WO2023022724A1 - Agent-based certificate management - Google Patents

Agent-based certificate management

Info

Publication number
WO2023022724A1
Authority
WO
WIPO (PCT)
Prior art keywords
certificate
agent
application
electronic device
trust manager
Application number
PCT/US2021/046796
Other languages
English (en)
Inventor
JR. Alexandre SANTOS DA SILVA
Bruno MEYBOM POSPICHIL
Lucas Lemos ROSA
Flavio CAVALCANTE TABOSA
Wanialdo Eduardo DE LIMA DA SILVA
JR. Francisco FERREIRA DE MENDONCA
Pedro Felippe DOMINGOS FERNANDES
Vitor Nadjim MOTA OUABDELKADER
Original Assignee
Hewlett-Packard Development Company, L.P.
Application filed by Hewlett-Packard Development Company, L.P.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • Electronic devices may communicate with each other, for example over a network.
  • Some examples of networks include a local area network, a wide area network, and the internet.
  • Fig. 1 is a block diagram of an electronic device to manage certificates, according to an example.
  • Fig. 2 is a block diagram of a system to manage certificates, according to an example.
  • Fig. 3 is a block diagram of a system for certificate management, according to an example.
  • Fig. 4 is a block diagram of an electronic device to perform certificate management, according to an example.
  • Fig. 5 is a block diagram of an electronic device to perform certificate management, according to an example.
  • Fig. 6 is a flow diagram illustrating a method for certificate management, according to an example.
  • Fig. 7 depicts a non-transitory machine-readable storage medium for certificate management, according to an example.
  • Digital certificates may be used to establish the identity of an application on a network (e.g., the internet).
  • An application may include a program, a process, or a service (e.g., a web service).
  • A certificate is also referred to as a digital certificate, public key certificate, or identity certificate.
  • Trust in the process of issuing and maintaining certificates is expected by businesses and individuals in order to continue using web services. With that basic trust, users may be confident that malicious individuals cannot intercept or otherwise interfere with interactions over an otherwise untrusted network infrastructure (e.g., the internet).
  • Applications may run distributed across local networks and the internet.
  • A distributed application is a program that may be implemented by multiple electronic devices, each running one or more applications, where each application is a subcomponent of the distributed application.
  • Applications may transport sensitive information.
  • Web applications may leverage certificates to create secure channels. Issuing, installing, revoking, and removing those security certificates may involve manual operations and configurations. These manual processes may become troublesome as the number of host devices, servers, and services increases.
  • Security is a concern for computing. For example, modern web applications may exchange sensitive information through the internet while keeping the sensitive information secret.
  • Applications and servers may provide secure communication channels by leveraging mechanisms such as the Secure Sockets Layer (SSL) or transport layer security (TLS) protocols. These protocols use asymmetric encryption to share secret keys between endpoints and to encrypt communications.
  • SSL: Secure Sockets Layer
  • TLS: Transport Layer Security
  • Certificates may identify an electronic device (e.g., a server) or services. For example, certificates may be used to match a hostname that a computing device accesses. Certificates may be stored in file formats, in trusted platform module (TPM) hardware, in certain directories on operating systems, or may be embedded in applications. As seen from these scenarios, these different possibilities make management of certificates difficult.
  • TPM: trusted platform module
  • Organizations may perform manual configuration of certificates. This may prove challenging for an organization. For example, system administrators may use special privileges or credentials to install certificates on servers. They may also have to determine the correct installation procedure and sometimes test applications manually. Depending on the size of the environment, administrators may do this repeatedly, and tasks may span days, leading to human errors or rework.
  • Certificates may expire or may be compromised.
  • Administrators may update or remove the expired or compromised certificates from the servers, also manually.
  • Application development processes may also include manual certificate operations. For instance, developers of applications may ask a certificate service for the certificates to use in their applications. As in the case of system administrators, developers may perform manual operations, thus creating security breaches at the configuration level, which makes applications susceptible to social engineering attacks.
  • The process of managing certificates may be performed to ensure the security of systems. For example, certificates may expire because certificates have a validity period declared on creation. In cases such as these, private key certificates may be renewed. Even if system administrators follow all security procedures, keys of private certificates may be compromised. Thus, the system administrators may revoke these certificates and may register them on services that assert the revocations. In some examples, certificate revocations may be tracked through certificate revocation lists (CRL) and the online certificate status protocol (OCSP).
  • After revoking certificates, system administrators may perform tasks to replace old or revoked certificates with new ones. The installation of new certificates may also include manual operations.
  • CRL: certificate revocation list
  • OCSP: online certificate status protocol
  • The present specification describes examples of automated certificate management for applications (including distributed applications) based on an agent decoupled from the executable application.
  • The application logic may remain unchanged, and the certificate management may be transparent.
  • An agent may run within the same machine or environment as the application.
  • The agent may have a unique identifier to identify the application and the host device uniquely.
  • The present specification describes an example of an electronic device.
  • The electronic device includes a processor and a memory communicatively coupled to the processor.
  • The memory stores executable instructions that, when executed, cause the processor to run an agent to perform certificate management for an application based on instructions received from a trust manager.
  • The memory also stores executable instructions that, when executed, cause the processor to run the application to perform operations based on a certificate managed by the agent, without the application being aware of the certificate management by the agent.
  • The present specification also describes a method.
  • The method includes receiving a certificate command at a trust manager running on an electronic device.
  • The method also includes performing a certificate operation at the trust manager based on the certificate command.
  • The method further includes sending a result of the certificate operation to an agent to perform certificate management for an application, separate from the application logic.
  • The present specification also describes a non-transitory machine-readable storage medium that includes instructions which, when executed by a processor of an electronic device, cause the processor to perform a certificate operation for a distributed application based on a certificate command.
  • The instructions also cause the processor to send a first result of the certificate operation to a first agent to perform certificate management for a first application that is part of the distributed application.
  • The instructions further cause the processor to send a second result of the certificate operation to a second agent to perform certificate management for a second application that is part of the distributed application.
  • The processor may be a controller, an application-specific integrated circuit (ASIC), a semiconductor-based microprocessor, a central processing unit (CPU), a field-programmable gate array (FPGA), and/or another hardware device.
  • ASIC: application-specific integrated circuit
  • CPU: central processing unit
  • FPGA: field-programmable gate array
  • The term “memory” may include a computer-readable storage medium, which may contain or store computer-usable program code for use by or in connection with an instruction execution system, apparatus, or device.
  • The memory may include many types of memory, including volatile and non-volatile memory.
  • The memory may include Random Access Memory (RAM), Read Only Memory (ROM), optical memory disks, and magnetic disks, among others.
  • RAM: Random Access Memory
  • ROM: Read Only Memory
  • The executable code may, when executed by the respective component, cause the component to implement the functionality described herein.
  • Fig. 1 is a block diagram of an electronic device 100 to manage certificates, according to an example.
  • Examples of an electronic device 100 may include computing devices, workstations, servers, laptop computers, desktop computers, smartphones, tablet devices, wireless communication devices, testing equipment, sensors, smart appliances, robots, or other devices having memory resources and processing resources.
  • The electronic device 100 includes a processor 102.
  • The processor 102 of the electronic device 100 may be implemented as dedicated hardware circuitry or a virtualized logical processor.
  • The dedicated hardware circuitry may be implemented as a central processing unit (CPU).
  • A dedicated hardware CPU may be implemented as a single-core to many-core general purpose processor.
  • A dedicated hardware CPU may also be implemented as a multi-chip solution, where more than one CPU is linked through a bus and processing tasks are scheduled across the CPUs.
  • A virtualized logical processor may be implemented across a distributed computing environment.
  • A virtualized logical processor may not have a dedicated piece of hardware supporting it. Instead, the virtualized logical processor may have a pool of resources supporting the task for which it was provisioned.
  • The virtualized logical processor may be executed on hardware circuitry; however, the hardware circuitry is not dedicated.
  • The hardware circuitry may be in a shared environment where utilization is time sliced.
  • A memory 104 may be implemented in the electronic device 100.
  • The memory 104 may be dedicated hardware circuitry to host instructions for the processor 102 to execute.
  • The memory 104 may be virtualized logical memory. Analogous to the processor 102, dedicated hardware circuitry may be implemented with dynamic random-access memory (DRAM) or other hardware implementations for storing processor instructions.
  • DRAM: dynamic random-access memory
  • The virtualized logical memory may be implemented in an abstraction layer which allows the instructions to be executed on a virtualized logical processor, independent of any dedicated hardware implementation.
  • The electronic device 100 may also include instructions.
  • The instructions may be implemented in a platform-specific language that the processor 102 may decode and execute.
  • The instructions may be stored in the memory 104 during execution.
  • The instructions may include agent instructions 106 and application instructions 108, according to the examples described herein.
  • Examples are described for a detached certificate management approach based on a management system and agents that run alongside applications.
  • Developers may design applications to use certificates and leave certificate management aside.
  • A system administrator may set up the system a single time for certificate management. They may choose to install the agents in a given directory where certificates are available to applications, or may leverage configuration files to determine certificate installation.
  • The agent instructions 106 may include instructions to cause the processor 102 to run an agent on the electronic device 100.
  • The agent may perform certificate management for an application based on instructions received from a trust manager.
  • An agent is a program that autonomously performs certificate management operations on the electronic device 100 in response to instructions from the trust manager.
  • A trust manager is a program that coordinates certificate management operations by the agent.
  • The trust manager runs on a remote electronic device (e.g., a server) that communicates with the electronic device 100 over a network.
  • An example of a system that includes agents and a trust manager is illustrated in Fig. 2.
  • A system 200 may include an electronic device 210 to run a trust manager 212.
  • The electronic device 210 may include a processor and memory (not shown) to execute the trust manager 212.
  • The system 200 includes a first host device 200-1 and a second host device 200-2.
  • The first host device 200-1 and the second host device 200-2 may be implemented according to the electronic device 100 of Fig. 1.
  • The first host device 200-1 may run a first agent 214-1 and a first application 216-1.
  • The second host device 200-2 may run a second agent 214-2 and a second application 216-2.
  • The first application 216-1 and the second application 216-2 are part of a distributed application 218.
  • The first application 216-1 may operate as a first module of the distributed application 218, and the second application 216-2 may operate as a second module of the distributed application 218.
  • Although the first application 216-1 and the second application 216-2 are shown as part of a distributed application 218 in this example, in other examples the first application 216-1 and the second application 216-2 may not be part of a distributed application 218.
  • The first agent 214-1 and the second agent 214-2 may handle certificate management procedures for the first application 216-1 and the second application 216-2, respectively.
  • An agent may include parameters to bind the agent to an application.
  • The first application 216-1 may include parameters specific to performing certificate management for the first application 216-1.
  • The second application 216-2 may include parameters specific to performing certificate management for the second application 216-2.
  • The agents may perform operations for certificate management. For example, the agents may install new certificates received from the trust manager 212. The agents may delete revoked certificates. In some examples, the agents may periodically validate the status, placement, and integrity of certificates used by the applications.
  • In some examples, the agents may have a degree of control over the applications by leveraging OS mechanisms. For example, the agents may be able to start, run, or kill an application.
  • The agents may run alongside applications and may handle certificate management according to commands from the trust manager 212.
  • The trust manager may perform a certificate operation for the distributed application 218 based on a certificate command.
  • The trust manager 212 may send a first result of the certificate operation to the first agent 214-1 to perform certificate management for the first application 216-1 that is part of the distributed application 218.
  • The trust manager 212 may also send a second result of the certificate operation to the second agent 214-2 to perform certificate management for the second application 216-2 that is part of the distributed application 218.
  • The agent may perform certificate management operations based on instructions received from a trust manager. For example, the agent may receive a certificate from the trust manager that is intended for an application. The agent may then install the certificate in a location that is accessible for use by the application. In some examples, the trust manager may send a revocation command to the agent to delete a revoked certificate. The agent may then delete the revoked certificate in response to the revocation command received from the trust manager.
  • A certificate management operation may include renewing a certificate.
  • The trust manager may send a new certificate that includes information from the existing certificate.
  • The agent may then update the existing certificate with the renewed certificate.
  • A certificate management operation may include replacing a certificate with a new certificate.
  • The trust manager may send a new certificate that includes new public and private keys.
  • The agent may then replace the existing certificate with the new certificate.
  • A certificate management operation by the agent may include monitoring certificate status for the application. For example, the agent may observe and log the number of times that the certificate is used. The agent may also determine which programs or computing devices are communicating with the application in a manner that uses the certificate. The agent may then report the certificate status to the trust manager. For example, the agent may periodically report which certificate is currently being used by the application, usage statistics for the certificate, or a combination thereof. The trust manager may thus be kept aware of the status of the certificate being used by the application and can decide whether to revoke or renew the certificate based on the reported status. For example, the trust manager may revoke a certificate if the monitoring by the agent indicates a compromised certificate or another security risk.
  • The application instructions 108 may include instructions to cause the processor 102 to run the application to perform operations based on a certificate managed by the agent, without the application being aware of the certificate management by the agent.
  • The application may communicate in a network environment using the certificate. This may include the application identifying itself using the certificate.
  • Other operations may include signing communications using a private key included in the certificate or encrypting a communication using a private key included in the certificate.
  • An application may not be aware of the certificate management by the agent.
  • An application may be configured to use a certificate in a manner established by the OS without being configured to communicate with an agent.
  • The certificate may be saved by the agent in a location that is accessible for use by the application.
  • The agent may remove a revoked certificate, and may monitor the usage and validity of the certificate by the application, without the application being aware of this certificate management. Therefore, the agent separates certificate management from the application logic.
  • Application logic includes the functionality and operations of the application.
  • The processor 102 may run multiple agents to perform certificate management for multiple applications. Each of the multiple agents may perform certificate management for a single application.
  • A first agent may perform certificate management for a first application.
  • A second agent may perform certificate management for a second application.
  • An example of this approach is illustrated in Fig. 4.
  • The processor 102 may run multiple applications.
  • A single agent may perform certificate management for the multiple applications.
  • A single agent may include different application-specific parameters for each application. An example of this approach is illustrated in Fig. 5.
  • The use of the trust manager and an agent detaches certificate management (i.e., security logic) from the application (i.e., application logic). Therefore, the application may perform its functions without being aware of the certificate management procedures. Thus, in the described examples, the application does not ask the agent for its certificates. Furthermore, the application is not configured (e.g., programmed) to communicate with the agent. The agent and trust manager may automate certificate management that is detached from the application logic.
  • Fig. 3 is a block diagram illustrating a system 300 for certificate management, according to an example.
  • The system 300 includes an electronic device 310 to run a trust manager 312.
  • The system 300 also includes a number of host devices 300a-n.
  • The host devices 300a-n may be implemented according to the electronic device 100 described in Fig. 1.
  • The electronic device 310 may include a processor and memory to implement the trust manager 312.
  • The trust manager 312 may perform certificate operations. These certificate operations may be based on a certificate command received at the trust manager 312.
  • The trust manager 312 may include an application programming interface (API) 324 to interface with users (e.g., system administrators) and programs (e.g., agents 314a-n).
  • The electronic device 310 may implement a user interface 320 or command line interface (CLI) 322 to receive certificate commands from a user.
  • The user interface 320 may be a graphical user interface in which a user may input certificate commands to the API 324.
  • The CLI 322 may receive text-based certificate commands from a user, which are sent to the API 324.
  • The API 324 of the trust manager 312 provides an interface so that the user can send certificate commands.
  • These certificate commands may be sent in a batch or individually.
  • These certificate commands may instruct the trust manager 312 to create, renew, rekey, or revoke (i.e., remove) certificates (including private certificates) and even their certificate authorities. In the latter case, all derived certificates may be revoked within an organization.
  • The certificate commands may instruct the trust manager 312 to perform certificate operations. These certificate operations may include generating a certificate for use by an application, renewing the certificate for the application, or revoking the certificate from use by the application.
  • Certificate generation may include acquiring a certificate for a specific application from a certificate authority.
  • Certificate generation may include generating the certificate by the trust manager 312 itself.
  • The certificate may be a file that includes a public key for a given application.
  • The public key may be used to decrypt communications from the application and may be used to prove the identity of the application.
  • The certificate may also include the name of the certificate holder; a serial number that uniquely identifies the certificate; the individual or entity identified by the certificate; expiration dates for the certificate; or a combination thereof.
  • The certificate operations performed by the trust manager 312 may also include maintaining an inventory of issued or revoked certificates.
  • The trust manager 312 may maintain a list of current certificates and the host devices to which the certificates are issued.
  • The trust manager 312 may also maintain a certificate revocation list (CRL) to identify revoked certificates. If an entity (e.g., a person or program) attempts to use a revoked certificate, the trust manager 312 may prevent access to the revoked certificate.
  • CRL: certificate revocation list
  • The certificate operations performed by the trust manager 312 may also include logging certificate use.
  • The trust manager 312 may receive reports from the agents 314a-n about certificate usage by the applications 316a-n.
  • The trust manager 312 may also log the certificates that it has created, renewed, revoked, etc.
  • The trust manager 312 may also perform health analysis of the certificates to determine whether the certificates are being used in a manner that complies with defined conditions or policies.
  • The trust manager 312 may notify a user (e.g., a system administrator) based on the certificate operations. For example, if the trust manager 312 determines that a certificate has expired or is being used in a manner that violates a policy, then the trust manager 312 may generate a notification to inform the user.
  • The trust manager 312 may send the result of the certificate operation to an agent to perform certificate management for an application, separate from the application logic. For example, for a given application, the trust manager 312 may send a certificate to an agent for use by the application. In another example, the trust manager 312 may send a renewed certificate to the agent for use by the application. In yet another example, the trust manager 312 may send, to the agent, a command to revoke the certificate from use by the application. Upon receiving the revocation command, the agent may delete the certificate or otherwise make the certificate unavailable to the application.
  • The agents 300a-n and the trust manager 312 may create a trust relationship before managing the certificates used by the applications 316a-n.
  • OTP: one-time password
  • An OTP may be used to establish a secure connection between the agents 300a-n and the trust manager 312.
  • An OTP may be generated by the trust manager 312. This OTP may be entered on the host device running the agent to establish a secure connection with the trust manager 312.
  • An agent may be registered with the trust manager 312.
  • Each agent 314a-n may be registered with the trust manager 312 to inform the trust manager 312 of how to contact the agents 314a-n.
  • Registration may be based on a hostname of the machine (e.g., host device) that the agent runs on and a universally unique identifier (UUID) for the agent.
  • The hostname may identify the host device upon which the agent is running.
  • The UUID may be used to distinguish a particular agent from other agents. For example, if a host device has multiple agents running alongside multiple applications, the UUID may be used to identify a specific agent.
  • The trust manager 312 may send commands and information (e.g., certificates) to specific agents. Thus, when performing these certificate operations, the trust manager 312 knows which certificates to send to which agents.
  • The trust manager 312 may validate the agent based on a cryptographic exchange between the trust manager 312 and the agent. For example, the agents 314a-n and the trust manager 312 may exchange certificates for mutual authentication, thus ensuring secure certificate exchange and manipulation. This procedure allows administrators to use their elevated credentials once, in the centralized trust manager 312, thus reducing repetitive work.
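The bootstrap described in the bullets above (an OTP generated by the trust manager and entered on the host, registration under hostname plus UUID, then mutual validation before any certificate is handled), as an added Python example that is not code from the patent. Assumptions of this example: the certificate exchange for mutual authentication is replaced by an HMAC challenge-response over a secret both sides derive from the OTP, the OTP is single-use and expires after five minutes, and all class and function names are invented.

```python
import hashlib
import hmac
import secrets
import time
import uuid

OTP_TTL = 300  # assumption: a bootstrap OTP is only redeemable for five minutes


def derive_key(otp, hostname, agent_uuid):
    # Both sides derive the same per-agent secret from the OTP and the registration identity.
    # Assumption: this secret stands in for the certificate exchange the patent describes.
    return hmac.new(otp.encode(), f"{hostname}|{agent_uuid}".encode(), hashlib.sha256).digest()


class TrustManager:
    def __init__(self):
        self._otps = {}    # otp -> expiry time; each entry can be redeemed exactly once
        self.agents = {}   # (hostname, agent uuid) -> per-agent secret: how to address and verify it

    def generate_otp(self, now=None):
        # An administrator, already authenticated to the trust manager, asks for an OTP.
        otp = secrets.token_hex(16)
        self._otps[otp] = (now if now is not None else time.time()) + OTP_TTL
        return otp

    def register_agent(self, otp, hostname, agent_uuid, now=None):
        # Redeem the OTP once and record the agent under (hostname, UUID).
        expires = self._otps.pop(otp, None)   # pop: a second redemption finds nothing
        if expires is None or (now if now is not None else time.time()) > expires:
            return False
        self.agents[(hostname, agent_uuid)] = derive_key(otp, hostname, agent_uuid)
        return True

    def challenge(self):
        return secrets.token_bytes(16)

    def verify_agent(self, hostname, agent_uuid, nonce, response):
        # Validate the agent's answer to our challenge; an unregistered agent has no key.
        key = self.agents.get((hostname, agent_uuid))
        if key is None:
            return False
        expected = hmac.new(key, b"agent->tm" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def answer(self, hostname, agent_uuid, nonce):
        # Answer the agent's challenge so the agent can validate the trust manager as well.
        key = self.agents[(hostname, agent_uuid)]
        return hmac.new(key, b"tm->agent" + nonce, hashlib.sha256).digest()


class Agent:
    def __init__(self, hostname):
        self.hostname = hostname
        self.uuid = str(uuid.uuid4())   # distinguishes this agent from others on the same host
        self.key = None                 # set only after a successful enrolment

    def enrol(self, tm, otp, now=None):
        # The OTP is entered on the host; success leaves both sides holding the same secret.
        if not tm.register_agent(otp, self.hostname, self.uuid, now):
            return False
        self.key = derive_key(otp, self.hostname, self.uuid)
        return True

    def challenge(self):
        return secrets.token_bytes(16)

    def respond(self, nonce):
        return hmac.new(self.key, b"agent->tm" + nonce, hashlib.sha256).digest()

    def verify_manager(self, nonce, response):
        expected = hmac.new(self.key, b"tm->agent" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def mutual_validation(tm, agent):
    # One challenge in each direction; both must pass before any certificate is exchanged.
    if agent.key is None or (agent.hostname, agent.uuid) not in tm.agents:
        return False
    n1 = tm.challenge()
    tm_ok = tm.verify_agent(agent.hostname, agent.uuid, n1, agent.respond(n1))
    n2 = agent.challenge()
    agent_ok = agent.verify_manager(n2, tm.answer(agent.hostname, agent.uuid, n2))
    return tm_ok and agent_ok
```

Two agents on the same host enrol with separate OTPs and are told apart by their UUIDs; a reused or expired OTP is rejected, and an agent that never enrolled cannot pass validation.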
  • The trust manager 312 may include a command queue 326 for sending commands (e.g., the results of the certificate operations) to the agents 314a-n.
  • The command queue 326 may communicate the commands to the agents 314a-n over a command bus.
  • The trust manager 312 may include a security library (not shown).
  • The trust manager 312 may store sensitive information (e.g., certificates, cryptographic keys, logs, etc.) in the security library.
  • The distribution and placement of certificates by the trust manager 312 and agents 314a-n may be automatic upon issuing the certificates.
  • The system 300 eliminates the probability of human errors. Also, system administrators may avoid delegating tasks, thus reducing improper use of credentials and misconfiguration of certificates.
  • A user may provide certificate commands to the API 324 of the trust manager 312.
  • The certificate commands may include commands to issue, renew, or revoke certificates for the applications 316a-n.
  • The API 324 of the trust manager 312 may perform operations according to the certificate commands. For example, the trust manager 312 may generate, renew, or revoke the certificates as indicated by the certificate command.
  • The API 324 may send the results of the certificate operations to the agents 314a-n.
  • The API 324 may send a new certificate to agent-A 314a for use by application-A 316a, and so forth through agent-N 314n for use by application-N 316n.
  • The API 324 may send a command to the agents 314a-n to delete certificates or even to stop the applications 316a-n.
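An added Python example (not the patent's code) of the trust manager side described for Fig. 3 together with the agent operations described for Fig. 1 and the method of Fig. 6: certificate commands (issue, renew, rekey, revoke) performed by the trust manager, their results routed through a command queue to an agent registered by hostname and UUID, the agent installing or deleting the certificate in the directory the application already reads, and the agent's status report feeding the inventory, the CRL and expiry notifications. Assumptions of this example: certificates are simplified records with a key identifier standing in for the key pair, validity is 90 days, one agent holds parameters for two applications as in Fig. 5, and all names and the file layout are invented.

```python
import os
import tempfile
import uuid
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# serial, asserted identity (the app's hostname), expiry, and a key_id standing in for the key pair
Certificate = namedtuple("Certificate", "serial subject not_after key_id")


class Agent:
    def __init__(self, hostname, params):
        self.hostname = hostname
        self.uuid = str(uuid.uuid4())  # tells this agent apart from others on the same host
        self.params = params           # app_uuid -> (name, cert_dir): per-application parameters

    def cert_path(self, app_uuid):     # the location the application already loads from
        name, cert_dir = self.params[app_uuid]
        return os.path.join(cert_dir, name + ".crt")

    def handle(self, result):
        # Apply one result from the trust manager; the application itself is never contacted.
        path = self.cert_path(result["app_uuid"])
        if result["op"] == "revoke":
            if os.path.exists(path):
                os.remove(path)        # the revoked certificate becomes unavailable to the app
            return "deleted"
        c = result["cert"]             # issue, renew and rekey all end in a (re)install
        with open(path, "w") as fh:
            fh.write(f"{c.serial} {c.subject} {c.not_after.isoformat()} {c.key_id}")
        return "installed " + c.serial

    def status(self, app_uuid):
        # Periodic report to the trust manager: serial the application currently holds, if any.
        path = self.cert_path(app_uuid)
        if not os.path.exists(path):
            return None
        with open(path) as fh:
            return fh.read().split()[0]


class TrustManager:
    def __init__(self, now):
        self.now = now           # injected clock so expiry can be exercised deterministically
        self.agents = {}         # (hostname, agent uuid) -> Agent, filled at registration
        self.inventory = {}      # serial -> Certificate, issued and revoked alike
        self.current = {}        # (hostname, app_uuid) -> serial the application should hold
        self.crl = set()         # serials of revoked certificates
        self.queue = []          # command queue drained towards the agents

    def register(self, agent):
        self.agents[(agent.hostname, agent.uuid)] = agent

    def command(self, op, hostname, agent_uuid, app_uuid, subject=None, days=90):
        """API entry point: perform the certificate operation, then queue the result."""
        key = (hostname, app_uuid)
        if op == "revoke":
            self.crl.add(self.current.pop(key))
            self.queue.append((hostname, agent_uuid, {"op": op, "app_uuid": app_uuid}))
            return None
        old = self.inventory.get(self.current.get(key))
        subject = subject if op == "issue" else old.subject    # renew and rekey keep the identity
        key_id = old.key_id if op == "renew" else "k-" + uuid.uuid4().hex[:8]  # only renew keeps keys
        serial = f"{len(self.inventory) + 1:04x}"
        cert = Certificate(serial, subject, self.now + timedelta(days=days), key_id)
        self.inventory[serial] = cert
        self.current[key] = serial
        self.queue.append((hostname, agent_uuid, {"op": op, "app_uuid": app_uuid, "cert": cert}))
        return cert

    def dispatch(self):
        # Drain the command queue to the registered agents and collect their outcomes.
        outcomes = [self.agents[(h, a)].handle(r) for h, a, r in self.queue]
        self.queue.clear()
        return outcomes

    def health_check(self):
        # Flag expired certificates and agents whose report disagrees with the inventory.
        alerts = []
        for (host, app_uuid), serial in self.current.items():
            if self.inventory[serial].not_after <= self.now:
                alerts.append(f"{host}/{app_uuid}: {serial} expired")
            for (h, _), agent in self.agents.items():
                if h == host and app_uuid in agent.params and agent.status(app_uuid) != serial:
                    alerts.append(f"{host}/{app_uuid}: agent holds {agent.status(app_uuid)}")
        return alerts


def demo():
    # Constructed scenario: one host, one agent bound to two applications, a full command cycle.
    cert_dir = tempfile.mkdtemp()
    tm = TrustManager(now=datetime(2024, 1, 1, tzinfo=timezone.utc))
    agent = Agent("web01", {"app-web": ("web", cert_dir), "app-api": ("api", cert_dir)})
    tm.register(agent)
    tm.command("issue", "web01", agent.uuid, "app-web", subject="web01.example.test")
    tm.command("issue", "web01", agent.uuid, "app-api", subject="api.example.test")
    renewed = tm.command("renew", "web01", agent.uuid, "app-web")
    tm.command("revoke", "web01", agent.uuid, "app-api")
    outcomes = tm.dispatch()
    tm.now += timedelta(days=91)           # move past the 90-day validity of the renewal
    return {"renewed": renewed, "outcomes": outcomes, "crl": tm.crl, "alerts": tm.health_check(),
            "web_serial": agent.status("app-web"), "api_serial": agent.status("app-api")}
```

The application in this scenario only ever reads `web.crt` or `api.crt` from its directory; it is issued, renewed and revoked without any code path that talks to the agent or the trust manager.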
  • Fig. 4 is a block diagram of an electronic device 400 to perform certificate management, according to an example.
  • the electronic device 400 may be implemented as described in Fig. 1 .
  • the electronic device 400 may include a processor to execute instructions stored in memory.
  • the processor may run multiple agents 414a-n to manage certificates for multiple applications 416a-n based on commands from a trust manager.
  • each of the multiple agents 414a-n may perform certificate management for a single application.
  • agent-A 414a may perform certificate management for application-A 416a
  • agent-B 414b may perform certificate management for application-B 416b, and so forth.
  • execution of agent-A 414a is decoupled from execution of application-A 416a
  • execution of agent-B 414b is decoupled from execution of application-B 416b, and so forth.
  • each of the agents 414a-n may be identified by a trust manager by the hostname of the electronic device 400 and a UUID specific to the agent.
  • agent-A 414a may have a first UUID
  • agent-B 414b may have a second UUID
  • Fig. 5 is a block diagram of an electronic device 500 to perform certificate management, according to an example.
  • the electronic device 500 may be implemented as described in Fig. 1.
  • the electronic device 500 may include a processor to execute instructions stored in memory.
  • the processor may run a single agent 514 to manage certificates for multiple applications 516a-n based on commands from a trust manager.
  • the agent 514 may perform certificate management for each of the applications 516a-n.
  • the agent 514 may include application parameters 530a-n specific to a given application.
  • application-A parameters 530a may include information and a certificate associated for application-A 516a
  • application-B parameters 530b may include information and a certificate for application-B 516b, and so forth.
  • the application parameters 530a-n may include a UUID for the associated application.
  • application-A parameters 530a may include a first UUID for application-A 516a
  • application-B parameters 530b may include a second UUID for application-B 516b, and so forth.
  • the trust manager may indicate to the agent 514 which application is the subject of a certificate management command.
  • Fig. 6 is a flow diagram illustrating a method 600 for certificate management, according to an example.
  • the method 600 may be performed by a trust manager, such as the trust manager 312 running on electronic device 310 described in Fig. 3.
  • the trust manager running on the electronic device may receive a certificate command.
  • the certificate command may include a command to create, renew, rekey, or revoke (i.e., remove) certificates for an application running on a host device.
  • the trust manager may include an API to receive the certificate command.
  • the trust manager may perform a certificate operation based on the certificate command.
  • the certificate operation may include generating a certificate for use by the application; renewing the certificate for the application; revoking the certificate from use by the application; or a combination thereof.
  • the trust manager may send a result of the certificate operation to an agent to perform certificate management for an application separate from application logic.
  • sending the result of the certificate operation to the agent may include one of sending a certificate to the agent for use by the application; sending a renewed certificate to the agent for use by the application; sending, to the agent, a command to revoke the certificate from use by the application, or a combination thereof.
  • the method 600 may also include registering the agent with the trust manager based on a hostname of the agent and a universally unique identifier (UUID) for the agent.
  • the trust manager may validate the agent based on a cryptographic exchange between the trust manager and the agent.
  • Fig. 7 depicts a non-transitory machine-readable storage medium 740 for certificate management, according to an example.
  • an electronic device 100, 210, 310 includes various hardware components.
  • an electronic device 100, 210, 310 includes a processor and a machine-readable storage medium 740.
  • the machine-readable storage medium 740 is communicatively coupled to the processor.
  • the machine-readable storage medium 740 includes a number of instructions 742, 744, 746 for performing a designated function.
  • the machine-readable storage medium 740 causes the processor to execute the designated function of the instructions 742, 744, 746.
  • the machine-readable storage medium 740 can store data, programs, instructions, or any other machine-readable data that can be utilized to operate the electronic device 100.
  • Machine-readable storage medium 740 can store computer readable instructions that the processor of the electronic device 100, 210, 310 can process, or execute.
  • the machine-readable storage medium 740 can be an electronic, magnetic, optical, or other physical storage device that contains or stores executable instructions.
  • Machine-readable storage medium 740 may be, for example, Random Access Memory (RAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a storage device, an optical disc, etc.
  • the machine-readable storage medium 740 may be a non-transitory machine-readable storage medium 740, where the term “non-transitory” does not encompass transitory propagating signals.
  • Certificate operation instructions 742, when executed by the processor, cause the processor to perform a certificate operation for a distributed application based on a certificate command.
  • First result instructions 744, when executed by the processor, may cause the processor to send a first result of the certificate operation to a first agent to perform certificate management for a first application that is part of the distributed application.
  • Second result instructions 746, when executed by the processor, may cause the processor to send a second result of the certificate operation to a second agent to perform certificate management for a second application that is part of the distributed application.
  • execution of the first agent is decoupled from execution of the first application
  • execution of the second agent is decoupled from execution of the second application
  • the instructions, when executed by the processor, cause the processor to identify the first agent based on a first identifier.
  • the first identifier may include a hostname of a first electronic device running the first agent and the first application.
  • the first identifier may also include a first UUID for the first agent.
  • the instructions, when executed by the processor, cause the processor to identify the second agent based on a second identifier.
  • the second identifier may include a hostname of a second electronic device running the second agent and the second application.
  • the second identifier may also include a second UUID for the second agent.
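The agent identification and validation scheme described above (hostname plus a per-agent UUID, and a cryptographic exchange before the trust manager trusts an agent) as a worked example. This is added example code, not code from the patent or from HP: the patent does not say what the exchange is, so the challenge-response over an ECDSA enrollment key, the `Registry`, `Challenge`, `AgentRespond` and `Validate` names, the 32-byte nonce and the digest layout are all assumptions, and the host names and UUIDs in `main` are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AgentID is how the trust manager keys agents: the hostname of the electronic device plus a UUID
// specific to the agent. Two agents on one host differ by UUID.
type AgentID struct{ Hostname, UUID string }

// Registry is the trust manager's view of agents: the enrollment public key each identifier proved
// possession of, and the challenge currently outstanding for it.
type Registry struct {
	agents  map[AgentID]*ecdsa.PublicKey
	pending map[AgentID][]byte // one outstanding nonce per agent, consumed on first use
}

func NewRegistry() *Registry {
	return &Registry{agents: map[AgentID]*ecdsa.PublicKey{}, pending: map[AgentID][]byte{}}
}

// NewKey generates a P-256 key pair; an agent does this once at enrollment and keeps the private half.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Register binds (hostname, UUID) to the agent's key. Both parts are required, and an identifier can be
// registered only once, so a later registration cannot quietly replace an agent's key.
func (r *Registry) Register(id AgentID, pub *ecdsa.PublicKey) error {
	if id.Hostname == "" || id.UUID == "" || pub == nil {
		return errors.New("registration needs a hostname, a UUID and a public key")
	}
	if _, dup := r.agents[id]; dup {
		return errors.New("agent " + id.Hostname + "/" + id.UUID + " is already registered")
	}
	r.agents[id] = pub
	return nil
}

// Challenge issues a fresh 32-byte nonce to a registered agent and remembers it until Validate consumes it.
func (r *Registry) Challenge(id AgentID) ([]byte, error) {
	if _, ok := r.agents[id]; !ok {
		return nil, errors.New("unknown agent " + id.Hostname + "/" + id.UUID)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.pending[id] = nonce
	return nonce, nil
}

// challengeDigest folds the agent identity into what gets signed, so a captured response cannot be
// replayed for another host, for another agent on the same host, or in a later session.
func challengeDigest(id AgentID, nonce []byte) []byte {
	d := sha256.Sum256(append([]byte(id.Hostname+"\x00"+id.UUID+"\x00"), nonce...))
	return d[:]
}

// AgentRespond is the agent's half of the exchange: sign the challenge with its enrollment key.
func AgentRespond(key *ecdsa.PrivateKey, id AgentID, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, challengeDigest(id, nonce))
}

// Validate is the trust manager's half: the response must verify, under the key registered for exactly
// this identifier, over the nonce this registry issued to it. The nonce is discarded either way.
func (r *Registry) Validate(id AgentID, sig []byte) bool {
	pub, known := r.agents[id]
	nonce, issued := r.pending[id]
	delete(r.pending, id)
	return known && issued && ecdsa.VerifyASN1(pub, challengeDigest(id, nonce), sig)
}

func main() {
	r := NewRegistry()
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	id := AgentID{Hostname: "host-1.example", UUID: "2f1c7e4a-agent-a"} // constructed identifiers
	if err := r.Register(id, &key.PublicKey); err != nil {
		panic(err)
	}
	nonce, _ := r.Challenge(id)
	sig, _ := AgentRespond(key, id, nonce)
	fmt.Println("validated:", r.Validate(id, sig), "replay accepted:", r.Validate(id, sig))
}
```

Folding the hostname and UUID into the signed digest is what makes the identifier mean something: a response captured from agent-A cannot be replayed for agent-B on the same host even if both enrolled the same key, a response signed for one host fails on another, and because each nonce is consumed on first use the same response cannot validate twice. What the exchange does not give you is evidence that the agent is really running on the named host or that the key was not copied off it; that needs a hardware-rooted attestation or a host credential bound to the channel the command traffic uses.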

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

According to one example, the present disclosure relates to an electronic device. An example electronic device includes a processor and a memory storing executable instructions that, when executed, cause the processor to run an agent to perform certificate management for an application based on instructions received from a trust manager. The instructions also cause the processor to run the application to perform operations based on a certificate managed by the agent, without the application being aware of the certificate management performed by the agent.
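The certificate operations the abstract and the method above describe (create, renew and revoke commands handled by the trust manager, results sent to an agent, the agent installing them for an application that knows nothing about it) as a worked example. This is added code, not the patent's or HP's: the patent does not say how certificates are produced or what the agent does with a result, so the `TrustManager`, `Subject`, `Handle` and `Install` names, the short validity periods, and the choice to have the agent send only the application's public key (as it would in a CSR, so the private key never leaves the host) are assumptions. The example goes beyond the text in one respect: a subject is the agent plus an application UUID, so the same code covers one agent per application (Fig. 4) and a single agent holding parameters for several applications (Fig. 5). The registration and validation exchange is left out here; the command is taken as already authenticated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Subject names one managed certificate: the agent (device hostname plus agent UUID) and the UUID of
// the application it holds parameters for, so one agent can manage certificates for several applications.
type Subject struct{ Hostname, AgentUUID, AppUUID string }

// Result is what the trust manager sends to the agent: a certificate to install, or an order to remove one.
type Result struct{ CertDER []byte; Remove bool }

// TrustManager is a minimal issuer: the CA key pair, the certificate currently held per subject, and revoked serials.
type TrustManager struct {
	caKey   *ecdsa.PrivateKey
	CACert  *x509.Certificate
	issued  map[Subject]*x509.Certificate
	Revoked map[string]bool
}

// NewKey generates a P-256 key pair: the CA key here, and on the agent's side the application's key.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func NewTrustManager() (*TrustManager, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example trust manager CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, _ := x509.ParseCertificate(der)
	return &TrustManager{caKey: key, CACert: ca, issued: map[Subject]*x509.Certificate{}, Revoked: map[string]bool{}}, nil
}

// Handle performs the create, renew or revoke operation for one subject and builds the agent's result.
// For create/renew the agent sends only the application's public key, so its private key never leaves the host.
func (tm *TrustManager) Handle(op string, s Subject, appPub *ecdsa.PublicKey) (Result, error) {
	cur := tm.issued[s]
	switch op {
	case "create", "renew":
		if (op == "renew") != (cur != nil) || appPub == nil {
			return Result{}, errors.New(op + ": missing key, or the subject's certificate state does not match")
		}
		serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
		tmpl := &x509.Certificate{
			SerialNumber: serial, Subject: pkix.Name{CommonName: s.AppUUID},
			DNSNames:     []string{s.Hostname}, // usable only on the host the agent is registered for
			NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tm.CACert, appPub, tm.caKey)
		if err != nil {
			return Result{}, err
		}
		tm.issued[s], _ = x509.ParseCertificate(der)
		return Result{CertDER: der}, nil
	case "revoke":
		if cur == nil {
			return Result{}, errors.New("revoke: subject holds no certificate")
		}
		tm.Revoked[cur.SerialNumber.String()] = true
		delete(tm.issued, s)
		return Result{Remove: true}, nil
	}
	return Result{}, errors.New("unsupported operation " + op)
}

// Install is the agent's side. Before a result replaces the application's certificate it must parse and
// chain to the trust manager's CA for this host; the certificate now in use is returned, nil after a revoke.
func Install(res Result, ca *x509.Certificate, hostname string) (*x509.Certificate, error) {
	if res.Remove {
		return nil, nil
	}
	leaf, err := x509.ParseCertificate(res.CertDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname}); err != nil {
		return nil, err
	}
	return leaf, nil
}
```

A run is: `NewTrustManager`, then for each application the agent generates a key with `NewKey`, sends `Handle("create", subject, &key.PublicKey)`, and passes the `Result` through `Install` before the application's TLS stack is pointed at the new certificate; a rekey is a `renew` carrying a freshly generated key. `Install` is the check a practitioner would insist on: a result that does not chain to the trust manager's CA, or is not valid for this host, never replaces the application's certificate, so a spoofed trust manager endpoint cannot push an arbitrary certificate onto the host. Two caveats. Revocation here is only a serial set inside the trust manager, so relying parties still need a CRL or OCSP response built from it; and a real deployment would authenticate the command channel (mutually authenticated TLS, or the validation exchange from the earlier example) before honouring any of these commands.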
PCT/US2021/046796 2021-08-20 2021-08-20 Gestion de certificat basée sur un agent WO2023022724A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2021/046796 WO2023022724A1 (fr) 2021-08-20 2021-08-20 Gestion de certificat basée sur un agent

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2021/046796 WO2023022724A1 (fr) 2021-08-20 2021-08-20 Gestion de certificat basée sur un agent

Publications (1)

Publication Number Publication Date
WO2023022724A1 true WO2023022724A1 (fr) 2023-02-23

Family

ID=85239703

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2021/046796 WO2023022724A1 (fr) 2021-08-20 2021-08-20 Gestion de certificat basée sur un agent

Country Status (1)

Country Link
WO (1) WO2023022724A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11936772B1 (en) 2023-03-24 2024-03-19 Srinivas Kumar System and method for supply chain tamper resistant content verification, inspection, and approval
US12015721B1 (en) * 2023-03-24 2024-06-18 Srinivas Kumar System and method for dynamic retrieval of certificates with remote lifecycle management

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2419235C2 (ru) * 2006-05-05 2011-05-20 InterDigital Technology Corporation Digital rights management using trusted processing techniques
US20170012953A1 (en) * 2011-12-21 2017-01-12 Ssh Communications Security Oyj Automated Access, Key, Certificate, and Credential Management
US10003458B2 (en) * 2011-12-21 2018-06-19 Ssh Communications Security Corp. User key management for the secure shell (SSH)
US10841316B2 (en) * 2014-09-30 2020-11-17 Citrix Systems, Inc. Dynamic access control to network resources using federated full domain logon
US10972467B2 (en) * 2013-03-15 2021-04-06 Airwatch Llc Certificate based profile confirmation

Similar Documents

Publication Publication Date Title
US10979419B2 (en) System and method of device identification for enrollment and registration of a connected endpoint device, and blockchain service
US20200242249A1 (en) System and method for recording device lifecycle transactions as versioned blocks in a blockchain network using a transaction connector and broker service
US11711222B1 (en) Systems and methods for providing authentication to a plurality of devices
US10678555B2 (en) Host identity bootstrapping
US9621355B1 (en) Securely authorizing client applications on devices to hosted services
US10003458B2 (en) User key management for the secure shell (SSH)
CN107820689B (zh) System and method for distributing authentication keys to application installations
US20170041349A1 (en) Installing configuration information on a host
EP3850510B1 (fr) Infrastructure device enrollment
US12028330B2 (en) Systems and methods for credentials distribution
WO2023022724A1 (fr) Gestion de certificat basée sur un agent
US20230267226A1 (en) Blockchain-based operations
US9515877B1 (en) Systems and methods for enrolling and configuring agents
EP3934197B1 (fr) Distributed directory caching techniques for secure and efficient resource access
US20230269099A1 (en) Revocation of certificates issued by distributed servers
WO2023069062A1 (fr) Blockchain-based certificate lifecycle management
US20230078179A1 (en) High frequency rotation of cryptographic data
US20240338465A1 (en) Producing messages

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 21954394; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 21954394; Country of ref document: EP; Kind code of ref document: A1