|Publication number||US20050081029 A1|
|Application number||US 10/917,964|
|Publication date||Apr 14, 2005|
|Filing date||Aug 13, 2004|
|Priority date||Aug 15, 2003|
|Also published as||US7418597, US7568095, US7650496, US7650497, US7653810, US7698549, US7937583, US20050069136, US20050071630, US20050074124, US20050076199, US20050076200, US20050076201, US20050076202, US20050076203, US20050076204, US20050076205, US20050078830, US20050081025, US20050081026, US20050081027, US20050081028, US20050091484, US20060015716, US20090319783|
|Publication number||10917964, 917964, US 2005/0081029 A1, US 2005/081029 A1, US 20050081029 A1, US 20050081029A1, US 2005081029 A1, US 2005081029A1, US-A1-20050081029, US-A1-2005081029, US2005/0081029A1, US2005/081029A1, US20050081029 A1, US20050081029A1, US2005081029 A1, US2005081029A1|
|Inventors||Russell Thornton, Benjamin Hodson, Jayson Seegmiller|
|Original Assignee||Imcentric, Inc.|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (38), Referenced by (40), Classifications (15), Legal Events (5)|
|External Links: USPTO, USPTO Assignment, Espacenet|
This application claims the benefit of U.S. Provisional Application No. 60/495,864 filed Aug. 15, 2003 and U.S. Provisional Application No. 60/586,429 filed Jul. 8, 2004, both of which are hereby incorporated by reference in their entirety.
The claimed inventions relate generally to management of public key infrastructure server networks, and more particularly to systems that can automate the installation, renewal, detection or management of public key infrastructure digital certificates in a secure network system.
Disclosed herein are several digital certificate discovery and management systems. Detailed information on various example embodiments of the inventions are provided in the Detailed Description below, and the inventions are defined by the appended claims.
Reference will now be made in detail to systems and methods for discovering and managing digital certificates which may include some more specific embodiments of the claimed inventions, examples of which are illustrated in the accompanying drawings.
Public key infrastructure (PKI) has recently become widespread in use, particularly with the availability of public networks that provide access to confidential sources or sinks of information, for example e-commerce over the Internet. PKI is utilized in many network systems to encrypt data transacted between a user on a client device and a server, and also to verify that the client is linked to an authentic server device, particularly when the data transactions pass through an uncontrolled or insecure network portion.
Data encryption generally is of one of two types, which are symmetric and asymmetric cryptography. Speaking at a basic level, in symmetric cryptography a single key is shared by the encryptor and the decryptor, i.e. the encryption key can be used to decrypt data encrypted with that key. In
In public key cryptography one of the keys may be made public, which may serve to either to secure data from unauthorized access or digitally sign transmitted data. By digitally signing data, the receiver may verify that the received data comes from a particular sender and that the data has arrived unmodified. Referring now to
Referring now to
In a variation of the procedure of
Public key infrastructure (PKI) is the equipment and software required to practice public key cryptography for real-world applications, and may take any number of forms. In one form, PKI may include a sender computer and a receiver computer, with software for encrypting and decrypting messages, such as email messages. Often, PKI provides a facility for the retrieval of a public key from the data sender or the intended recipient, permitting encrypted communication without the need of physical public key transfers. In another PKI form, public keys are provided by way of certificates. A PKI certificate is a data structure that provides a public key to others. PKI certificates may be made available by way of network servers to others with access to that network, thus providing an efficient way of distributing public keys.
In a commonly used PKI, certificates also include a signature to verify the source of the certificate. Again, PKI keys are provided in pairs, one being held private and the other distributed publicly. The recipient of a public key may communicate with the holder of the corresponding public key in a secure fashion, but if the recipient obtained the public key over a network he may not know what the source of that public key is. It is therefore possible, in that circumstance, for a third party to trick or “spoof” the recipient party into holding communications with him, if he can provide a substitute certificate to the recipient party and if the third party's communications are sufficiently authentic to complete the deception. In a related technique of interception, a third party may form an encrypted communications link with a destination server, provide a substitute certificate to a recipient, and masquerade as the destination server by passing data between the recipient party and the destination server. The third party may then view all traffic between the recipient and the destination server unencrypted. This technique is often referred to as a “man in the middle attack”, and can be a serious problem for many entities, such as banks or on-line stores, wishing to correspond with customers, employees and others over public and/or uncontrolled networks.
