System and Method for Centrally Managing Secure Socket Layer (SSL) Certificates

Abstract: A system (300) for centrally managing Secure Socket Layer (SSL) certificates is disclosed. In some embodiments, the system (300) includes a certificate management device (302) configured to centrally (402) monitor, track, and renew a plurality of pre-deployed SSL certificates associated with a plurality of application servers and a plurality of network devices, and issued by a set of Certificate Authority (CA). The certificate management device (302) includes a monitoring module (304) configured to monitor (404) validity of each of the plurality of pre-deployed SSL certificates; and generate (406) auto ticketing for one or more of the plurality of pre-deployed SSL certificates. The certificate management device (302) further includes a certificate generation module (306) configured to automatically create (408) a certificate signing request (CSR) for each of the one or more pre-deployed SSL certificate; send (410) a request for a new SSL certificate to an associated CA based on the CSR; and receive (412) the new SSL certificate from the associated CA.

Patent Information

Application #:
Filing Date: 26 December 2021
Publication Number: 53/2021
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Email: docketing@inventip.in
Parent Application:
Patent Number:
Legal Status:
Grant Date: 2025-06-24
Renewal Date:

Applicants

HCL Technologies Limited
806, Siddharth, 96, Nehru Place, New Delhi - 110019, INDIA

Inventors

1. YATIN SADHWANI
14968, 101a UNIT 321, SURREY, V3R 0E8, BRITISH COLUMBIA CANADA

Specification

Generally, the invention relates to Secure Socket Layer (SSL) certificates. More specifically, the invention relates to a system and method for centrally managing SSL certificates.

Background
[002] Secure Sockets Layer (SSL) certificates are the certificates that enable websites to move from Hypertext Transfer Protocol (HTTP) to Hypertext Transfer Protocol Secure (HTTPS). HTTPS is the secure version of HTTP, and HTTPS websites are those that use SSL/Transport Layer Security (TLS) to encrypt their traffic. In other words, SSL certificates provide authentication and enable encryption of data shared between an application (e.g., web browser) and a web server in order to maintain confidentiality. Each website requires an SSL certificate to keep user data safe, authenticate ownership, prevent attackers from constructing a false version of the site, and earn user confidence.
[003] Currently, many organizations and companies are struggling with monitoring, tracking and renewing of SSL certificates, especially for network appliances, for example, Aruba Wireless controllers, Clear pass F5 load balancers virtual servers, Pulse VPN boxes, Forescout, Infoblox, CISCO ACS, PaloAlto Firewalls, and Gigamon’s, etc. Moreover, many of these organizations and companies have experienced multiple major service outages due to failure of manual or static tracking of the expiration of SSL certificates issued by a CA (Certificate Authority), and due to limitations on installing third-party plugins on network appliances or tightly coupled systems. In addition, the increase in the number of SSL certificates, shorter life cycles, and changing standards in cryptography have exponentially increased the risk of outages and failed audits, where mismanaged keys and digital certificates routinely disrupt services and undermine trust in business. In order to overcome the above-mentioned limitations, an application that can centrally manage monitoring, tracking, and renewing of SSL certificates is required.
[004] Therefore, there is a need of implementing an efficient and reliable system and method for centrally managing secure socket layer (SSL) certificates.

SUMMARY OF INVENTION
[005] In one embodiment, a system for centrally managing Secure Socket Layer (SSL) certificates is disclosed. The system includes a certificate management device configured to centrally monitor, track, and renew a plurality of pre-deployed SSL certificates associated with a plurality of application servers and a plurality of network devices, and issued by a set of Certificate Authority (CA). The certificate management device includes a monitoring module and a certificate generation module. The monitoring module is configured to monitor validity of each of the plurality of pre-deployed SSL certificates based on a pre-configured threshold for certificate expiry. The monitoring module is further configured to generate auto ticketing for one or more of the plurality of pre-deployed SSL certificates based on monitoring. The certificate generation module is configured to automatically create a certificate signing request (CSR) for each of the one or more pre-deployed SSL certificate by replicating certificate attributes from the corresponding pre-deployed SSL certificate, upon auto-ticketing. The certificate generation module is further configured to send a request for a new SSL certificate to an associated CA based on the CSR. The certificate generation module is further configured to receive the new SSL certificate from the associated CA.
[006] In another embodiment, a method for centrally managing Secure Socket Layer (SSL) certificates is disclosed. The method may include centrally monitoring, tracking, and renewing a plurality of pre-deployed SSL certificates associated with a plurality of application servers and a plurality of network devices, and issued by a set of Certificate Authority (CA). The methods to centrally monitor, track, and renew the plurality of pre-deployed SSL certificates further includes monitoring validity of each of the plurality of pre-deployed SSL certificates based on a pre-configured threshold for certificate expiry. The method further includes generating auto ticketing for one or more of the plurality of pre-deployed SSL certificates based on monitoring. The method further includes upon auto-ticketing, automatically creating a certificate signing request (CSR) for each of the one or more pre-deployed SSL certificate by replicating certificate attributes from the corresponding pre-deployed SSL certificate. The method further includes sending a request for a new SSL certificate to an associated CA based on the CSR. The method further includes receiving the new SSL certificate from the associated CA.
[007] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS
[008] The present application can be best understood by reference to the following description taken in conjunction with the accompanying drawing figures, in which like parts may be referred to by like numerals.
[009] FIG. 1 is a pictorial depiction of a current workflow used for managing Secure Socket Layer (SSL) certificate, in accordance with some embodiment of the present disclosure.
[010] FIG. 2 is pictorial depiction of a proposed workflow for centrally managing Secure Socket Layer (SSL) certificates, in accordance with some embodiment of the present disclosure.
[011] FIG. 3 illustrates a functional block diagram of an exemplary system proposed for centrally managing Secure Socket Layer (SSL) certificates, in accordance with some embodiment of the present disclosure.
[012] FIG. 4 illustrates a flowchart of a method for centrally managing Secure Socket Layer (SSL) certificates, in accordance with some embodiment of the present disclosure.
[013] FIG. 5 illustrates a flowchart of a detailed method for centrally managing Secure Socket Layer (SSL) certificates, in accordance with some embodiment of the present disclosure.
[014] FIG. 6 illustrates a flowchart of a method for centrally managing one or more pre-deployed Secure Socket Layer (SSL) certificates, in accordance with some embodiment of the present disclosure.

DETAILED DESCRIPTION OF THE DRAWINGS
[015] The following description is presented to enable a person of ordinary skill in the art to make and use the invention and is provided in the context of particular applications and their requirements. Various modifications to the embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the invention. Moreover, in the following description, numerous details are set forth for the purpose of explanation. However, one of ordinary skill in the art will realize that the invention might be practiced without the use of these specific details. In other instances, well-known structures and devices are shown in block diagram form in order not to obscure the description of the invention with unnecessary detail. Thus, the invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
[016] While the invention is described in terms of particular examples and illustrative figures, those of ordinary skill in the art will recognize that the invention is not limited to the examples or figures described. Those skilled in the art will recognize that the operations of the various embodiments may be implemented using hardware, software, firmware, or combinations thereof, as appropriate. For example, some processes can be carried out using processors or other digital circuitry under the control of software, firmware, or hard-wired logic. (The term “logic” herein refers to fixed hardware, programmable logic and/or an appropriate combination thereof, as would be recognized by one skilled in the art to carry out the recited functions.) Software and firmware can be stored on computer-readable storage media. Some other processes can be implemented using analog circuitry, as is well known to one of ordinary skill in the art. Additionally, memory or other storage, as well as communication components, may be employed in embodiments of the invention.
[017] Referring now to FIG. 1, a current workflow 100 used for managing Secure Socket Layer (SSL) certificate is depicted, in accordance with some embodiment of the present disclosure. Currently, in order to manage a plurality of pre-deployed SSL certificates, a mail server 102 may create an email alert 104 about expiry of one or more of the plurality of pre-deployed SSL certificates. Further, the created email alert 104 may be sent to a concerned user email address 106 to inform the concerned user about the expiry of the one or more of the plurality of pre-deployed SSL certificates. The concerned user may have to manually monitor, track, and renew each of the one or more of the plurality of pre-deployed SSL certificates in order to maintain secure functioning of a set of websites that includes the one or more of the plurality of pre-deployed SSL certificates.
[018] By way of an example, suppose an organization named ‘Infoblox’ might have deployed a plurality of SSL certificates in order to allow users (e.g., customers) to securely access their websites. In the present example, the plurality of SSL certificates deployed may correspond to a set of SSL certificates provided for Virtual Private Network (VPN) Servers 108 of Infoblox, an Infoblox SSL certificate 110 provided for the Infoblox website, a set of SSL certificates provided for Aruba Controllers 112 of Infoblox, a set of SSL certificates provided for virtual servers 114 of Infoblox, and a set of SSL certificates provided for clear pass 116 of Infoblox.
[019] In order to manage each of the plurality of SSL certificates that has been previously deployed by Infoblox, a plurality of users may have to manually monitor and track each of the plurality of previously deployed SSL certificates (i.e., the plurality of pre-deployed SSL certificates). Each of the plurality of users may correspond to a member of a support group of Infoblox. Further, each of the plurality of users may be responsible for monitoring, tracking, and renewing each of the plurality of previously deployed SSL certificates in order to enable secure functioning of the websites.
[020] Based on monitoring and tracking of each of the plurality of previously deployed SSL certificates, one of the plurality of users may have to generate a request to an associated Certificate Authority (CA) to renew the one or more of the plurality of previously deployed SSL certificates that are about to expire or are already expired. In order to generate the request, the one of the plurality of users may have to manually create a Certificate Signing Request (CSR) for the one or more of the plurality of previously deployed SSL certificates. In order to create the CSR, the one of the plurality of users may have to manually input certificate attributes for corresponding one or more of the plurality of previously deployed SSL certificates.
[021] Once the CSR is created, the one of the plurality of users may have to send the request for a new SSL certificate to the associated CA for the one or more of the plurality of previously deployed SSL certificates that are about to expire or are already expired, based on the created CSR. Upon receiving the request, the associated CA may issue the new SSL certificate. Further, the one of the plurality of users may have to update the newly received SSL certificate to ensure secure functioning of an associated website.
[022] This complete process of manually monitoring, tracking, and renewing each of the plurality of pre-deployed SSL certificates may not be efficient, as it may include human error and may be time consuming. Therefore, due to limitations of the existing technique for managing the plurality of pre-deployed SSL certificates as disclosed in FIG. 1, the present disclosure provides an efficient system and method for centrally managing the plurality of pre-deployed SSL certificates. This has been explained in greater detail in conjunction with FIG. 2 - FIG. 5.
[023] Referring now to FIG. 2, a proposed workflow 200 for centrally managing Secure Socket Layer (SSL) certificates is depicted, in accordance with some embodiment of the present disclosure. In order to centrally manage each of the plurality of pre-deployed SSL certificates, an interactive dashboard may be created. The created interactive dashboard may be installed on a certificate management device 202. The certificate management device 202 may be a processor-based device configured to perform functionalities to centrally manage each of the plurality of pre-deployed SSL certificates. Initially, the created interactive dashboard may be populated with the plurality of pre-deployed SSL certificates in order to centrally monitor, track, and renew each of the plurality of pre-deployed SSL certificates. The interactive dashboard may be populated by fetching each of the plurality of pre-deployed SSL certificates from a server of a concerned organization.
[024] By way of an example, in the present embodiment, the concerned organization may correspond to ‘Infoblox’. The server of the Infoblox may correspond to a server 204. In addition, the plurality of pre-deployed SSL certificates may correspond to a set of SSL certificates provided for Virtual Private Network Servers 204 of Infoblox, an Infoblox SSL certificate 206 provided for the Infoblox website, a set of SSL certificates provided for Aruba Controllers 208 of Infoblox, a set of SSL certificates provided for virtual servers 210 of Infoblox, and a set of SSL certificates provided for clear pass 212 of Infoblox.
[025] Once each of the plurality of pre-deployed SSL certificates is fetched from the server (i.e., server 204) of the concerned organization (i.e., the Infoblox), each of the plurality of pre-deployed SSL certificates may be received via an email 216 by the certificate management device 202. Further, the certificate management device 202 may be connected to a server 218. The server 218 may be configured to store each of the plurality of pre-deployed SSL certificates and information associated with each of the plurality of SSL certificates on a database 220.
[026] Once each of the plurality of pre-deployed SSL certificates is stored and the interactive dashboard is populated, the certificate management device 202 may be configured to centrally monitor, track, and renew each of the plurality of pre-deployed SSL certificates. This has been explained in greater detail in conjunction with FIG. 3 – FIG. 5. Further, based on central management of each of the plurality of pre-deployed SSL certificates, the certificate management device 202 may be configured to notify one of a plurality of users 222 about vulnerability or expiration of at least one of the plurality of pre-deployed SSL certificates.
[027] In the present embodiment, the plurality of users 222 may correspond to members of a support group of the Infoblox. By way of an example, suppose a default value set for expiry of each of the plurality of pre-deployed SSL certificates of the Infoblox is defined for 60 days. Then, based on the default value set for expiry, an alert may be generated 15 days prior to expiry of the at least one of the plurality of pre-deployed SSL certificates in order to notify at least one member of the support group about expiry of the at least one of the plurality of pre-deployed SSL certificates. Upon receiving no response from the support group, a second alert may be generated 7 days prior to expiry of the at least one of the plurality of pre-deployed SSL certificates.
[028] In one embodiment, upon receiving response from the at least one member a suitable action may be taken to renew or halt renewal of the at least one of the plurality of pre-deployed SSL certificates based on the received response. In other embodiment, upon receiving no response from the at least one member after the second alert, the certificate management device 202 may automatically renew the at least one of the plurality of pre-deployed SSL certificates by creating a CSR for the at least one of the plurality of pre-deployed SSL certificates. Based on the created CSR, the certificate management device 202 may be configured to send a request for a new SSL certificate to an associated CA.
[029] The request for the new SSL certificate may be sent using Representational State Transfer - Application programming Interface (REST-API) protocol. Upon receiving the request, the associated CA may be configured to issue the new SSL certificate for the at least one of the plurality of pre-deployed SSL certificates based on the received CSR. The new SSL certificate issued may be received by the certificate management device 202. The certificate management device 202 may then automatically update the new SSL certificate received for at least one of the plurality of pre-deployed SSL certificates of the concerned organization.
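The alert schedule of paragraphs [027] and [028] as a small state machine, added here as an illustration and not taken from the application. It assumes the 60-day threshold counts days remaining before expiry, that a scheduler runs once per day, that auto-renewal happens on the run after an unanswered second alert, and that an already-expired certificate goes straight to renewal; `TrackedCert`, `decide` and the other names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

THRESHOLD_DAYS = 60     # pre-configured expiry threshold (the page's example value)
FIRST_ALERT_DAYS = 15   # first alert, days before expiry (the page's example value)
SECOND_ALERT_DAYS = 7   # second alert, days before expiry (the page's example value)


class Action(Enum):
    NONE = "none"
    TICKET = "open_ticket"
    FIRST_ALERT = "first_alert"
    SECOND_ALERT = "second_alert"
    RENEW = "renew"
    HOLD = "hold"


@dataclass
class TrackedCert:
    name: str
    not_after: datetime
    ticket_open: bool = False
    alerts_sent: int = 0
    owner_response: Optional[str] = None  # "renew", "halt" or None (no reply)


def days_left(cert, now):
    # timedelta.days floors, so a certificate that expired an hour ago gives -1.
    return (cert.not_after - now).days


def decide(cert, now):
    """Return the single next action for one certificate on one scheduler run."""
    left = days_left(cert, now)
    if left > THRESHOLD_DAYS:
        return Action.NONE
    if cert.owner_response == "halt":      # owner asked to halt renewal
        return Action.HOLD
    if not cert.ticket_open:               # every tracked renewal gets a ticket first
        return Action.TICKET
    if cert.owner_response == "renew" or left < 0:
        return Action.RENEW                # explicit approval, or already expired
    if left <= SECOND_ALERT_DAYS:
        # No reply after the second alert: renew automatically.
        return Action.RENEW if cert.alerts_sent >= 2 else Action.SECOND_ALERT
    if left <= FIRST_ALERT_DAYS and cert.alerts_sent == 0:
        return Action.FIRST_ALERT
    return Action.NONE


def apply(cert, action):
    """Record the side effect of an action in the tracker state."""
    if action is Action.TICKET:
        cert.ticket_open = True
    elif action is Action.FIRST_ALERT:
        cert.alerts_sent = 1
    elif action is Action.SECOND_ALERT:
        cert.alerts_sent = 2


def simulate(cert, start, days):
    """Run the daily check for `days` days and return (days_left, action) events."""
    events = []
    for offset in range(days):
        now = start + timedelta(days=offset)
        action = decide(cert, now)
        if action is Action.NONE:
            continue
        events.append((days_left(cert, now), action.value))
        apply(cert, action)
        if action in (Action.RENEW, Action.HOLD):
            break
    return events


# Constructed sample: one certificate expiring at a fixed, made-up date.
EXPIRY = datetime(2025, 3, 31, tzinfo=timezone.utc)


def sample_timeline(first_seen_days_before, response=None):
    cert = TrackedCert("vpn.example.test", EXPIRY, owner_response=response)
    start = EXPIRY - timedelta(days=first_seen_days_before)
    return simulate(cert, start, first_seen_days_before + 5)


if __name__ == "__main__":
    for left, action in sample_timeline(70):
        print(f"{left:>3} days left -> {action}")
```

A certificate first discovered inside the 7-day window, or already expired, still gets a ticket before any renewal, so every automatic renewal leaves an audit record.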
[030] Referring now to FIG. 3, a functional block diagram of an exemplary system 300 proposed for centrally managing Secure Socket Layer (SSL) certificates is illustrated, in accordance with some embodiment of the present disclosure. In order to centrally manage SSL certificates, the system 300 may include a certificate management device 302. In reference to FIG. 2, the certificate management device 302 may correspond to the certificate management device 202. In an embodiment, the certificate management device 302 may provide an interactive dashboard (i.e., a graphical user interface (GUI)) to each of a plurality of users for centrally managing a plurality of pre-deployed SSL certificates. In an embodiment, each of the plurality of users may correspond to members of a support group of a concerned organization. The certificate management device 302 may be configured to centrally monitor, track, and renew the plurality of pre-deployed SSL certificates. It should be noted that, in the present embodiment, the certificate management device 302 disclosed may be implemented using the Python programming language. However, any existing computer programming language may be used for implementing the certificate management device 302.
[031] Further, each of the plurality of pre-deployed SSL certificates may be associated with a plurality of application servers and a plurality of network devices. Examples of the plurality of application servers may include, but are not limited to, JBoss, WebLogic, Websphere, Glassfish, Tcat Server, Apache Geronimo, JRun, and Oracle OC4J. In addition, examples of the plurality of network devices may include, but are not limited to, Aruba Wireless controllers, Clear pass F5 load balancers virtual servers, Pulse VPN boxes, Forescout, Infoblox, CISCO ACS, PaloAlto Firewalls, and Gigamon’s. Moreover, each of the plurality of pre-deployed SSL certificates may be issued by a set of CA. As will be appreciated, each of the set of CA may correspond to an entity responsible for issuing each of the plurality of pre-deployed SSL certificates.
[032] In order to centrally monitor, track, and renew each of the plurality of SSL certificates, the certificate management device 302 may include a monitoring module 304 and a certificate generation module 306. The monitoring module 304 may be configured to monitor validity of each of the plurality of pre-deployed SSL certificates. The validity of each of the plurality of pre-deployed SSL certificates may be monitored based on a pre-configured threshold for certificate expiry. By way of an example, a pre-configured threshold for validating expiry of each of the plurality of pre-deployed SSL certificates may be defined to be of 60 days. Once the validity of each of the plurality of SSL certificates is monitored, the monitoring module 304 may be configured to generate auto-ticketing for one or more of the plurality of pre-deployed SSL certificates.
[033] Once auto-tickets are generated for each of the plurality of SSL certificates, the certificate generation module 306 may be configured to automatically create a CSR for each of the one or more pre-deployed SSL certificates. The CSR may be automatically created for each of the one or more pre-deployed SSL certificates by replicating certificate attributes from the corresponding pre-deployed SSL certificate. Once the CSR is created, the certificate generation module 306 may be configured to send a request for a new SSL certificate to an associated CA based on the CSR. In an embodiment, the request for the new SSL certificate may be sent to the associated CA based on identifying expiry of at least one of the one or more pre-deployed SSL certificates. Further, upon sending the request for the new SSL certificate, the certificate generation module 306 may be configured to receive the new SSL certificate from the associated CA.
[034] The certificate management device 302 may be a processor based device that includes a memory and an Input/Output (I/O) unit. The I/O unit may further include a user interface. A user or an administrator may interact with the certificate management device 302 and vice versa through the I/O unit. Further, the memory may store instructions that, when executed by the processor of the certificate management device 302, may cause the processor to centrally monitor, track, and renew each of the plurality of pre-deployed SSL certificates.
[035] As will be described in greater detail in conjunction with FIG. 4 and FIG. 5, the processor in conjunction with memory may perform various functions including monitoring validity of each of the plurality of pre-deployed SSL certificates, generating auto ticketing for one or more of the plurality of pre-deployed SSL certificates, automatically creating the CSR for each of the one or more pre-deployed SSL certificates, sending the request for the new SSL certificate to the associated CA, and receiving the new SSL certificate from the associated CA, etc. Examples of the certificate management device 302 may include, but are not limited to, a server, a desktop, a laptop, a notebook, a tablet, a smartphone, a mobile phone, an application server, or the like.
[036] The certificate management device 302 may be connected to a database 308. The database 308 may be used to store information associated with each of the plurality of pre-deployed SSL certificates, and information of the CA associated with each of the plurality of pre-deployed SSL certificates. In addition, the database 308 may store the new SSL certificate received from the associated CA based on the CSR generated for each of the one or more pre-deployed SSL certificates. Additionally, the database 308 may be periodically updated based on the new SSL certificate received from the associated CA for the at least one of the one or more pre-deployed SSL certificates. In reference to FIG. 2, the database 308 may correspond to the database 220.
[037] Further, the certificate management device 302 may interact with a server 310 or the external devices 316 over a network 314 for sending and receiving various data. The network 314, for example, may be any wired or wireless communication network and the examples may include, but may be not limited to, the Internet, Wireless Local Area Network (WLAN), Wi-Fi, Long Term Evolution (LTE), Worldwide Interoperability for Microwave Access (WiMAX), and General Packet Radio Service (GPRS).
[038] In some embodiment, the certificate management device 302 may fetch information associated with each of the plurality of pre-deployed SSL certificates from the server 310. In reference to FIG. 2, the server 310 may correspond to the server 204. In addition, the server 310 may provide information associated with the plurality of pre-deployed SSL certificates to a plurality of users. The server 310 may further include a database 312. The database 312 may store information associated with each of the plurality of pre-deployed SSL certificates. By way of an example, the database 312 may store the information associated with each of the plurality of pre-deployed SSL certificates in order to distinguish the new SSL certificates from existing ones. The database 312 may be periodically updated based on information associated with the new SSL certificates. Alternatively, the certificate management device 302 may receive the user input from one of the external devices 316.
[039] Referring now to FIG. 4, a method 400 for centrally managing Secure Socket Layer (SSL) certificates is depicted via a flowchart, in accordance with some embodiment of the present disclosure. At step 402, each of a plurality of pre-deployed SSL certificates issued by a set of CA may be centrally monitored, tracked and renewed. In an embodiment, each of the plurality of pre-deployed SSL certificates may be associated with a plurality of application servers and a plurality of network devices. Examples of the plurality of application servers may include, but is not limited to, JBoss, WebLogic, Websphere, Glassfish, Tcat Server, Apache Geronimo, JRun, and Oracle OC4J. In addition, examples of the plurality of network devices may include, but is not limited to, Aruba Wireless controllers, Clear pass F5 load balancers virtual servers, Pulse VPN boxes, Forescout, Infoblox, CISCO ACS, PaloAlto Firewalls, and Gigamon’s.
[040] In order to centrally monitor, track, and renew each of the plurality of pre-deployed SSL certificates, at step 404, validity of each of the plurality of pre-deployed SSL certificates may be monitored. The validity of each of the plurality of pre-deployed SSL certificates may be monitored based on a pre-configured threshold for certificate expiry. In reference to FIG. 2, the pre-configured threshold may correspond to the default value defined for validating expiry of each of the plurality of pre-deployed SSL certificates. By way of an example, the pre-configured threshold may be defined to be 60 days. Based on the pre-configured threshold, the validity of each of the plurality of pre-deployed SSL certificates may be monitored to identify expiry of each of the plurality of pre-deployed SSL certificates.
[041] Further, at step 406, auto-ticketing for one or more of the plurality of pre-deployed SSL certificates may be generated based on monitoring. In an embodiment, the auto-ticketing may enable unique identification for determining expiry of the one or more of the plurality of pre-deployed SSL certificates. In an embodiment, one of a plurality of users may be notified about vulnerability or expiration of at least one of the plurality of pre-deployed SSL certificates identified based on monitoring. In the present embodiment, the plurality of users may correspond to members of a support group of the concerned organization responsible for managing the at least one of the plurality of pre-deployed SSL certificates.
[042] Once the auto-ticketing is done, at step 408, a new CSR may be automatically created for each of the one or more pre-deployed SSL certificates. The CSR may be automatically created by replicating certificate attributes from the corresponding pre-deployed SSL certificate. In an embodiment, the CSR may be created upon identifying expiry of the one or more of the plurality of pre-deployed SSL certificates. In some embodiment, the CSR for the new certificate may be manually created based on inputted certificate attributes. In other words, a user may manually create the CSR for the new SSL certificate upon receiving a request for creation of the new SSL certificate for a new website. The new SSL certificate may be manually created by inputting certificate attributes for the new SSL certificate.
[043] Upon creating the CSR, at step 410, a request may be sent to a CA associated with the one or more of the plurality of pre-deployed SSL certificates based on the generated CSR. In an embodiment, the request for the new SSL certificate may be sent using REST-API protocol. Once the request for the new SSL certificate is sent to the associated CA, at step 412, the new SSL certificate may be received from the associated CA. In an embodiment, the new SSL certificate may be replicated and mailed to the support group of the concerned organization.
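Step 408, creating the CSR by replicating attributes from the deployed certificate, sketched with the Python `cryptography` library as an added example (not the applicant's code). The set of copied extensions, the fresh key pair, the 2048-bit RSA floor, the function names and the sample certificate for `vpn.example.test` are assumptions or constructed values.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Extensions copied into the CSR. Assumed set: the page only says
# "certificate attributes" without listing them.
REPLICATED = (
    ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
    ExtensionOID.KEY_USAGE,
    ExtensionOID.EXTENDED_KEY_USAGE,
)
MIN_RSA_BITS = 2048  # assumed floor so a weak legacy key size is not carried over


def new_key_like(public_key):
    """Generate a fresh private key of the same family as the old certificate's key."""
    if isinstance(public_key, ec.EllipticCurvePublicKey):
        return ec.generate_private_key(public_key.curve)
    if isinstance(public_key, rsa.RSAPublicKey):
        bits = max(public_key.key_size, MIN_RSA_BITS)
        return rsa.generate_private_key(public_exponent=65537, key_size=bits)
    raise ValueError("unsupported key type in existing certificate")


def replicate_csr(cert_pem):
    """Build a CSR with the subject and selected extensions of an existing certificate."""
    old = x509.load_pem_x509_certificate(cert_pem)
    key = new_key_like(old.public_key())
    builder = x509.CertificateSigningRequestBuilder().subject_name(old.subject)
    for oid in REPLICATED:
        try:
            ext = old.extensions.get_extension_for_oid(oid)
        except x509.ExtensionNotFound:
            continue  # the old certificate did not carry this extension
        builder = builder.add_extension(ext.value, critical=ext.critical)
    # Always sign with SHA-256 instead of copying the old certificate's digest.
    return builder.sign(key, hashes.SHA256()), key


def _dns_names(obj):
    try:
        ext = obj.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return sorted(ext.value.get_values_for_type(x509.DNSName))


def _spki(public_key):
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def check_csr(cert_pem, csr):
    """Compare a CSR against the certificate it is meant to replace."""
    old = x509.load_pem_x509_certificate(cert_pem)
    return {
        "subject": csr.subject.rfc4514_string(),
        "same_subject": csr.subject == old.subject,
        "san": _dns_names(csr),
        "same_san": _dns_names(csr) == _dns_names(old),
        "fresh_key": _spki(csr.public_key()) != _spki(old.public_key()),
        "signature_valid": csr.is_signature_valid,
        "key_bits": csr.public_key().key_size,
    }


def make_sample_certificate():
    """Constructed self-signed certificate standing in for a pre-deployed one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "IN"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
        x509.NameAttribute(NameOID.COMMON_NAME, "vpn.example.test"),
    ])
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)
    san = x509.SubjectAlternativeName(
        [x509.DNSName("vpn.example.test"), x509.DNSName("vpn2.example.test")])
    usage = x509.KeyUsage(
        digital_signature=True, key_encipherment=True, content_commitment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=90))
            .add_extension(san, critical=False)
            .add_extension(usage, critical=True)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    pem = make_sample_certificate()
    csr, _key = replicate_csr(pem)
    print(check_csr(pem, csr))
```

Running `check_csr` before the request goes to the CA confirms the subject and SANs match the certificate being replaced while the key pair is new.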
[044] Referring now to FIG. 5, a flow diagram of a detailed method 500 for centrally managing Secure Socket Layer (SSL) certificates is depicted via a flowchart, in accordance with some embodiment of the present disclosure. At step 502, an SSL life cycle may start. In reference to FIG. 3, the SSL life cycle may be started by the certificate creation device 302. Once the SSL life cycle is started, at step 504, the plurality of pre-deployed SSL certificates may be fetched from a webserver of the concerned organization. In reference to FIG. 3, the database may correspond to the database 312. In addition, the webserver may correspond to the server 310. Once the plurality of pre-deployed SSL certificates are fetched, at step 506, a check may be performed for identifying validity of each of the plurality of pre-deployed SSL certificates.
[045] In an embodiment, the validity may be identified for determining expiry of each of the plurality of pre-deployed SSL certificates. The validity of each of the plurality of pre-deployed SSL certificates may be identified based on the pre-configured threshold. By way of an example, the pre-configured threshold may be defined to be 60 days. Based on the defined pre-configured threshold, the check may be performed to identify the one or more of the pre-deployed SSL certificates that may expire soon or are already expired. In other words, the one or more of the pre-deployed SSL certificates may be determined to have completed, or to be about to complete, a 60-day cycle from the date of issue of the one or more of the pre-deployed SSL certificates. In an embodiment, the at least one of the plurality of users holding the one or more of the pre-deployed SSL certificates may be notified about the expiry of the one or more of the pre-deployed SSL certificates.
[046] In one embodiment, based on the check performed, upon determining the validity of the one or more of the pre-deployed SSL certificates to be expired, at step 508, a tracker associated with the one or more of the pre-deployed SSL certificates may be updated in the database. In another embodiment, at step 510, a new service now incident ticket may be created for the one or more of the pre-deployed SSL certificates. In an embodiment, the new service now incident ticket may correspond to a ticket generated for creating the CSR for the one or more of the pre-deployed SSL certificates. In addition, the database may be updated based on the new service now incident ticket created for the one or more of the pre-deployed SSL certificates. Once the new service now incident ticket is generated, at step 512, a check may be performed to determine whether the CSR may need to be created for each of the one or more of the pre-deployed SSL certificates. It should be noted that, the CSR may be either created automatically or manually.
[047] In one embodiment, in order to automatically create the CSR, at step 514, a live CSR (i.e., the automatically created CSR) may be generated. The live CSR may be generated for the one or more of the pre-deployed SSL certificates by replicating certificate attributes from the corresponding pre-deployed SSL certificate. Upon generating the live CSR, at step 516, the live CSR generated may be replicated and mailed to the support group. In an embodiment, the support group may correspond to members responsible for centrally managing each of the plurality of SSL certificates.
[048] Further, at step 518, a service now requested item may be created for each of the one or more of the pre-deployed SSL certificates in order to issue a new SSL certificate. In an embodiment, the service now requested item may correspond to the request generated for creating the new SSL certificate for each of the one or more of the pre-deployed SSL certificates. Once the service now requested item is created, the created service now requested item may be sent to a CA associated with the one or more of the pre-deployed SSL certificates to create the new SSL certificate based on the automatically generated CSR. In an embodiment, the created service now requested item may be sent to the associated CA using REST-API protocol. Upon receiving the created service now requested item, at step 520, a check may be performed by the associated CA to determine whether the new SSL certificate needs to be created for each of the one or more of the pre-deployed SSL certificates using the REST-API. Based on the check performed, at step 522, a new SSL certificate may be issued for each of the one or more of the pre-deployed SSL certificates.
[049] In another embodiment, in order to manually create the CSR, at step 524, a manual CSR may be generated. The manual CSR may be generated for the one or more of the pre-deployed SSL certificates by manually inputting certificate attributes from the corresponding pre-deployed SSL certificate. It should be noted that the CSR may be generated manually only upon receiving the request for the new SSL certificate for a new website. Upon generating the manual CSR, at step 526, the manual CSR generated may be replicated and mailed to the support group.
[050] Further, at step 528, a service now requested item may be created for each of the one or more of the pre-deployed SSL certificates in order to issue a new SSL certificate. In an embodiment, the service now requested item may correspond to the request generated for creating the new SSL certificate for the new website. Once the service now requested item is created, the created service now requested item may be sent to a CA associated with the new SSL certificate to create the new SSL certificate based on the manually generated CSR. In an embodiment, the created service now requested item may be sent to the associated CA using REST-API protocol. Upon receiving the created service now requested item, at step 520, a check may be performed by the associated CA to determine whether the new SSL certificate needs to be created for the new website using the REST-API. Based on the check performed, at step 522, the new SSL certificate may be issued for the new website.
[051] Referring now to FIG. 6, a flowchart of a method 600 for centrally managing one or more pre-deployed Secure Socket Layer (SSL) certificates is illustrated, in accordance with some embodiments of the present disclosure. At step 602, a graphical user interface (GUI) client may be rendered, upon being launched by a user. In reference to FIG. 3, the GUI client may be rendered to the user on at least one of the plurality of external devices 316 (also referred to as a user device). In an embodiment, the GUI client may be configured to display a plurality of pre-deployed SSL certificates associated with a plurality of application servers and a plurality of network devices. In addition, the GUI client may display a validity of each of the plurality of pre-deployed SSL certificates. In an embodiment, each of the plurality of pre-deployed SSL certificates may be issued by one of a set of Certificate Authority (CA).
[052] Examples of the plurality of application servers may include, but is not limited to, JBoss, WebLogic, Websphere, Glassfish, Tcat Server, Apache Geronimo, JRun, and Oracle OC4J. In addition, examples of the plurality of network devices may include, but is not limited to, Aruba Wireless controllers, Clear pass F5 load balancers virtual servers, Pulse VPN boxes, Forescout, Infoblox, CISCO ACS, PaloAlto Firewalls, and Gigamon’s. Moreover, in order to display the validity of each of the plurality of pre-deployed SSL certificates, initially, the validity of each of the plurality of pre-deployed SSL certificates may be monitored based on a pre-configured threshold for certificate expiry. In reference to FIG. 2, the pre-configured threshold may correspond to the default value defined for validating expiry of each of the plurality of pre-deployed SSL certificates. Further, based on monitoring of the validity, a user may be notified about an upcoming expiry of the one or more of the plurality of pre-deployed SSL certificates.
[053] In an embodiment, the GUI client may display the validity of each of the plurality of pre-deployed SSL certificates in a visually coded format based on the pre-configured threshold for certificate expiry. In an embodiment, the visually coded format may correspond to color coded format or graphically coded format. By way of an example, in order to display the plurality of pre-deployed SSL certificates in color coded format, at least one of the plurality of pre-deployed SSL certificates with imminent expiry (e.g., expiry due within a week) may be indicated with red color. Further, at least one of the plurality of pre-deployed SSL certificates with expiry in the near future (e.g., say in 15 days) may be indicated with orange color. Moreover, at least one of the plurality of pre-deployed SSL certificates with delayed expiry (e.g., expiry due in a month) may be displayed in green color. Moreover, in some embodiments, the GUI client may be configured to enable the user to manually create a CSR for the new SSL certificate based on inputted certificate attributes.
[054] Once the GUI client displaying the plurality of pre-deployed SSL certificates is rendered to the user, at step 604, a selection for renewal of one or more of the plurality of pre-deployed SSL certificates may be received from the user. In an embodiment, the selection for renewal of the plurality of pre-deployed SSL certificates may either be manual, pre-defined, or pre-configured auto-renewal. By way of an example, in one embodiment, the user may manually select one or more of the plurality of pre-deployed SSL certificates with imminent expiry for renewal. In another embodiment, the user may set automatic renewal for one or more of the plurality of pre-deployed SSL certificates, based on the user's requirement.
[055] Upon receiving the user selection for the renewal of the plurality of SSL certificates, at step 606, auto ticketing may be generated for the one or more of the plurality of pre-deployed SSL certificates based on the user selection. In an embodiment, the auto-ticketing may enable unique identification for determining expiry of the one or more of the plurality of pre-deployed SSL certificates. Further, at step 608, a CSR may be automatically created for each of the one or more pre-deployed SSL certificates. The CSR may be created by replicating certificate attributes from the corresponding pre-deployed SSL certificate. Once the CSR is created, at step 610, a request may be sent for a new SSL certificate to an associated CA based on the created CSR. At step 612, the new SSL certificate may be received from the associated CA based on the sent request. Upon receiving the new SSL certificate, at step 614, the new SSL certificate received corresponding to each of the one or more pre-deployed SSL certificates may be updated.
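The threshold check of step 506, the ticketing of step 510 and the color bands described above can be sketched as follows. This is an added example, not code from the specification or the applicant: the inventory, the `notAfter` strings, the fixed clock and the `INC-` ticket ids are constructed, the cut-offs are the example values given in paragraphs [045] and [053], and treating everything beyond 15 days as green is an assumption.

```python
import ssl
from datetime import datetime, timezone

TICKET_THRESHOLD_DAYS = 60             # example threshold from paragraph [045]
BANDS = ((7, "red"), (15, "orange"))   # cut-offs from [053]; later expiry is green (assumed)

# Constructed inventory. notAfter uses the text format that
# ssl.SSLSocket.getpeercert() reports for a live endpoint.
INVENTORY = [
    {"host": "vpn.example.test",   "notAfter": "Dec 20 00:00:00 2024 GMT"},
    {"host": "lb01.example.test",  "notAfter": "Jan  5 00:00:00 2025 GMT"},
    {"host": "app01.example.test", "notAfter": "Jan 12 00:00:00 2025 GMT"},
    {"host": "app02.example.test", "notAfter": "Feb 15 00:00:00 2025 GMT"},
    {"host": "wiki.example.test",  "notAfter": "Jun  1 00:00:00 2025 GMT"},
    {"host": "old.example.test",   "notAfter": "not-a-date"},
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable


def days_left(not_after, now):
    """Days until expiry; negative once the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def band(days):
    """Map remaining days to the dashboard color."""
    if days < 0:
        return "expired"
    for limit, colour in BANDS:
        if days <= limit:
            return colour
    return "green"


def sweep(inventory, tracker, now):
    """One monitoring pass. `tracker` maps (host, notAfter) to an open ticket
    id, so repeating the pass never opens a duplicate for the same certificate."""
    rows = []
    for cert in inventory:
        key = (cert["host"], cert["notAfter"])
        try:
            days = days_left(cert["notAfter"], now)
            status = band(days)
            needs_ticket = days <= TICKET_THRESHOLD_DAYS
        except ValueError:
            # Unparseable expiry: fail closed and raise a ticket instead of
            # silently showing the certificate as healthy.
            status, needs_ticket = "unreadable", True
        if needs_ticket and key not in tracker:
            tracker[key] = "INC-%04d" % (len(tracker) + 1)  # hypothetical ticket id
        rows.append((cert["host"], status, tracker.get(key)))
    return rows


if __name__ == "__main__":
    open_tickets = {}
    for host, status, ticket in sweep(INVENTORY, open_tickets, NOW):
        print(f"{host:20} {status:10} {ticket or '-'}")
```

Keying the tracker on the host together with the expiry date means a renewed certificate is tracked as a new entry, while the ticket for the old one stays attached to the certificate it was raised for.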
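One way to create a CSR "by replicating certificate attributes" (step 608) is shown below as an added example, not code from the specification or the applicant. It uses the third-party `cryptography` package; the self-signed certificate is a constructed stand-in for a pre-deployed one, the function names are hypothetical, and both the choice of which extensions count as attributes and the use of a fresh key pair are assumptions, since the specification does not say either way.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Extensions carried over into the CSR (assumed list). Issuer-controlled
# extensions such as BasicConstraints are deliberately left to the CA.
REPLICATED = (ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
              ExtensionOID.KEY_USAGE,
              ExtensionOID.EXTENDED_KEY_USAGE)


def make_deployed_cert():
    """Constructed self-signed certificate standing in for a pre-deployed one."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "app01.example.test"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
    ])
    san = x509.SubjectAlternativeName(
        [x509.DNSName("app01.example.test"), x509.DNSName("www.app01.example.test")])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=300))
            .not_valid_after(now + timedelta(days=10))
            .add_extension(san, critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))


def replicate_csr(cert):
    """Build a CSR with the certificate's subject and selected extensions,
    signed by a freshly generated key. Returns (csr, new_private_key)."""
    new_key = ec.generate_private_key(ec.SECP256R1())
    builder = x509.CertificateSigningRequestBuilder().subject_name(cert.subject)
    for oid in REPLICATED:
        try:
            ext = cert.extensions.get_extension_for_oid(oid)
        except x509.ExtensionNotFound:
            continue  # attribute absent on the old certificate, nothing to copy
        builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(new_key, hashes.SHA256()), new_key


def sans(obj):
    """DNS names in the SAN extension of a certificate or CSR."""
    ext = obj.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    return ext.value.get_values_for_type(x509.DNSName)


def extension_oids(obj):
    """Dotted OIDs of all extensions present, for a before/after comparison."""
    return [ext.oid.dotted_string for ext in obj.extensions]


if __name__ == "__main__":
    old = make_deployed_cert()
    csr, _ = replicate_csr(old)
    print("subject replicated:", csr.subject == old.subject)
    print("SANs replicated:   ", sans(csr) == sans(old))
    print("CSR extensions:    ", extension_oids(csr))
```

Comparing the SAN list of the CSR against the old certificate before submission catches the common renewal failure in which only the subject is copied and the new certificate no longer covers every hostname.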
[056] Various embodiments provide a system and method for centrally managing SSL certificates. The disclosed system and method may include a certificate management device configured to centrally monitor, track, and renew a plurality of pre-deployed SSL certificates associated with a plurality of application servers and a plurality of network devices, and issued by a set of Certificate Authority (CA). The certificate management device may further include a monitoring module and a certificate generation module. The monitoring module may be configured to monitor validity of each of the plurality of pre-deployed SSL certificates based on a pre-configured threshold for certificate expiry. In addition, the monitoring module may be configured to generate auto ticketing for one or more of the plurality of pre-deployed SSL certificates based on monitoring. Further, the certificate generation module may be configured to automatically create a CSR for each of the one or more pre-deployed SSL certificates, upon auto-ticketing. The certificate generation module may create the CSR by replicating certificate attributes from the corresponding pre-deployed SSL certificate. Moreover, the certificate generation module may be configured to send a request for a new SSL certificate to an associated CA based on the CSR. Additionally, the certificate generation module may be configured to receive the new SSL certificate from the associated CA.
[057] The system and method disclose a certificate management device that may provide several advantages. For example, the disclosed certificate management device may provide comprehensive security, operational efficiency, and business continuity, with automation as the key element. The disclosed certificate management device may function irrespective of technology or the CA. Further, the disclosed certificate management device may centrally monitor, track, and renew each of the plurality of pre-deployed SSL certificates. The disclosed certificate management device may not require any user credentials for the application (i.e., the created interactive dashboard) to establish and talk with end devices.
[058] Moreover, the disclosed certificate management device may create live CSR and manual CSR by using the application and mail the live CSR and manual CSR to the support group. In addition, the disclosed certificate management device may generate auto-ticketing about expiration of each of the plurality of pre-deployed SSL certificates based on the pre-configured threshold. Further, the disclosed certificate management device may be fully integrated with the ServiceNow REST-API. The application (i.e., the interactive dashboard) of the disclosed certificate management device may be presented to the plurality of users (i.e., the support group) in tabular format with sorting on all columns. Additionally, the disclosed certificate management device may provide an Excel export feature for reporting and data analysis. Moreover, using the application installed on the disclosed certificate management device, the request for the new SSL certificate may be generated within the application, which, through REST API integration, creates a requested item for further processing.
[059] Further, using the disclosed certificate management device, every department of the organization may be able to centrally manage each of the plurality of pre-deployed SSL certificates using the interactive dashboard. Also, the disclosed certificate management device may include an authentication module developed in Python and integrated with Aruba's ClearPass RADIUS server. Moreover, authorization details of each of the plurality of users may be mapped with an AD (Active Directory) group in order to grant access to the disclosed certificate management device depending upon the role of each of the plurality of users in the organization.
[060] It will be appreciated that, for clarity purposes, the above description has described embodiments of the invention with reference to different functional units and processors. However, it will be apparent that any suitable distribution of functionality between different functional units, processors or domains may be used without detracting from the invention. For example, functionality illustrated to be performed by separate processors or controllers may be performed by the same processor or controller. Hence, references to specific functional units are only to be seen as references to suitable means for providing the described functionality, rather than indicative of a strict logical or physical structure or organization.
[061] Although the present invention has been described in connection with some embodiments, it is not intended to be limited to the specific form set forth herein. Rather, the scope of the present invention is limited only by the claims. Additionally, although a feature may appear to be described in connection with particular embodiments, one skilled in the art would recognize that various features of the described embodiments may be combined in accordance with the invention.
[062] Furthermore, although individually listed, a plurality of means, elements or process steps may be implemented by, for example, a single unit or processor. Additionally, although individual features may be included in different claims, these may possibly be advantageously combined, and the inclusion in different claims does not imply that a combination of features is not feasible and/or advantageous. Also, the inclusion of a feature in one category of claims does not imply a limitation to this category, but rather the feature may be equally applicable to other claim categories, as appropriate.

CLAIMS

WHAT IS CLAIMED IS:

1. A system (300) for centrally managing Secure Socket Layer (SSL) certificates, the system (300) comprising:
a certificate management device (302) configured to centrally (402) monitor, track, and renew a plurality of pre-deployed SSL certificates associated with a plurality of application servers and a plurality of network devices, and issued by a set of Certificate Authority (CA), wherein the certificate management device (302) comprises:
a monitoring module (304) configured to:
monitor (404) validity of each of the plurality of pre-deployed SSL certificates based on a pre-configured threshold for certificate expiry; and
generate (406) auto ticketing for one or more of the plurality of pre-deployed SSL certificates based on monitoring; and
a certificate generation module (306) configured to:
upon auto ticketing, automatically create (408) a certificate signing request (CSR) for each of the one or more pre-deployed SSL certificate by replicating certificate attributes from the corresponding pre-deployed SSL certificate;
send (410) a request for a new SSL certificate to an associated CA based on the CSR; and
receive (412) the new SSL certificate from the associated CA.

2. The system (300) of claim 1, wherein the certificate generation module (306) is further configured to:
manually create a CSR for the new SSL certificate based on inputted certificate attributes, wherein the new SSL certificate is replicated and mailed to a support group.

3. The system (300) of claim 1, wherein the request for the new SSL certificate is sent using Representational State Transfer - Application programming Interface (REST-API) protocol.

4. The system (300) of claim 1, further comprising notifying one of the plurality of users about vulnerability or expiration of at least one of the plurality of pre-deployed SSL certificates based on monitoring.

5. The system (300) of claim 1, wherein the certificate management device (302) provides an interactive graphical user interface (GUI) to each of the plurality of users for centrally managing the plurality of SSL certificates.

6. A method (400) for centrally managing Secure Socket Layer (SSL) certificates, the method comprising:
centrally (402) monitoring, tracking, and renewing, by a certificate management device (302), a plurality of pre-deployed SSL certificates associated with a plurality of application servers and a plurality of network devices, and issued by a set of Certificate Authority (CA), wherein central monitoring, tracking, and renewing the plurality of pre-deployed SSL certificates comprises:
monitoring (404), by a monitoring module (304) of the certificate management device (302), validity of each of the plurality of pre-deployed SSL certificates based on a pre-configured threshold for certificate expiry;
generating (406), by a monitoring module (304) of the certificate management device (302), auto ticketing for one or more of the plurality of pre-deployed SSL certificates based on monitoring;
upon auto-ticketing automatically creating (408), by a certificate generation module (306) of the certificate management device (302), a certificate signing request (CSR) for each of the one or more pre-deployed SSL certificate by replicating certificate attributes from the corresponding pre-deployed SSL certificate;
sending (410), by the certificate generation module (306) of the certificate management device (302), a request for a new SSL certificate to an associated CA based on the CSR; and
receiving (412), by the certificate generation module (306) of the certificate management device (302), the new SSL certificate from the associated CA.

7. The method (400) of claim 6, further comprising:
manually creating, by the certificate generation module (306) of the certificate management device (302), a CSR for the new SSL certificate based on inputted certificate attributes, wherein the new SSL certificate is replicated and mailed to a support group.

8. The method (400) of claim 6, wherein the request for the new SSL certificate is sent using Representational State Transfer - Application programming Interface (REST-API) protocol.

9. The method (400) of claim 6, further comprising notifying one of the plurality of users about vulnerability or expiration of at least one of the plurality of pre-deployed SSL certificates based on monitoring.

10. The method (400) of claim 6, further comprising:
providing, by the certificate management device (302), an interactive graphical user interface (GUI) to each of the plurality of users for centrally managing the plurality of SSL certificates.

Documents

Application Documents

# Name Date
1 202111060807-STATEMENT OF UNDERTAKING (FORM 3) [26-12-2021(online)].pdf 2021-12-26
2 202111060807-REQUEST FOR EXAMINATION (FORM-18) [26-12-2021(online)].pdf 2021-12-26
3 202111060807-REQUEST FOR EARLY PUBLICATION(FORM-9) [26-12-2021(online)].pdf 2021-12-26
4 202111060807-PROOF OF RIGHT [26-12-2021(online)].pdf 2021-12-26
5 202111060807-POWER OF AUTHORITY [26-12-2021(online)].pdf 2021-12-26
6 202111060807-POWER OF AUTHORITY [26-12-2021(online)]-1.pdf 2021-12-26
7 202111060807-FORM-9 [26-12-2021(online)].pdf 2021-12-26
8 202111060807-FORM 18 [26-12-2021(online)].pdf 2021-12-26
9 202111060807-FORM 1 [26-12-2021(online)].pdf 2021-12-26
10 202111060807-FIGURE OF ABSTRACT [26-12-2021(online)].jpg 2021-12-26
11 202111060807-DRAWINGS [26-12-2021(online)].pdf 2021-12-26
12 202111060807-DECLARATION OF INVENTORSHIP (FORM 5) [26-12-2021(online)].pdf 2021-12-26
13 202111060807-COMPLETE SPECIFICATION [26-12-2021(online)].pdf 2021-12-26
14 202111060807-FER.pdf 2022-05-06
15 202111060807-OTHERS [04-10-2022(online)].pdf 2022-10-04
16 202111060807-FER_SER_REPLY [04-10-2022(online)].pdf 2022-10-04
17 202111060807-DRAWING [04-10-2022(online)].pdf 2022-10-04
18 202111060807-CORRESPONDENCE [04-10-2022(online)].pdf 2022-10-04
19 202111060807-CLAIMS [04-10-2022(online)].pdf 2022-10-04
20 202111060807-US(14)-HearingNotice-(HearingDate-22-01-2025).pdf 2025-01-03
21 202111060807-FORM-26 [17-01-2025(online)].pdf 2025-01-17
22 202111060807-Correspondence to notify the Controller [17-01-2025(online)].pdf 2025-01-17
23 202111060807-Written submissions and relevant documents [06-02-2025(online)].pdf 2025-02-06
24 202111060807-PatentCertificate24-06-2025.pdf 2025-06-24
25 202111060807-IntimationOfGrant24-06-2025.pdf 2025-06-24

Search Strategy

1 202111060807E_04-05-2022.pdf

ERegister / Renewals

3rd: 01 Sep 2025

From 26/12/2023 - To 26/12/2024

4th: 01 Sep 2025

From 26/12/2024 - To 26/12/2025

5th: 01 Sep 2025

From 26/12/2025 - To 26/12/2026