Mechanism to support single certificate for different public keys in Cloud Deployments
Publication Date: 2016-Jan-06
The IP.com Prior Art Database
The proposed idea is to enhance the Public Key Infrastructure (PKI) so that a single certificate can certify multiple different public keys. Its most common use is where a single owner maintains different services or Virtual Machines and has to manage a separate certificate for each service or machine. The most beneficial use of this mechanism is in cloud computing, where a customer can rent multiple Virtual Machines and software as a service, and might have to manage multiple certificates for their authentication.
Acronyms Used:
CSR - Certificate Signing Request
CA - Certificate Authority
VM - Virtual Machine
SaaS - Software as a Service
FQDN - Fully Qualified Domain Name
SSL - Secure Socket Layer
PKI - Public Key Infrastructure
This proposed idea solves the problem of managing one certificate per public key. One certificate per public key means that a single owner who manages multiple types of computing services or systems ends up holding multiple certificates.
This is mainly to address Cloud deployments with the following types of requirements:
A customer has rented multiple VMs and wants to use public key cryptography to authenticate those VMs.
A customer runs multiple servers/services (SaaS) and uses public key cryptography, e.g. SSL, to authenticate those services.
In both of the above scenarios, the customer maintains a public/private key pair for each VM instance or, in the SaaS case, for each service, and has to get one certificate signed for each public key. One question that arises is why the customer has to maintain different certificates at all: why not use a single public/private key pair for multiple VMs/services? This has the obvious issue of sharing the same private key secret among multiple systems/services, so that the compromise of one results in the compromise of all the other systems/services as well.
The proposed solution fixes this issue by providing a mechanism for a single certificate to certify multiple different public keys, so that customers using this mechanism have to manage only a single certificate.
The core idea of the proposed innovation is an enhancement of the Certificate Signing Request and of the Certificate itself to support a single certificate for multiple different public keys. It also enhances Common Name support so that the same certificate can be used for different hosts or services.
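As an added illustration (not the document's own mechanism or encoding), the following Go model shows the two checks a relying party would perform against one certificate that carries several public keys: a CA signature over the whole set of host-to-key bindings, then proof of possession against the single key listed for the host being authenticated, so a key stolen from one VM cannot be used to impersonate another host covered by the same certificate. The struct layout, the Ed25519 choice and the JSON encoding are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Binding ties one host or service identity (its FQDN) to that host's own public key.
type Binding struct {
	Name   string
	PubKey []byte
}

// MultiKeyCert is an illustrative model of the proposal (field layout assumed): one CA
// signature covers every binding, so the owner manages one certificate per tenant
// while each VM or service still keeps its own private key.
type MultiKeyCert struct {
	Owner    string
	Bindings []Binding
	CASig    []byte
}

// tbs returns the to-be-signed bytes: the certificate with its signature field blanked.
func (c *MultiKeyCert) tbs() []byte {
	cp := *c
	cp.CASig = nil
	b, _ := json.Marshal(cp) // marshalling this plain struct cannot fail
	return b
}

// IssueCert plays the CA: one signing operation certifies all listed public keys.
func IssueCert(caPriv ed25519.PrivateKey, owner string, bindings []Binding) *MultiKeyCert {
	c := &MultiKeyCert{Owner: owner, Bindings: bindings}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// Authenticate is the relying party's check: the CA signature must cover the whole
// certificate, the host must be listed, and the host must prove possession of the
// private key matching its own listed public key by signing the verifier's nonce.
func Authenticate(caPub ed25519.PublicKey, c *MultiKeyCert, host string, nonce, proof []byte) error {
	if !ed25519.Verify(caPub, c.tbs(), c.CASig) {
		return errors.New("CA signature does not verify")
	}
	for _, b := range c.Bindings {
		if b.Name == host {
			// length check first: ed25519.Verify panics on a malformed public key
			if len(b.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(b.PubKey), nonce, proof) {
				return fmt.Errorf("%s: proof of possession failed", host)
			}
			return nil
		}
	}
	return fmt.Errorf("%s: not covered by certificate", host)
}
```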
The proposed idea is meant for the authentication of computing machines, not of users. Certificates are also used for digital signatures, e.g. for signing documents, where an individual may choose to have different key pairs and correspondingly different certificates; however, the scope of the proposed idea is not to address those applications of public key cryptography. The proposed idea addresses the machine/service authentication usage of public key cryptography.
This solution will provide a more efficient way of handling certificates for different public keys and will save time for both the customer and the CA in the case of Cloud Deployments.
Cloud Deployments differ from traditional deployments in that customers rent VMs/SaaS on third-party systems and need to authenticate them for remote access.
In traditional deployments, organisations had their systems in their own data centers, which were private to them and under their total control. Also, all the services ran on those systems. But as organizations move to deployment in clouds, they will use publ...