To solve this problem a number of Certificate Authorities (CAs), for example Verisign and Entrust, have created services for authenticating certificates. These entities hold themselves out as entities of trust, providing certificate signing services for certificate verification. The operation of a CA is generally as follows. First, a CA produces a set of asymmetric key pairs, and therefrom a set of root certificates. The private keys are secretly held by the CA, while the root certificates containing public keys are provided to others through controlled distribution. These root certificates are made widely available to the public, for example in the distribution of web browsers, operating systems or other software. Next, a CA receives unsigned certificates in Certificate Signing Requests (CSRs), which contain sufficient information to produce a signed certificate and optionally to verify the source of the individual CSRs. For individual CSRs, the CA may attempt to validate the CSR as coming from a known party, for example through the use of a password or other confidential information from the customer. Signed certificates are produced by choosing a root certificate, signing the certificate with the private key of the chosen root certificate, including identification of the root certificate with the signed certificate and returning the signed certificate to the requesting party.
A standard certificate specification, referred to as X509 has been established to provide a common readable certificate format for publicly accessible utilities. This format will be recognized by those of ordinary skill in the art, and will be only briefly commented herein. The X509 format provides an example of a usable certificate format, noteworthy format items being a version number (the version of the X509 standard being used), a public key, a signature value, a denotation of the signature algorithm used, a period of validity, and an issuer identification among other format items. Although this format has seen recent widespread use, especially in https and secure shell technologies, other formats may be used with equally good results.
A client receiving a certificate from a server may verify a signed certificate by doing the following. First the client may review the certificate to see what certificate was used for signing (i.e. a parent certificate). If the parent certificate is recorded at the client's location, it may locate it and extract the public key. If the parent certificate is not known to the client, the client may request the parent certificate from an accessible server. Upon receipt of the parent certificate, the client may extract the public key. Having the public key, the client may then verify the signing of the child certificate. If the parent certificate was obtained remotely, the client may continue by verifying the signing of the parent certificate. That procedure may continue through a chain of certificates until reaching a known certificate, or reaching an unsigned or unavailable certificate. Should the process end without reaching a known certificate, the client may consider the child certificate (and other certificates in the chain) to be untrustworthy, and may provide a warning to a user.
Referring now to
Certificate Life Cycle
A certificate is normally used for a limited amount of time for a number of reasons. Certificates are priced according to the length of the validity period. This pricing is not merely for profit making, as there is an expense associated with maintaining the certificate authority infrastructure, i.e. maintaining servers that can validate issued certificates. A service provider may therefore not wish to purchase a certificate lasting a lengthy period of time, particularly if the certificate is to be used in a test or uncertain venture. Additionally, the longer a certificate is in existence and/or service, the more likely the private key will be discovered. An attack on a PKI key pair is thought to best be performed by an exhaustive search for a private key that decrypts intercepted encrypted data. Test searches are known to have been successfully conducted using supercomputer clusters in a period of months against keys of typical size. A longer period of use means that, first, an attacker will have more time to perform the search and, second, an attacker may have more intercepted data to validate the resulting possible private keys that are found. Additionally, certificate validity periods may be especially important when considering insiders, administrators and other internal employees having access to SSL servers may have additional opportunity to compromise private keys through their administrative access.
Having a limited service life of certificates requires intervention and/or certificate renewal upon the expiration of the validity of those certificates. Recent experience with PKI enterprises has shown that certificates are too often not properly renewed before expiring. Should a certificate expire unnoticed, the associated service may become unavailable. Should the PKI continue to operate, users are likely to experience warning messages, which may cause those users to avoid using the service. The service may further be subjected to an increased probability of a compromise, with devastating consequences. Should a certificate renewal failure occur for a large enterprise, for example a large Internet seller or lender, significant revenues may be lost.
The causes of certificate renewal are many in number, a few of which are noted here. An entity may fail to note the expiration of a certificate. The certificate authority may send a reminder by postal or e-mail, with some chance of mis-delivery. For example, the certificate authority may have a postal or e-mail address that has changed due to the entity moving or changing its domain name. If the entity is located overseas, there is also an increased opportunity for the notification to suffer delay. If the entity maintains a manual certificate database, there is a chance for an erroneous or missing entry. Furthermore, a notification may be missed by an administrator, which individual may be busy, on vacation, incompetent or terminated. For larger organizations, there may be several administrators multiplying that problem. Additionally, the process of renewing certificates has been a manual process, and subject to typos and other technical errors.
