Field
Embodiments of the invention generally relate to techniques for managing a digital certificate enrollment process. More specifically, embodiments presented herein provide techniques for exchanging encoded digital certificate data between a server and a certificate authority using barcode graphics and a mobile device.
Description of the Related Art
Providing secure communications and protecting sensitive data is a well-known concern in a broad variety of contexts. For example, it is common for computer servers to use digital certificates to associate a server with a network domain. In such cases, clients use information contained in the certificate to verify the identity of the server and to establish secure communications with it. Other applications use digital certificates to help manage encrypted data. For example, a database may be configured with a digital certificate specifying a key used to encrypt data stored by the database (or used to derive such encryption keys).
More generally, digital certificates and public key infrastructure (PKI) techniques are used to create, distribute, and manage cryptographic keys in a variety of contexts. Typically, digital certificates are issued by a certificate authority (CA) after a requesting party completes an enrollment process. As part of the enrollment process, the requesting party provides the CA with the public key to be named in the certificate, together with information used to verify the identity of the requesting party (and its authority to request the certificate). The public key corresponds to a private key that must be kept secure by the requesting party. The key pair (i.e., the public and private key) is usually generated on the same computing system where the certificate will be installed, so that the private key never has to leave that system. However, server systems are frequently unable to initiate an outbound network connection. For example, a server may sit behind a network firewall that blocks any attempt to initiate an outbound connection. In such cases, the party requesting a certificate still needs to provide the certificate authority with a certificate signing request (CSR), and can create the CSR on the system where the key pair is generated and where the certificate will be installed, but cannot transmit the CSR to the CA from that system.
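The enrollment process described above, as an added example that is not part of the original application: the key pair is generated on the server, a CSR carrying the public key and the requested names is signed with the private key as proof of possession, and the CA verifies that signature and the requester's authority for every name before issuing. The CSR PEM is the only artifact that has to leave the server (by whatever channel is available); the private key stays put. The code uses the `cryptography` package; the "Example Issuing CA", the host name `db01.example.test` and the `authorized_names` policy list are constructed for the example.

```python
"""Certificate enrollment: key pair and CSR on the server, verification and
issuance at the CA. Example code, not from the original application."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def generate_server_key():
    """Generate the key pair on the host that will install the certificate.
    The private key object never leaves this process."""
    return ec.generate_private_key(ec.SECP256R1())


def build_csr(private_key, common_name, dns_names):
    """Build a PKCS#10 CSR: subject, requested SANs and the public key, signed
    with the private key (proof of possession). Returns PEM bytes, which is the
    only thing that must travel to the CA."""
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
            critical=False,
        )
    )
    return builder.sign(private_key, hashes.SHA256()).public_bytes(
        serialization.Encoding.PEM
    )


def make_ca():
    """Constructed self-signed issuing CA used only for this example."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def ca_issue(csr_pem, ca_key, ca_cert, authorized_names):
    """CA side. Two checks before issuing: the CSR's self-signature proves the
    requester holds the private key, and every requested name must be one the
    requester is authorized for (the hypothetical authorized_names policy)."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: no proof of possession")
    requested = {a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        requested.update(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    unauthorized = requested - set(authorized_names)
    if unauthorized:
        raise PermissionError(f"requester not authorized for {sorted(unauthorized)}")
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())  # the CA copies the key; it never sees the private half
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in sorted(requested)]),
            critical=False,
        )
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def install_check(cert_pem, private_key, ca_cert):
    """Server side, before installing: the issued certificate must name our own
    public key and must be signed by the CA we enrolled with."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    spki = lambda pub: pub.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    if spki(cert.public_key()) != spki(private_key.public_key()):
        return False
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
    except Exception:
        return False
    return True


def enroll(host, authorized_names):
    """Whole flow for one host; returns True when the issued certificate passes install_check."""
    key = generate_server_key()
    csr_pem = build_csr(key, host, [host])          # carried out of band to the CA
    ca_key, ca_cert = make_ca()
    cert_pem = ca_issue(csr_pem, ca_key, ca_cert, authorized_names)
    return install_check(cert_pem, key, ca_cert)


if __name__ == "__main__":
    print("enrolled:", enroll("db01.example.test", ["db01.example.test"]))
```

Note that the CA never receives the private key in either direction: the CSR carries the public key plus a signature over it, and the issued certificate carries the same public key back, which is why the server's final check compares the SubjectPublicKeyInfo bytes rather than trusting the subject name alone.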