The invention relates generally to computer systems, and deals more particularly with a technique to update an SSL certificate used to establish a secure, remote connection.
SSL certificates are widely used to secure connections between two computers, such as a client and a server. An SSL certificate is an electronic document which attests to the binding of a public key to an individual or computer. The SSL certificate allows verification of a claim by the individual or computer that a specific public key is associated with that individual or computer. This allows another party to be assured that the individual or computer is the entity with which this other party intends to communicate.
The SSL certificate can be “self-signed” or “certificate-authority signed”. A “self-signed” certificate is a certificate issued by the individual or computer itself, signed with the private key that corresponds to the public key contained in the certificate, so that the individual or computer itself vouches that the entity identified in the certificate is associated with that public key. Because no third party vouches for it, a client must be explicitly configured to trust a self-signed certificate. A “certificate-authority signed” certificate is a certificate issued by a trusted third party (i.e. a “certificate authority”) which vouches that the individual or computer identified in the certificate is associated with the public key contained in the certificate; the client trusts it because it chains to a certificate authority the client already trusts.
The following is an example of a known use of an SSL certificate. A client requests from a server an SSL certificate as a prelude to establishing a connection with the server. When making the request, the client knows the identity it intends to reach: the host name, the domain name, if any, and/or the IP address of the server. The server responds with its SSL certificate, in the known X.509v3 format. The server either “self-signed” the certificate or obtained certificate-authority signing of the certificate, and has stored the certificate in a server database. The SSL certificate identifies the host in its subject “distinguished name” (typically in the Common Name attribute) by either a fully-qualified name or a short name. The fully-qualified name includes the host name and host domain name. The short name includes the host name but not the host domain name; in some environments there is no domain name for the host. In both cases, the SSL certificate may optionally carry a list of additional host names and IP addresses of the host in an extension of the SSL certificate (the Subject Alternative Name extension). Also, in both cases, the SSL certificate specifies the public key of the server, which is used to protect the establishment of the session key for subsequent messages between the client and server. When the client receives the SSL certificate from the server, the client compares the host name and domain name, the host name alone, or the IP address that it intended to reach against the name in the subject distinguished name and against the host names and IP addresses in the certificate extension, if any. If one of them matches, and the certificate's signature verifies against a certificate authority the client trusts (or the client has been configured to trust the self-signed certificate), then the client is confident that the server is the intended communication partner and proceeds to establish an (encrypted) SSL connection with the server. The client uses the server's public key to establish a separate, symmetric session encryption key with which the subsequent messages in the session are encrypted. The server likewise uses this same session encryption key. A name match alone is not sufficient: a certificate whose names match but whose signature chain is not trusted still identifies nobody in particular.
Occasionally, the host name, the domain name, if any, or the server IP address changes. For example, the host name and domain name may change when the server is moved from one owner to another owner, because the host name may identify the owner and the domain name may identify an organizational layer within the owner. The server IP address may change when the server is moved to a different network. When the host name, domain name or server IP address changes, the definition of the SSL certificate stored by the server must be changed as well, and the certificate must be re-issued (re-signed by the server itself or by the certificate authority) so that it carries the new names or addresses. Otherwise, when the server supplies the SSL certificate to the client, the host name, domain name, if any, and/or IP address in the certificate will not match what the client expects. Consequently, the client may conclude that the server which supplied the certificate is not the intended communication partner and may refuse to establish the connection with the server. Currently, the person who changes the host name, domain name or server IP address must remember to change the definition of the SSL certificate and then make the change manually.
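The two checks described above, the client-side comparison of the intended host name or IP address against the names in the certificate, and the server-side detection that a stored certificate no longer covers the host after a name or address change, are shown here as an added example. This is illustrative code written for this page, not code from the patent or from any product it describes. It assumes the certificate is already parsed into the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns (a `subject` tuple of relative distinguished names and a `subjectAltName` tuple of `("DNS", name)` and `("IP Address", addr)` pairs); the sample certificate, host names and addresses (`db01.corp.example.com`, `192.0.2.10`, and so on) are constructed for the example. It goes slightly beyond the text in also handling a single leftmost wildcard label, as clients commonly do.

```python
"""Name matching of an X.509 certificate against the peer a client intended to reach,
and a server-side staleness check after a host name, domain or IP address change."""
import ipaddress

# Constructed sample certificate in the dict shape returned by ssl.SSLSocket.getpeercert():
# subject Common Name holds the fully-qualified name; the Subject Alternative Name
# extension also lists the short host name and the host's IP address.
SAMPLE_CERT = {
    "subject": ((("commonName", "db01.corp.example.com"),),),
    "subjectAltName": (
        ("DNS", "db01.corp.example.com"),
        ("DNS", "db01"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_matches(pattern, hostname):
    """Case-insensitive DNS name comparison; a wildcard is allowed only as the whole
    leftmost label and only when at least two labels follow it (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_identities(cert):
    """Return (dns_names, ip_addresses) the certificate claims. Subject Alternative Name
    entries take precedence; the subject Common Name is used only when the certificate
    carries no DNS entries in the extension, which mirrors what modern clients do."""
    dns_names, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns_names.append(value)
    return dns_names, ips


def matches_intended_peer(cert, intended):
    """Client-side check: does the certificate name the host name (short or fully
    qualified) or the IP address literal the client set out to reach?"""
    dns_names, ips = cert_identities(cert)
    try:
        # An IP literal must match an IP Address extension entry, never a DNS name.
        return ipaddress.ip_address(intended) in ips
    except ValueError:
        pass
    return any(_dns_matches(pattern, intended) for pattern in dns_names)


def certificate_is_stale(cert, hostname, domain, ip_addresses):
    """Server-side check to run when the host name, domain or IP address changes:
    return the identities a client might use that the stored certificate no longer
    covers. An empty list means the certificate definition still fits the host."""
    fqdn = f"{hostname}.{domain}" if domain else hostname
    wanted = list(dict.fromkeys([fqdn, hostname, *ip_addresses]))
    return [identity for identity in wanted if not matches_intended_peer(cert, identity)]


if __name__ == "__main__":
    print(matches_intended_peer(SAMPLE_CERT, "DB01.corp.example.com"))
    # Host moved to a new domain and network: both the new name and address are missing.
    print(certificate_is_stale(SAMPLE_CERT, "db01", "eng.example.net", ["198.51.100.7"]))
```

`certificate_is_stale` is the hook a host-rename or re-addressing procedure would call: a non-empty result means the certificate must be regenerated with the new names and addresses and re-signed before clients will accept it. Note that this example covers only the name comparison; a real client additionally verifies the signature chain and validity period, and a self-signed certificate must be explicitly trusted by the client.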
An object of the present invention is to improve the process of updating the definition of an SSL certificate when the host name, domain name or server IP address changes.