Service entities have operated for months and years ignorant of the dangers of expiring certificates. When the problem is discovered, it may be too late to recover without downtime of the enterprise. Should an entity face such a crisis, there are presently no tools for surveying the certificates in service. The administrators may then find themselves visiting every server of the enterprise, creating a compilation of the certificates installed and the relevant expiration dates. As certificates are renewed, the administrators may update the compilation to get a handle on the schedule of certificate renewals. Again, this is a manual process and subject to human errors, which process puts an entity at risk of downtime and loss of income or services to clients or customers. For very large enterprises having thousands of certificates, the certificate renewal workload may require the attention of several administrators, which increases the expense of the operation.
Disclosed below are a number of systems and methods useful in environments of certificate management. Some of the disclosed systems serve a single function related to certificates. Others combine several of those functions into more comprehensive systems. Of the many potential combinations most, if not all, are useful, and therefore combinations may be chosen for particular circumstances of certificate management.
Individual disclosures herein may take the form of computer systems performing functions by software, software executable by a computing system, or a group of functions performable by a computing or software system to achieve various functions, or other forms. The reader should recognize that wherever disclosure is made of one of these types below, the others will also be made apparent.
Certificate Inventorying Systems
Certain of the systems disclosed herein relate to discovering and inventorying certificates installed to a set of network servers. In a first exemplary system, a database is maintained containing records relating to inventoried certificates. Each record identifies a certificate and a server to which the certificate resides or is installed. For each certificate, an expiration date or time may also be noted, by which the expiring of certificates may be noticed. Likewise, an expiration period may also be noted. Notation may also be made in certificate records for an issuing certificate authority. Other items of data relating to certificates may also be tracked, for example the common name, organization, an identification of a responsible individual, the strength of the encryption keys, etc. Expired certificates may also be tracked in a database, if desired.
Such a certificate database may be maintained using common file formats, for example CSV or dBase formats without becoming unwieldy, as the number of certificates tracked in a typical organization will be relatively small. A certificate database might also be maintained in a relational database server, which may provide additional search, remote access, encryption and other helpful database functions. Access to a certificate database may be controlled. In the exemplary system access to the database is provided only to authenticated persons and/or applications. A certificate database may take many other forms as desired, the details of which are not particularly important.
Entries and modifications to the certificate database may be performed manually, or applications may be provided for managing certificate entries in the database through the use of graphical user interfaces, web interfaces, or many other techniques. Entries may also be made by a certificate scanner, which will be described shortly. A database of related servers, i.e. servers on which certificates reside or servers within a defined network, may also be kept. Such a server database may be kept separately from a certificate database, or may be integrated in the same database, file or data structures.
A certificate database may be maintained to provide information regarding the state of certificates in a network at given times. This may be used, in one example, by an administrator to identify certificates due to expire, or certificates that have expired. In another use, certificates may be related to servers to identify unused or duplicate certificates. In yet another use, a survey may be conducted using the database to identify certificate authorities being used, a schedule of certificate renewals, encryption strengths, certificates on a particular domain, or other reviews useful to manage a secure network system.
A certificate inventorying system may additionally include a certificate discovery tool for locating certificates in a chosen network. The discovery tool may receive as input a network address range, which in one example includes an IP address and subnet mask for an IP protocol network. In another example, a list of IP address ranges are given. For other network types, a network name, SSID name or other identifier may be used in accordance with the network's addressing standards.
Referring now to
At each address iterated through, steps 1212 through 1222 are executed in a subroutine. First, an attempt to connect with the device at the currently iterated device is made over the network, as in step 1212. If the attempt is unsuccessful, the subroutine may exit, as in step 1214. Should a successful connection be made, an attempt to retrieve a certificate will be made, as in step 1216. If a certificate is not available, decision 1218 causes an exit of the subroutine, as there is no certificate information to record. Otherwise, the subroutine parses a received certificate for items of interest, as in step 1220. The items of interest may be any information related to the received certificate, but might be a certificate identifier, an expiration date, in one example. The parsed information may then be recorded to an entry in the scan database, as in step 1222, optionally with other related information such as the current network address, server type, or other information.
