1. Field
Embodiments presented herein provide an automated step-up process for installing and provisioning a high-assurance certificate on a computer server. More specifically, embodiments presented herein reduce the time needed to secure a server by serially installing multiple certificates while completing the identity verification and authentication required for the high-assurance certificate.
2. Description of the Related Art
Providing secure communications and protecting sensitive data is a well-known issue in a broad variety of contexts. For example, it is common for computer servers to use digital certificates to associate a server with a network domain. In such cases, clients use information contained in a certificate to verify the identity of a server and to establish a secure network connection with that server. Other applications use digital certificates to help manage encrypted data. For example, a database may be configured with a digital certificate specifying a key used to encrypt data (or used to create encryption keys) stored by the database.
Digital certificates are issued by a certificate authority (CA) after a requesting party completes an enrollment process. As part of the enrollment process, the requesting party provides the CA with a public key to be named in the certificate and with information used to verify the identity of the requesting party (and in some cases the authority to request the certificate). The public key corresponds to a private key that needs to be maintained securely by the requesting party. The certificate, once issued, binds the public key to information listed in the certificate—such as the name of a network domain.
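The enrollment and verification flow described above, carried through end to end as an added example (not code from the patent or from any particular CA), using only Go's standard library: the requesting party generates a key pair and a certificate signing request naming its domain, the CA checks the CSR signature as proof that the requester holds the private key and issues a certificate binding the public key to that domain name, and a client verifies the certificate against the trusted root for the host it is connecting to. The CA name, the domain "www.example.com", and the function names newCA, makeCSR, issue, verify and Enroll are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root certificate standing in for the certificate authority (constructed for the example).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCSR is the requesting party's side of enrollment: a fresh key pair whose private half never leaves
// the requester, and a CSR carrying the public half plus the domain to be named in the certificate.
func makeCSR(domain string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domain},
		DNSNames: []string{domain},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// issue is the CA's side: verify the CSR's self-signature (proof of possession of the private key),
// then bind the public key to the requested domain in a certificate signed by the CA.
// A real CA performs its domain-control or organisation vetting between those two steps.
func issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by holder of the private key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// verify is the client's side: chain the certificate to the trusted root and require that it names the host.
func verify(caCert *x509.Certificate, leafDER []byte, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Enroll runs the whole exchange for domain and reports whether a client connecting to checkHost
// accepts the issued certificate. err is non-nil only for setup or issuance failures.
func Enroll(domain, checkHost string) (bool, error) {
	caCert, caKey, err := newCA()
	if err != nil {
		return false, err
	}
	csr, err := makeCSR(domain)
	if err != nil {
		return false, err
	}
	leaf, err := issue(caCert, caKey, csr)
	if err != nil {
		return false, err
	}
	return verify(caCert, leaf, checkHost) == nil, nil
}

func main() {
	ok, err := Enroll("www.example.com", "www.example.com")
	fmt.Println("same host accepted:", ok, err)
	ok, err = Enroll("www.example.com", "other.example.net")
	fmt.Println("different host accepted:", ok, err)
}
```

The second call in main shows the binding doing its job: the same certificate that a client accepts for www.example.com is rejected when presented for any other host, because the verifier compares the name in the certificate against the host it intended to reach.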
Certificate authorities perform varying levels of identity investigation and authentication when issuing a digital certificate. For example, SSL certificates (used to secure a communication channel between a web server and client) are differentiated by the degree to which the certificate authority has vetted the identity of the organization named in the SSL certificate. Depending on the specific certificate purchased (and the associated level of authentication required), the time required to perform the identity verification varies. For example, some certificates can be issued almost immediately, after verifying that a requesting party has control of the network domain named in the certificate. In contrast, a CA typically performs more extensive identity verification before issuing a “high-assurance” certificate, where the CA verifies the organization requesting the certificate or the authority of an individual within the organization to make the request. However, doing so can delay the delivery of a requested certificate and lengthen the time before a customer can secure a given computer server.