation list results in denial of access to the secure service.
- View Dependent Claims (8, 9, 10, 11, 12, 17, 19, 20)
- - 8. The network device as claimed in claim 7, wherein the certificate authority stores certificate identifying information associated with the client-device certificate, signed by the network device, in the network device.
  - 9. The network device as claimed in claim 8, wherein the certificate identifying information associated with the client-device certificate comprises date of signing of the client-device certificate, serial number of the client-device certificate and identification attribute of the client device.
  - 10. The network device as claimed in claim 8, wherein the certificate authority is to make a determination of validity of the client-device certificate received from the client device for accessing the secure service, the determination of validity including checking whether the certificate identifying information is stored in the network device.
  - 11. The network device as claimed in claim 10, wherein the communication module establishes an application SSL connection of the network device with the client device based on the client-device certificate received from the client device, and the communication module allows accessing of the secure service to the client device, over the application SSL connection, based on the validity of the client-device certificate.
  - 12. The network device as claimed in claim 7, wherein the certificate authority incorporates a network device identifier in the client-device certificate signed by the network device.
  - 17. The network device as claimed in claim 7 wherein the network device is a network switch.
  - 19. The network device as claimed in claim 7, wherein the client-device certificate includes a client device identifier, the client device identifier comprising a Media Access Control (MAC) address.
  - 20. The network device as claimed in claim 8, wherein the identifying information is a date of signing of the client-device certificate.

13. A non-transitory computer-readable medium comprising instructions executable by a processor to:
- generate a signing certificate in a network device based on a root certificate of the network device;
  
  receive a certificate signing request in the network device from a client device over an encrypted SSL connection, the certificate signing request comprises a client-device certificate to be signed;
  
  sign the client-device certificate in the network device, the client-device certificate is signed based on the signing certificate of the network device;
  
  store information relating to the signed client-device certificate in a certificate generation list in the network device; and
  
  provide the client-device certificate, signed in the network device, to the client device over the encrypted SSL connection, wherein the client-device certificate is provided for allowing the client device to access a secure service provided by the network device;
  
  wherein the client device possesses a plurality of certificates for different devices on the network, each certificate allowing access to a different network device, wherein revocation of one certificate does not result in the revocation of other certificates held by the client device.
- View Dependent Claims (14, 15, 16)
- - 14. The non-transitory computer-readable medium as claimed in claim 13 comprising instructions executable by the processor to:
    - revoke the client-device certificate provided by the network device for the client device by removing information relating to the signed client-device certificate from the certificate generation list.
  - 15. The non-transitory computer-readable medium as claimed in claim 13 further comprising instructions to determine whether the client-device certificate is valid in response to receiving a request for the secure service from the client device and to provide the secure service to the client device in response to receiving the request and determining that the client-device certificate is valid.
  - 16. The non-transitory computer-readable medium as claimed in claim 13 wherein said secure service is selected from the group comprising:
    - selective monitoring of traffic and dynamic provisioning of access control list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Datta, Kaushik, Mills, Craig J.
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US13/755,301
Publication Number

US 20140215207A1
Time in Patent Office

1,181 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0823 using certificates cryptogr...

H04L 63/10 for controlling access to d...

Provisioning and managing certificates for accessing secure services in network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning and managing certificates for accessing secure services in network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links