The procedure shown in
A discovery system may provide for log production of the discovery process. The log might show any of items such as: addresses scanned, ports scanned, failed and/or successful connection attempts, addresses with no response, certificate identifiers and other certificate information, server software types and version numbers, modifications to an existing certificate database, and many other items as desired. A discovery system may additionally combine the results of scans conducted at different times, which may be useful to catch servers which may have been inoperative at a particular time. Although the procedure of
A certificate discovery system may detect certificates that are not used, and may report those unused certificates to an administrator. Discovered certificates may also be archived, avoiding the need to provisioning of new certificates should a server crash or otherwise become inoperable. If private keys are also discovered, those can also be archived if desired. Other systems as disclosed below may also report unused certificates or archive certificates as desired, managed or otherwise.
Certificate Installation/Renewal Systems
Other systems may be fashioned to assist with the installation and renewal of PKI certificates. Those systems may assist with the issuance of a certificate and may perform steps to install certificates to appropriate server destinations and other PKI devices.
Referring now to
The installation of newly issued certificates may proceed as follows. First, it may be necessary to request and receive a certificate from a certificate authority, if it is not desired to use an internally-generated certificate. A common method of certificate receipt is by e-mail received at the same computer from which a certificate signing request was submitted. For a signed certificate received from a certificate authority, it may be necessary to determine a destination server for the certificate upon receipt. For example, if the certificate is a renewed certificate for a certificate about to expire, it may be desirable to install the certificate to the server storing the expiring certificate. Alternatively, a certificate may under some circumstances be held prior to installation. In one situation, it may be desirable to request renewed certificates well in advance of the expiration of old certificates. The old certificate is, in that situation, allowed to age before installing the renewal certificate. In another situation, a collection of servers may serve the same network address, through network address translation or other techniques. A collection of renewal certificates may, in that situation, be maintained in a store until needed, at which time the oldest renewal certificate may be installed to servers having certificates about to expire.
Regardless of the situation, a fresh or renewal certificate is associated to a destination network server at the time it is signed. A destination network server is therefore identified as corresponding to the received signed certificate. After a server is identified the server type is determined, in order to choose the proper method of installation. For example, if the server is serving web pages over the HTTPS protocol, there are a number of possible web server products that might be installed. For example, the Apache web server might dictate that certificates be installed through a file placement to a specified directory, a modification of particular configuration files (especially for non-renewed certificates), and restarting of the web server daemons. In another example, an iPlanet web server might provide a web administrator interface. In that circumstance the text of the certificate might be cut and pasted from an email into a text entry field, following which the web administrator installs the certificate text in the correct location. It may also be necessary to restart the PKI application and/or computer to flush the old certificates out of memory. Installation scripts might be written to support a number of PKI platforms, for example iPlanet, Apache, IIS, Netscape, Websphere in a multiplicity of versions.
In many if not most installation procedures, an authentication step will be required to access the certificate store on the destination device. This may involve offering an administrator username and password, a passphrase, a certificate or other authorization object. An authorization object may be stored within or accessible to the installation system prior to the installation activities.
The installation system has access to installation instructions which constitute a set of installation steps for installing certificates to particular server types. These installation instructions may take many forms, the content of which will depend on the type of interface used to perform the installation steps.
In a first example, the installation instructions define a set of shell commands. An exemplary set of shell commands for installing a certificate to an apache server might be: (1) log onto the destination server using an SSH connection and using a pre-stored username and password, (2) use the “cd” command to change the current directory to the certificate directory store, i.e. “cd/etc/ssl/apache”, (3) remove the old certificate, i.e. “rm-f./server.crt”, (4) install the new certificate, i.e. “echo MIIDBTCCA . . . >server.crt”, (5) install the new private key, i.e. “echo MIICXQ . . . >server.key”, (6) restart the web server, i.e. “apachectl restart”, and (7) terminate the SSH connection. Now, the directories given above may vary between operating system distributions and even between installations if an administrator has changed the directory configuration from the default. If it is desired to support an expanded range of server configurations, it may be desirable to examine the server configuration files. In the above example, which assumes a default Apache 2.0.47 server installed to a Linux Mandrake 9.1 operating system, the location of the ssl certificate and key can be found using the commands “grep SSLCertificateFile /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf” and “grep SSLCertificateKeyFile /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf”, assuming that root access is available. Similar installation instructions may be fashioned through a study of other server products to be supported.
