Field
Embodiments of the invention generally relate to computer security. More specifically, techniques are disclosed for dynamically generating digital certificates on a cloud-based server of a certificate authority.
Description of the Related Art
Both commercial and non-commercial enterprises that engage in secure online communications frequently provide digital certificates to relying parties requesting them. In a public key infrastructure (PKI) scheme, a digital certificate is an electronic document that uses a digital signature to bind a public key to an identity, or subject, named in the certificate. The certificate allows a relying party to verify that the public key belongs to the individual (or subject) identified by the certificate. Further, certificates are issued to bind a domain name to a server's public key; the mapping of the domain name to an IP address is provided by DNS, not by the certificate. Binding a domain name to a key allows a relying party to, for example, verify the identity of a website. In such a scheme, the signer of the certificate is generally a certificate authority (CA). To obtain a digital certificate, an individual enrolls in a certification process with the CA. Such a process may involve logging into a website and providing various credentials to ensure that the customer enrolling in the process is the same individual named in the certificate.
However, the certification process may be burdensome for both the CA and individuals enrolling in it. For instance, it is difficult to change the information on a certificate after the certificate is generated, because the CA's signature covers the certificate's contents and any edit invalidates that signature. For example, if an individual wishes to add a subject alternative name (SAN) for a server, the individual is generally unable to edit the certificate directly to add the SAN. Rather, the individual must either obtain a new certificate that includes the additional SAN or revoke the current certificate and install a new certificate with the new information. In both cases, the individual has to perform multiple enrollment and installation steps with the CA and is also subject to restrictions on what information can be changed. Such steps may include logging onto the CA website as well as communicating with the CA via telephone or e-mail.
Additionally, if a certificate authority learns of a zero-day vulnerability affecting the certificate (e.g., a weakness in the signature or hash algorithm used to generate the certificate), the CA typically notifies the customer via e-mail, instructing the individual to revoke the current certificate and install a new one. This approach may take a considerable amount of time, especially if the individual does not act on the notification immediately. Further, it leaves a window in which the server associated with the certificate continues to present a certificate that is known to be weak or compromised.