Field
Embodiments of the invention generally relate to techniques for installing digital certificates on a server. More specifically, techniques are disclosed for simultaneously creating multiple key pairs and certificates using different signing and hashing algorithms.
Description of the Related Art
Both commercial and non-commercial enterprises frequently need to engage in secure online communications. To do so, PKI—public key infrastructure—has evolved to provide a variety of security mechanisms using both symmetric and asymmetric cryptography. For example, one organization may supply a digital certificate to a relying party. In a PKI scheme, a digital certificate is an electronic document that binds a public key to an identity (e.g., to an individual or to a server domain name). The binding allows a relying party to verify that the entity (or individual) named in the certificate holds the corresponding private key.
A certificate authority (CA) may use a variety of signing algorithms to sign a certificate. Although most web servers support certificates signed using the RSA signing algorithm, servers are also beginning to support other signing algorithms, such as DSA (digital signature algorithm) and ECDSA (elliptic curve digital signature algorithm). These algorithms have advantages and disadvantages relative to one another (e.g., in terms of key sizes, cryptographic strength, scalability, etc.), so one algorithm may be a better choice than another, depending on the needs of the users of a server. Many servers today support multiple certificates based on different algorithms. For example, a server may support connections using either an RSA-based certificate or an ECC-based certificate. A customer may further configure a priority order among such algorithms that clients use when negotiating a connection with the server (e.g., in the negotiation phase). Doing so provides more flexibility for the server and better performance for the clients.
However, although servers may support certificates of multiple algorithm types at a time, the process of generating the underlying key pairs is still limited to generating one key pair, using a single algorithm, at a time. For example, if a customer wishes to install an RSA-based certificate and an ECC-based certificate on a server that supports both the RSA and ECC algorithms, the customer has to generate a key pair for each algorithm and install each certificate separately. In addition, the customer has to engage in separate enrollment and identity-authentication workflows for each separate certificate request. Further, because certificates generally have a long validity period, customers typically have infrequent experience installing certificates. Given that the installation process can be complex, a customer may install certificates incorrectly. Therefore, the current approach is lengthy, tedious, and error-prone.
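The one-key-pair-at-a-time workflow described above can be collapsed into a single step on the customer side: one invocation that generates an RSA key pair and an EC key pair for the same subject and emits a SHA-256-signed certificate signing request (CSR) for each, so that both requests can be submitted together. The script below is an added example, not part of the patent text; it assumes the openssl command-line tool is available, and the output directory and common name are constructed placeholders.

```shell
#!/bin/sh
# Generate one key pair plus CSR per signing algorithm for a single identity,
# in one pass. Assumes the openssl CLI; paths and subject are illustrative.
set -eu

# gen_multi_csr OUTDIR COMMON_NAME
# Produces rsa.key/rsa.csr (RSA-2048, SHA-256) and ec.key/ec.csr (ECDSA P-256, SHA-256).
gen_multi_csr() {
    outdir="$1"
    cn="$2"
    mkdir -p "$outdir"

    # RSA key pair and a CSR whose self-signature uses SHA-256.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/rsa.key" 2>/dev/null
    openssl req -new -key "$outdir/rsa.key" -sha256 \
        -subj "/CN=$cn" -out "$outdir/rsa.csr"

    # EC (P-256) key pair and a CSR signed with ECDSA over SHA-256.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$outdir/ec.key" 2>/dev/null
    openssl req -new -key "$outdir/ec.key" -sha256 \
        -subj "/CN=$cn" -out "$outdir/ec.csr"

    # Private keys must never be world-readable on the server.
    chmod 600 "$outdir/rsa.key" "$outdir/ec.key"
}

# csr_key_type CSR_FILE
# Checks the CSR's self-signature (proof of possession of the private key) and
# prints the public key algorithm so the operator can confirm which request is
# which before submitting both to the CA. Returns non-zero if verification fails.
csr_key_type() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$1" -noout -text | awk '/Public Key Algorithm/ {print $4; exit}'
}
```

Running `gen_multi_csr /tmp/certs www.example.test` followed by `csr_key_type /tmp/certs/rsa.csr` and `csr_key_type /tmp/certs/ec.csr` reports `rsaEncryption` and `id-ecPublicKey` respectively, confirming that the two requests carry keys of different algorithms for the same identity.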