A second installation instructional example utilizes file transfer protocols to deposit the certificate and key to a destination server. This example includes the steps of (1) using the scp protocol to transfer the certificate to the server, i.e. “scp -B server.crt /etc/ssl'server.crt”, (2) use the scp protocol to transfer the private key to the server, i.e. “scp -B server.key /etc/ssl/server.crt”, and (3) notify the administrator that the server needs to be restarted, for example by an e-mail message. Other file transfer protocols can be used, such as FTP or NFS, however it should be kept in mind that using insecure protocols over public networks may comprimise the security of the destination server.
A third example utilizes a web interface provided with the server application. A web interface is sometimes provided with a web server or other server application, by which control of the operation of the server may be commanded through a web browser. The web interface, if enabled, is accessible typically at a default relative URL, which might be at a special IP port, directory, CGI or other executable web script or program. In this example, the instructions are configured for a program that acts as a web browser, sending input back to the server's web interface as if the input came from a person operating a browser. This exemplary set of instructions includes (1) a command to go to the login URL of the web interface, (2) submit a form to the web interface containing an administrator usemame and password, (3) receiving the resulting web page, (4) a command to go to the certificate entry URL of the web interface, (5) submitting a second form to the web interface containing the new certificate and key, (6) confirming the submission of a new certificate and key in a third form, (7) a command to go to the web interface page including a “restart server” button, and (8) sending a fourth form containing a selection of the “restart server” button.
The third example might be implemented in any number of ways. For example, a PERL script to perform the steps might be written utilizing an http protocol library. In another example, a web scripting language is utilized to provide a shortenend and simplified interaction script. Likewise, any number of scripting or programming languages may be used to provide controlled interaction with a server's web interface.
In a fourth example, an agent may be pre-installed to the destination server. In that example the agent monitors some communication channel for instructions to install certificates and keys. That communication channel might take several forms, such as a TCP/IP connection, an SMTP receiver, an RPC interface, or the agent might periodically review a configuration file located on the destination server or at another location. Likewise XML web service interfaces, web interfaces, and other secure and non-secure layers or custom protocols might also be used. That agent would include support for the server type such that incoming certificates are properly deposited in the correct location. Such an agent may also include authentication measures to prevent unauthorized agent activity. The agent may optionally also cause a restart of the server application or a reboot of the server itself.
A certificate installation system might utilize one or several methods of certificate installation. Such a system might incorporate a table selecting an installation method and/or script to execute depending on the server type, i.e. the server's operating system and server applications installed thereon.
In a fifth related installation, information is first retrieved to effect contacting and install the certificate to the destination web server, accelerator or other device, that information including at least some of the platform type, the operating system, a detault protocol such as telnet, SSH, HTTP, HTTPS, etc., the certificate text, the destination server's IP address or hostname, a user name and password to log onto the destination, a password for the certificate store, the certificate common name, and a port number to initiate contact with the destination. Next, the certificate text is formatted to be in X.506 base 64 encoded format. The destination is then connected to using the port number, IP address and protocol specified. For certain server applications such as the Apache web server, an IBM web server, an IPlanet server or accelerator, the OpenSSL service is started. Next, the command “find / -name ssl.conf”, or a similar command, is executed to locate the SSL configuration file. The command “find / -name httpd.conf”, or a similar command, is also executed to locate the server configuration file. Next the certificate and key name are extracted from the configuration file using “grep \SSLCertificateFile/” or a similar command. A new configuration file is then generated either including or referencing the new certificate, and written to the destination server. If needed, the “make” command may be executed to roll out the updated certificate information to all server files. The connection is then terminated and the server restarted.
Now in the above examples, a new private key is installed for every new certificate. The use of several keys over a period of time tends to increase the difficulty of discovering the keys, or at least may prevent an attacker from discovering a key while it is in use. The use of new keys is not strictly required, however, and an installation procedure may install a new signed certificate containing an old public key, if desired.
