The present invention relates generally to cryptography and, more particularly, to a system and method for automated validation and execution of cryptographic key and certificate deployment and distribution.
Key management is the process by which cryptographic keys are created according to the appropriate policies, backed up against disasters, delivered on time to the systems that need them, kept under the control of the appropriate personnel, and possibly deleted at the end of their lifecycle. To avoid error-prone manual operations, all keys are preferably managed automatically.
However, up to this point in time, key deployment and distribution have been largely controlled by humans, which is prone to error. Specifically, there is no assurance that all necessary keys are properly deployed and distributed to the precise locations where they are needed, and no assurance that an existing key deployment exposes no risks. This is because a typical enterprise key management system may involve thousands of keys and/or certificates, many of them updated or refreshed regularly, along with thousands of key deployment points. In such a system, the management task of distributing keys in a timely and efficient manner is inherently complicated and error-prone.
The well-known public key infrastructure (PKI) is used for public key and certificate management. It comprises a fetch-type interaction between the client and the PKI server. However, the PKI server has no control over certificate deployment at the client's location. Heretofore, there has been no known way to represent key deployment so that it can be understood by a machine, such as a computer, let alone an automated method to validate and execute the key deployment and distribution process.
What is needed is a system and method for the automated management (i.e., validation and execution) of the deployment and distribution of cryptographic keys and/or certificates, such that keys and certificates are deployed or distributed to every place where they are used to process or protect data, are not sent to places where they are not needed or not tracked, and are removed from places where they should no longer exist, in order to avoid the risks associated with an incorrect deployment or distribution.
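The validation step described above, reconciling a machine-readable statement of where each key must exist against an inventory gathered from the deployment points, can be illustrated with the following added example; it is not code from the patent, and the policy structure, function names, key identifiers and host names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class DeploymentReport:
    missing: set = field(default_factory=set)     # required (key, location) not observed
    not_needed: set = field(default_factory=set)  # known key present at an undeclared location
    untracked: set = field(default_factory=set)   # key the policy does not know at all
    retired: set = field(default_factory=set)     # end-of-life key still present somewhere

    def is_clean(self):
        return not (self.missing or self.not_needed or self.untracked or self.retired)

def validate_deployment(policy, retired_keys, observed):
    """policy: {key_id: set(locations)} declares where each key must exist;
    retired_keys: key ids past end of life that must exist nowhere;
    observed: set of (key_id, location) pairs reported by deployment points."""
    report = DeploymentReport()
    # A retired key is excluded from the required set even if the policy still lists it.
    required = {(k, loc) for k, locs in policy.items() if k not in retired_keys for loc in locs}
    report.missing = required - observed
    for key_id, loc in observed:
        if key_id in retired_keys:
            report.retired.add((key_id, loc))
        elif key_id not in policy:
            report.untracked.add((key_id, loc))
        elif loc not in policy[key_id]:
            report.not_needed.add((key_id, loc))
    return report

# Constructed sample policy and inventory (hypothetical identifiers).
POLICY = {
    "tls-web-2024": {"web-01", "web-02"},
    "db-backup-aes": {"backup-01"},
}
RETIRED = {"tls-web-2023"}
OBSERVED = {
    ("tls-web-2024", "web-01"),
    ("tls-web-2024", "web-03"),    # deployed to a place where it is not needed
    ("tls-web-2023", "web-02"),    # retired key that should have been removed
    ("unknown-hmac", "backup-01"), # never declared to the policy, hence untracked
}

def sample_report():
    return validate_deployment(POLICY, RETIRED, OBSERVED)

if __name__ == "__main__":
    r = sample_report()
    for name in ("missing", "not_needed", "untracked", "retired"):
        print(name, sorted(getattr(r, name)))
```

Each non-empty set in the report corresponds to one of the failure conditions named above, so an empty report is the machine-checkable statement that the deployment matches the policy.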