The present invention relates to digital certificates, and more particularly, to the generation and distribution of digital certificates.
Many methods have been developed to secure the integrity of electronic message data during transmission. Simple encryption is the most common method of securing data. Encryption suitably refers to the transformation of plaintext data into an unintelligible form known as ciphertext. Encryption is usually accomplished by the application of mathematical algorithms on the plaintext data. These algorithms are defined by parameters known as xe2x80x98keysxe2x80x99. Two common encryption methods are symmetric methods, which use private keys, and asymmetric methods, which use public keys. Both private key encryption (such as DES (Data Encryption Standard)) and public key encryption methods have been implemented, but, key cryptographic methods alone do not allow a recipient to authenticate the validity of the public key nor to validate the identity of the sender.
In general, authentication allows for the verification that someone or something is valid or genuine. Digital signature authentication allows the receiver of a message to be confident of the identity of the sender and/or the integrity of the message. Digital signatures have been used to guarantee the validity of a public key by being incorporated into a digital certificate. The xe2x80x98signedxe2x80x99 document containing the digital signature attests to the validity and public key of the person signing the message, and prevents one user from impersonating another through a phony key pair. Along with the public key and the subject name, the certificate also contains the validity period of the key, the name of the issuer of the certificate and the certificate serial number. The information in the certificate is digitally signed by the issuer. However, a secure, centralized repository is required for storing and managing the keys.
For example, the X.500 directory may be used as a repository for storing certificates, with association of the public keys of network users with their distinguished name. (An X.500 distinguished name refers to a unique object in the X.500 Directory, and is a sequence of vertex points leading from the xe2x80x98rootxe2x80x99 of the tree to the object of interest, as is conventionally understood). The X.500 standard defines an authentication framework, known as X.509, for use by OSI (Open Systems International connection) applications to provide a basis for authentication and security services. The X.509 framework describes how authentication information is formed and placed in the directory. The X.509 authentication framework also defines basic security services, including simple and strong authentication. Strong authentication involves the use of public key cryptographic standard (PKCS) and a trusted hierarchy of Certificate Authorities (CAs), where a CA refers to a trusted source for obtaining a user""s authentication information or certificate and that controls a Public Key Infrastructure (PKI). Thus, traditional methods of key generation and certificate distribution rely on human interaction with CAs.
Accordingly, a need remains for a streamlined way of generating identities for widely distributed applications that use PKI for authentication. The present invention addresses such a need.
The present invention provides method and system aspects for automated generation and distribution of certificates in a computer network of computer systems. These aspects include generating a request by a first computer system for a certificate from a second computer system, and responding to the request in the second computer system by automatically generating the certificate and distributing the certificate to the first computer system. Further, generating a request includes issuing a POST/CERTREQ request, and sending a self-signed certificate from the first computer system to the second computer system. Automatically generating the certificate includes sending a sequence of certificates to the first computer system, the sequence of certificates including the newly generated certificate of the first computer system with a signature from the second computer system and a self-signed certificate from the second computer system.
Through the present invention, the generation and distribution of digital certificates for use by communicating Java(trademark) applications for authentication are effectively achieved. A straightforward approach utilizes standard HTTP protocol in conjunction with a Java development kit version 1.1. These and other advantages of the aspects of the present invention will be more fully understood in conjunction with the following detailed description and accompanying drawings.