Also in the above examples, no provision is made to reconfigure a server application to support PKI operation. Any of the above examples may be expanded to configure PKI supporting applications, for example by modifying files or accessing a web interface. By reconfiguring a server automatically, a laborious process of configuring servers for SSL or HTTPS support may be avoided.
Provision may also be provided in the certificate installation system for approvals. Upon receipt of a certificate signed by a certificate authority an administrator may be notified, for example by email. The received certificate may be held pending approval by the administrator. The installation system may provide an approval interface, for example accessible by a web browser, by which an administrator may authenticate himself to the system and select certificates approved to be installed. The interface may additionally provide for bulk approvals, i.e. presentation and approval of a group of certificates in a single approval step. The interface may additionally present certificates sorted in order of expiration date or priority, providing for ease of administrator selection. Optionally, certificates may also be presented in order of risk according to certificate risk profiles. Following approval, the certificates may be installed to the appropriate servers, for example using automated processes as suggested above.
An installation and renewal system may also include provisions for monitoring expiring certificates. In such a system, certificates may be enrolled in a certificate watch program. On a periodic basis, for example daily, weekly or monthly, a certificate database is reviewed for certificates expiring within a future period. Finding certificates in need of renewal, a notification may be sent to an administrator, which for example might be by e-mail or by a display upon login at an administrator interface. The administrator may then select certificates to be renewed, upon which a process of certificate renewal may be initiated as described below. Alternatively, the renewal system may be configured to initiate certificate renewal without approval, to prevent late certificate renewal should an administrator be unavailable to approve. If more than one administrator is configured, the renewal system may contact other administrators if first administrators do not timely respond to requests for approval.
In an alternate mode, a renewal system may scan the servers of a network periodically, as in the discovery processes discussed above, to detect certificates due to expire within a future period. In that system certificates might not be enrolled, but rather servers might be enrolled in a server watch list. In another alternate mode, agents are installed to the servers being monitored. Each agent periodically reviews the certificates for expiration, and may notify an administrator or a central system of any certificates about to expire, for example by email.
A manual certificate renewal process is typically initiated at the server to which the certificate will be installed. The process begins first by the generation of a public/private key pair. Now the key pair might be generated externally to the server, but that method introduces some risk of compromise in that the private key could be discovered in the process of moving it to the server. Following the generation of the key pair, a certificate signing request (CSR) is generated, which is basically a partially completed certificate in that it contains the public key and server identification, but is not otherwise associated to a certificate authority or a root certificate. Having a certificate signing request, it may either be sent to a certificate authority or it may be signed in-house. If a certificate is to be used externally, it should either be signed by a certificate authority or by using an intermediate root certificate itself signed by a certificate authority. Certificates to be used for internal use only may be signed by an internally generated root certificate, because those certificates maintained by an organization may be considered to be trusted. The signing process generates and attaches a signature to the certificate, which signature is generally an encrypted hash value generated from an unsigned certificate generated from the CSR information and from other information, such as the location of the root certificate and the validity period, which is encoded by the private key corresponding to a public key of a root certificate. The signed certificate is then ready for installation to the server.
The following method may be useful to generate a certificate signing request remotely using shell commands through an SSH, Telnet or other shell connection. First, the information needed as input to generate the certificate signing request is provided, including at least some of the protocol to be used, an email address, an IP address, the locality of the certificate including the country, state and city, the organization name, a certificate store password, and a port number to initiate a connection with the remote platform. Next, the remote shell is opened to the remote platform, utilizing known usernames and passwords or other authentication means. A command is then executed to set the remote platform to configure mode, followed by a command to enter an SSL configuration utility. The certificate store is then remotely opened and the default SSL certificate selected. Next, the current private key is removed from the certificate store. A new private key, for example a 1024 bit DES key, is generated and placed in the certificate store. A new PEM file or PKCS file is then created using the newly created private key. A further command is then sent to exit the SSL configuration utility. The “gencsr key” command is then used to create a new certificate signing request file with the city, state, country, organization name/unit, common name and email address provided in the earlier input or obtained from default set values. The output of the CSR text between the string identifiers “ - - - BEGIN CERTIFICATE REQUEST - - - ” and “ - - - END CERTIFICATE REQUEST - - - ” may then be captured and optionally placed in a database for storage until needed. Housekeeping activities and disconnection may follow the capture of the certificate signing request.
