The present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for intelligent certificate discovery in physical and virtualized networks.
The modern Internet economy has developed around secure, encrypted transmissions, originally web browser-driven, but now application driven. These secure, encrypted transmissions usually employ Hypertext Transport Protocol (HTTP) over Secure Sockets Layer (SSL) or Transport Layer Security (TLS). Such protocols rely on Public Key Infrastructure (PKI) for the initial exchange of information which leads to a high performance secure connection that shields sensitive private information from unintended parties. PKI in turn relies on an asymmetric key pair association where a public key is exposed to the world through a certificate (usually in X.509 format) issued by a well-known certificate authority. The corresponding private key remains hidden from all other parties except the owner of the private key. The certificate includes information about the public key, information about the identity of the owner of the public key, and a digital signature of an entity that has verified that the contents of the certificate are correct (referred to as the “issuer” of the certificate). In the X.509 format, for example, the certificate includes the following information:                Serial Number: Used to uniquely identify the certificate        Subject: The person or entity identified        Signature Algorithm: The algorithm used to create the signature        Signature: The actual signature to very that the certificate came from the issuer        Issuer: The entity that verified the information and issued the certificate        Valid-From (Not-Before): The date the certificate is first valid from        Valid-To (Not-After): The expiration date        Key-Usage: Purpose of the public key (e.g., encipherment, signature, certificate signing, etc.)        Public Key: The public key        Public Key Algorithm: The algorithm used to generate the Public Key        Thumbprint Algorithm: The algorithm used to hash the public key certificate        Thumbprint (also known as fingerprint): The hash itself, used as an abbreviated form of the public key certificate        
The strength of this key pair is based partially on the algorithm in which the keys are intended to be used, as well as the length of the keys themselves. Such information is readily available in the certificate along with assertions regarding the appropriate usage of the certificate from the issuing authority, e.g., assertions of “not-valid-before” and “not-valid-after” timestamps, the chain of trust for the issuing authority itself, and the like, as illustrated above with regard to the X.509 format. All such information in the certificate should be examined before a client computing device extends its trust to the server associated with the certificate, or vice versa. However, many client side users and server side commercial applications fail to adequately check this information. Moreover, the National Institute of Standards and Technology (NIST) has published guidelines for the United States of America federal government sector dictating what key sizes and algorithms are permissible for usage by federal installations. Similar restrictions apply in the commercial sector as well, whether by companies voluntarily adhering to the NIST guidelines or being forced by compliance requirements from regulating bodies, such as Health Insurance Portability and Accountability (HIPPA) or Peripheral Component Interconnect/Data Security Standard (PCI/DSS) regulating bodies, among others.