High-assurance private certificate authorities

    Publication number: US12166904B1

    Publication date: 2024-12-10

    Application number: US17957665

    Application date: 2022-09-30

    Abstract: Approaches presented herein relate to the management of secure secrets, such as digital certificates. When an operation is performed by a certificate authority (CA) with respect to a digital certificate, information for the operation is written to a blockchain (or other distributed and verifiable ledger) in addition to a secure database accessible to the CA. The ability of an external party to access the blockchain and independently verify information about a digital certificate can help to increase a level of assurance in the integrity of the CA, which can be important when an entity wants to act as (or offer) their own private certificate authority. Information in the blockchain can also help to identify “dark” certificates, which may appear valid but were not issued by a CA using a valid and secure process, and thus can be identified by a lack of valid transactions included in the corresponding blockchain.
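    The following is an added illustration of the ledger-backed issuance model the abstract describes; it is not the patent's or any product's code. Its simplifications are assumptions: a certificate is a dict, the CA "signs" with an HMAC over a canonical encoding (standing in for an asymmetric signature), and the blockchain is a local SHA-256 hash chain. The point that survives the simplification is the relying-party check: a certificate is accepted only if it verifies against the CA key and has an issue transaction in the ledger, so a "dark" certificate minted with the CA key outside the audited process is rejected even though its signature is good.

```python
"""Ledger-backed private CA (added example; not the patent's code)."""
import hashlib
import hmac
import json
import secrets


def canonical(cert: dict) -> bytes:
    """Deterministic encoding so fingerprints and signatures are stable."""
    return json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(cert: dict) -> str:
    return hashlib.sha256(canonical(cert)).hexdigest()


class Ledger:
    """Append-only hash chain standing in for the distributed, verifiable ledger."""

    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []  # each block: {"prev": str, "tx": dict, "hash": str}

    @staticmethod
    def _digest(prev: str, tx: dict) -> str:
        body = json.dumps({"prev": prev, "tx": tx}, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, tx: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        block = {"prev": prev, "tx": tx, "hash": self._digest(prev, tx)}
        self.blocks.append(block)
        return block["hash"]

    def verify_chain(self) -> bool:
        """Every block must commit to its predecessor and match its stored hash."""
        prev = self.GENESIS
        for b in self.blocks:
            if b["prev"] != prev or self._digest(prev, b["tx"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def transactions_for(self, fp: str) -> list:
        return [b["tx"] for b in self.blocks if b["tx"]["fingerprint"] == fp]


class PrivateCA:
    def __init__(self, name: str, ledger: Ledger):
        self.name = name
        self.key = secrets.token_bytes(32)  # HMAC key here; a private signing key in reality
        self.ledger = ledger
        self.db = {}  # the CA's own secure database: fingerprint -> record
        self.next_serial = 1

    def sign(self, cert: dict) -> str:
        return hmac.new(self.key, canonical(cert), hashlib.sha256).hexdigest()

    def _record(self, op: str, cert: dict) -> None:
        # Every CA operation is written to BOTH the private DB and the public ledger.
        fp = fingerprint(cert)
        self.db[fp] = {"cert": cert, "status": "valid" if op == "issue" else "revoked"}
        self.ledger.append({"op": op, "fingerprint": fp, "issuer": self.name, "serial": cert["serial"]})

    def issue(self, subject: str):
        cert = {"issuer": self.name, "serial": self.next_serial, "subject": subject}
        self.next_serial += 1
        self._record("issue", cert)
        return cert, self.sign(cert)

    def revoke(self, cert: dict) -> None:
        self._record("revoke", cert)


def verify(cert: dict, sig: str, ca_key: bytes, ledger: Ledger) -> str:
    """Relying-party check: signature, ledger integrity, then the ledger's view of the cert."""
    expected = hmac.new(ca_key, canonical(cert), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "bad-signature"
    if not ledger.verify_chain():
        return "ledger-tampered"
    txs = ledger.transactions_for(fingerprint(cert))
    if not any(t["op"] == "issue" for t in txs):
        return "dark"  # signature is fine, but no audited issuance exists for it
    if any(t["op"] == "revoke" for t in txs):
        return "revoked"
    return "valid"


def mint_dark_cert(ca: PrivateCA):
    """A rogue operator, or an attacker holding the CA key, signs a cert outside the process."""
    cert = {"issuer": ca.name, "serial": 9999, "subject": "CN=evil.internal"}  # constructed
    return cert, ca.sign(cert)


def demo() -> dict:
    ledger = Ledger()
    ca = PrivateCA("Example Private CA", ledger)
    good, good_sig = ca.issue("CN=api.internal")
    dark, dark_sig = mint_dark_cert(ca)
    out = {"good": verify(good, good_sig, ca.key, ledger),
           "dark": verify(dark, dark_sig, ca.key, ledger)}
    ca.revoke(good)
    out["good_after_revoke"] = verify(good, good_sig, ca.key, ledger)
    ledger.blocks[0]["tx"]["op"] = "revoke"  # rewrite history: the chain check must now fail
    out["tampered"] = verify(good, good_sig, ca.key, ledger)
    return out


if __name__ == "__main__":
    print(demo())
```

    The order of checks in `verify` matters: the chain is validated before it is consulted, so an attacker who can edit the ledger copy a relying party reads still cannot make a dark certificate look issued, and a private-database compromise alone cannot hide a revocation that is already in the chain.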

    Systems for generating and managing certificate authorities

    Publication number: US11533185B1

    Publication date: 2022-12-20

    Application number: US16910010

    Application date: 2020-06-23

    Abstract: Systems and methods for generating and managing certificate authorities. For instance, a certificate service may provide one or more user interfaces for creating certificate authorities, such as a root certificate authority, a subordinate certificate authority, and/or an intermediate certificate authority. For example, a user may use a user device to create a certificate hierarchy. The certificate service may also provide one or more user interfaces for issuing certificates using the certificate authorities. One or more computing resources may then use the end-entity certificates issued from the certificate authority hierarchy for authentication and/or encryption. For security purposes, the certificate authority may also allow the user to set policies representing users that are able to access and/or utilize the certificate authorities to perform actions, such as issuing certificates. The certificate service may also generate audit reports indicating certificates that are created using the certificate authorities.

    Certificate authority meta-resource for automated rotation and renewal

    Publication number: US12137175B1

    Publication date: 2024-11-05

    Application number: US17364160

    Application date: 2021-06-30

    Abstract: Described are automated systems and methods for employing certificate authority meta-resources to facilitate automatic renewal and/or rotation of certificates and/or certificate authorities in a PKI hierarchy. For example, embodiments of the present disclosure can provide creating a certificate authority meta-resource, which can maintain and monitor certain information to facilitate automatic renewal and rotation of certificates and/or certificate authorities in a PKI hierarchy. The certificate authority meta-resource can also keep track of the active certificate authorities and certificates to ensure that trust is maintained without manual configuration of the PKI hierarchy.

    Custom rules for global certificate issuance

    Publication number: US12088738B2

    Publication date: 2024-09-10

    Application number: US17541998

    Application date: 2021-12-03

    Abstract: Techniques are described for enabling users of a certificate management service to create certificate issuance policies that can be applied to certificate issuance requests across both public and private certificate authorities (CAs) and other certificate-related services. According to embodiments described herein, a certificate issuance policy includes one or more certificate issuance rules to be applied to requests associated with one or more specified user accounts or roles for certificate-related resources (e.g., public certificates, private certificates, etc.). The application of a certificate issuance rule can be conditioned on a particular request context (e.g., based on a user account or role associated with a request, a type of certificate requested, a subject name identified in the request, etc.) and can specify a wide range of actions to be performed on requests matching a rule (e.g., allowing or denying a request, modifying one or more parameters of the request, etc.).
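    The following is an added example of the rule model this abstract describes, and of the per-principal access policies mentioned in the hierarchy-management abstract (US11533185B1) above; it is not the patents' or any service's code, and the rule names, field names and sample policy are constructed for the illustration. A policy is an ordered list of rules; each rule matches on request context (principal, certificate type, requested names) and carries an action: "deny" and "allow" are terminal, "modify" rewrites request parameters and evaluation continues, and a request that matches nothing is denied. One detail a practitioner would want: name rules are applied to the subject and every SAN, with deny rules firing on any name and allow rules requiring all names, otherwise a forbidden name can ride in as a SAN.

```python
"""Certificate issuance policy evaluation (added example; not the patents' code)."""
from dataclasses import dataclass, field, replace
import fnmatch
import re


@dataclass(frozen=True)
class Request:
    principal: str            # e.g. "role/web-deploy" or "user/alice"
    cert_type: str            # "public" or "private"
    subject: str              # requested common name
    sans: tuple = ()          # requested subject alternative names
    validity_days: int = 365


@dataclass
class Rule:
    name: str
    action: str                       # "allow" | "deny" | "modify"
    principals: tuple = ("*",)        # glob patterns over the principal
    cert_types: tuple = ("*",)
    name_regex: str = ".*"            # applied to the subject AND every SAN
    changes: dict = field(default_factory=dict)  # modify: field -> value or callable(req)

    def matches(self, req: Request) -> bool:
        if not any(fnmatch.fnmatch(req.principal, p) for p in self.principals):
            return False
        if not any(fnmatch.fnmatch(req.cert_type, t) for t in self.cert_types):
            return False
        names = (req.subject,) + tuple(req.sans)
        # Deny fires if ANY name hits it; allow/modify need ALL names to satisfy it.
        quantifier = any if self.action == "deny" else all
        return quantifier(re.fullmatch(self.name_regex, n) is not None for n in names)


def evaluate(policy: list, req: Request):
    """Return (decision, possibly modified request, names of the rules that fired)."""
    fired = []
    for rule in policy:
        if not rule.matches(req):
            continue
        fired.append(rule.name)
        if rule.action == "modify":
            new_values = {k: v(req) if callable(v) else v for k, v in rule.changes.items()}
            req = replace(req, **new_values)
            continue
        return rule.action, req, fired
    fired.append("<default-deny>")
    return "deny", req, fired


# Sample policy, constructed for this example.
POLICY = [
    Rule("deny-public-wildcards", "deny", cert_types=("public",), name_regex=r"\*\..*"),
    Rule("cap-public-validity", "modify", cert_types=("public",),
         changes={"validity_days": lambda r: min(r.validity_days, 90)}),
    Rule("deploy-role-private-internal", "allow", principals=("role/web-deploy",),
         cert_types=("private",), name_regex=r"[a-z0-9-]+\.internal\.example"),
    Rule("pki-admins", "allow", principals=("role/pki-admin",)),
]


def demo() -> dict:
    cases = {  # constructed requests
        "deploy_ok": Request("role/web-deploy", "private", "api.internal.example"),
        "deploy_wildcard_san": Request("role/web-deploy", "private", "api.internal.example",
                                       sans=("*.internal.example",)),
        "admin_public_long": Request("role/pki-admin", "public", "www.example.com",
                                     validity_days=398),
        "admin_public_wildcard": Request("role/pki-admin", "public", "*.example.com"),
        "stranger": Request("user/mallory", "private", "api.internal.example"),
    }
    return {k: evaluate(POLICY, r) for k, r in cases.items()}


if __name__ == "__main__":
    for name, (decision, req, fired) in demo().items():
        print(f"{name}: {decision} via {fired} (validity {req.validity_days}d)")
```

    Because rules are ordered and a modify rule does not terminate evaluation, the validity cap is applied before the admin allow fires, so the returned request, not the original one, is what the CA should issue from.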

    HIGH-ASSURANCE PRIVATE CERTIFICATE AUTHORITIES

    Publication number: US20250047504A1

    Publication date: 2025-02-06

    Application number: US18923396

    Application date: 2024-10-22

    Abstract: Approaches presented herein relate to the management of secure secrets, such as digital certificates. When an operation is performed by a certificate authority (CA) with respect to a digital certificate, information for the operation is written to a blockchain (or other distributed and verifiable ledger) in addition to a secure database accessible to the CA. The ability of an external party to access the blockchain and independently verify information about a digital certificate can help to increase a level of assurance in the integrity of the CA, which can be important when an entity wants to act as (or offer) their own private certificate authority. Information in the blockchain can also help to identify “dark” certificates, which may appear valid but were not issued by a CA using a valid and secure process, and thus can be identified by a lack of valid transactions included in the corresponding blockchain.

    Certificate management system with forced certificate renewal

    Publication number: US12132722B1

    Publication date: 2024-10-29

    Application number: US16457478

    Application date: 2019-06-28

    CPC classification numbers: H04L63/0823, H04L63/108, H04L63/164

    Abstract: Methods, systems, and computer-readable media for a certificate management system with forced certificate renewal are disclosed. The certificate management system may receive a request to renew a digital certificate. The request may be received at a selected time prior to an automatic renewal date for the certificate, and the automatic renewal date may be stored by the certificate management system. The certificate management system may acquire, based at least in part on the request to renew the certificate, a renewed certificate from a certificate authority. The renewed certificate may be obtained prior to the automatic renewal date. The renewed certificate may be exported from the certificate management system and bound to a computing resource (e.g., a server) prior to the automatic renewal date.
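    The following is an added example covering both this abstract and the meta-resource abstract (US12137175B1) above: a tracker that holds every CA and end-entity certificate in a hierarchy with its issuer, validity window and reissue lifetime, derives the automatic renewal date from them, renews due items parent-first (reissuing children of a rotated CA in the same pass so the chain stays valid without manual reconfiguration), and also accepts a forced renewal requested before the automatic date. It is not the patents' or any service's code; the class and method names, the 30-day lead time and the sample hierarchy are assumptions made for the illustration.

```python
"""CA meta-resource driving automatic and forced renewal (added example; not the patents' code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Cert:
    name: str
    issuer: Optional[str]      # None for the self-signed root
    not_before: datetime
    not_after: datetime
    generation: int = 1        # bumped on every reissue


@dataclass
class CAMetaResource:
    renew_lead: timedelta = timedelta(days=30)     # assumed lead time before expiry
    certs: dict = field(default_factory=dict)      # name -> Cert (the active one)
    lifetimes: dict = field(default_factory=dict)  # name -> timedelta used on reissue
    events: list = field(default_factory=list)     # audit trail: (when, name, generation, mode)

    def register(self, cert: Cert, lifetime: timedelta) -> None:
        if cert.issuer is not None and cert.issuer not in self.certs:
            raise ValueError(f"unknown issuer {cert.issuer!r} for {cert.name}")
        self.certs[cert.name] = cert
        self.lifetimes[cert.name] = lifetime

    def auto_renewal_date(self, name: str) -> datetime:
        return self.certs[name].not_after - self.renew_lead

    def _depth(self, name: str) -> int:
        depth, cur = 0, self.certs[name]
        while cur.issuer is not None:
            depth, cur = depth + 1, self.certs[cur.issuer]
        return depth

    def _renew(self, name: str, now: datetime, forced: bool) -> Cert:
        old = self.certs[name]
        new = Cert(name, old.issuer, now, now + self.lifetimes[name], old.generation + 1)
        self.certs[name] = new
        self.events.append((now, name, new.generation, "forced" if forced else "auto"))
        return new

    def tick(self, now: datetime) -> list:
        """Automatic path: renew whatever is past its renewal date, parents before
        children, and cascade to children whose issuer was rotated in this pass."""
        renewed = []
        for name in sorted(self.certs, key=self._depth):
            if now >= self.auto_renewal_date(name) or self.certs[name].issuer in renewed:
                self._renew(name, now, forced=False)
                renewed.append(name)
        return renewed

    def force_renew(self, name: str, now: datetime) -> Cert:
        """Forced path: renewal requested ahead of the automatic date (for example after
        a suspected key exposure); the new certificate is active immediately."""
        if now >= self.auto_renewal_date(name):
            raise ValueError("already inside the automatic renewal window; use tick()")
        return self._renew(name, now, forced=True)

    def chain_valid(self, name: str, now: datetime) -> bool:
        """Every certificate from `name` up to the root must be within its validity at `now`."""
        cur = self.certs[name]
        while True:
            if not (cur.not_before <= now < cur.not_after):
                return False
            if cur.issuer is None:
                return True
            cur = self.certs[cur.issuer]


def demo() -> dict:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    m = CAMetaResource()  # sample hierarchy, constructed for this example
    m.register(Cert("root", None, t0, t0 + 3650 * day), 3650 * day)
    m.register(Cert("intermediate", "root", t0, t0 + 730 * day), 730 * day)
    m.register(Cert("leaf", "intermediate", t0, t0 + 90 * day), 90 * day)
    out = {}
    out["day0"] = m.tick(t0)                  # nothing due yet
    out["day61"] = m.tick(t0 + 61 * day)      # leaf crossed its 60-day auto-renewal date
    m.force_renew("leaf", t0 + 71 * day)      # operator forces early renewal of the fresh leaf
    out["day710"] = m.tick(t0 + 710 * day)    # intermediate due; leaf reissued under the new one
    out["leaf_generation"] = m.certs["leaf"].generation
    out["chain_ok"] = m.chain_valid("leaf", t0 + 710 * day)
    out["forced_events"] = [e for e in m.events if e[3] == "forced"]
    return out


if __name__ == "__main__":
    print(demo())
```

    The parent-first ordering in `tick` is the part that keeps trust intact: if the leaf were reissued before the intermediate in the same pass it would chain to a CA about to be rotated, which is exactly the manual bookkeeping the meta-resource is meant to remove.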

    MANAGING UNIQUE SECRETS IN DISTRIBUTED SYSTEMS

    Publication number: US20240097918A1

    Publication date: 2024-03-21

    Application number: US17947957

    Application date: 2022-09-19

    CPC classification numbers: H04L9/3268, H04L9/321

    Abstract: Approaches presented herein relate to the management of secure secrets in a distributed environment. In particular, various embodiments provide for the management of unique digital identities across multiple regions, where each region can include its own certificate authority. While these certificate authorities may operate independently, they can be part of a multi-primary system where unique identities and keys are stored redundantly across environments. In the event of a failure of a certificate authority in one region, another certificate authority in another region can continue security and authentication management, without a need to issue new identities or change operation of any of the regions. Parties to secure communications, such as application containers, can each receive their own unique identity which can be shared across various regions to allow related tasks (e.g., certificate issuance or revocation) to be performed identically from any of those regions.