A simplified certificate renewal process is depicted in
The public/private key pair may be generated off the destination server, particularly if the server does not include software to generate the key pair (many operating systems include a well-known product called openssl). If that is done, it may be desirable to ensure the network between the generating computer and the destination is secure to avoid private key discovery.
The submitting a certificate signing request to a certificate authority is typically performed through a network connection over the Internet. The certificate authority (CA) presents an interface, for example in a web browser, in which an administrator may enter the CSR and other information related to the request, such as the requesting entity's identification, account number or a challenge phrase. If desired, the CA may permit the use of default values, in which case it may be possible to initiate a request by submitting only a CSR and identification of the requester. Upon receiving the CSR, the CA may take steps to verify the identity of the requester so as to avoid others from impersonating a proper requester and receiving valid and/or trusted certificates. After a period of time, usually at least several hours but typically not more than a few days, the CA issues the signed certificate. The issuing typically takes the form of sending the issued certificate to the administrator in an e-mail message, although other transference methods might be used equally well.
In other communications with certificate authorities, specialized protocols may be used. One exemplary protocol called the XML Key Management Specification (XKMS), the specification of and description of which is available from the World Wide Web Consortium, may be used as a starting point for a certificate signing request transmission protocol. Web interfaces suitable for human access may also be used through http automation tools. Screen scraping, data manipulation, key stroke automation, mouse click simulation and other forms of automation can be used to interact with such a web interface. Direct socket communication might also be used.
A certificate renewal system may include facilities for automating certificate signing, as will be presently described. As with certificate installation, certificate signing requests may be subject to approval. As expiring certificates are identified, they may be presented to an administrator for renewal. If it is desired to continue use of particular certificates or servers, an administrator may select those for certificate renewal. Approved certificates may be reviewed and parsed for informational items to be recycled, for example the server identity and the owning entity identity. A new certificate signing request is generated, either locally or remotely, for example at the server to receive the certificate. If a CSR is generated locally, the generation uses the identity of the destination server. If desired, the CSR may then be sent to a CSR for signing. Alternatively, if a root or intermediate root certificate is to be used and is available locally, the renewal system may sign and issue the certificate.
If a CSR is submitted to a CA, a period of time will elapse before issuance of the corresponding signed certificate. It may therefore be desirable to suspend the renewal process until the certificate arrives. For interacting with CAs that issue certificates by email, the system may monitor the incoming email messages. If desired, the system may include a specialized SMTP module to receive emails, in the event that an SMTP client isn't provided by the hosting operating system. Alternatively, an email filter may be applied to an existing SMH system to route messages from CAs to a renewal program. Regardless, the renewal system reviews the incoming email messages for issued certificates, and extracts them from the emails as needed. Alternatively, a CA may issue certificate by download. In that event, the renewal system may periodically access the CA's website. Of course, if a certificate is issued locally, for example if a management system is configured to act as a CA, it is immediately available for installation. Once a certificate is received or otherwise available, it may be held pending approval or immediately installed as in the examples above.
The CA may have policy regarding the issuance of certificates, for example declaring how an issued certificate may be used. A certificate renewal system may be fashioned to be not only compatible with the protocol requirements of CAs, but also with any policy requirements set forth.
In an exemplary certificate renewal method, challenge phrases used in the submission of CSRs to CAs are stored in the renewal system privately, and may also be encrypted if further security is desired. If a CA requires the submission of an administrator certificate or other object to accompany the submission of a CSR, those objects may be stored at the renewal system and made accessible for transmission to the CA in accordance with existing protocol. Internal CAs may also be used, i.e. certificate authorities controlled internally by a certificate using entity, for example if public validation of certificates with trusted CAs is not required.
CSRs may also include custom fields, such as accounting codes, group identifiers, usage notations, and other information associated with a particular issuing certificate. In one example, custom fields are included providing accounting codes that may be used to track operational expenses. In another example, usage notations are included in CSRs to provide, encoded in the issuing certificates, instructions where to install the certificates. Many other uses of custom fields may be used as desired, and may be facilitated by a renewal system.
A renewal system may also include access control for users and groups of users. The system may maintain a record of users authorized to view, change, renew and otherwise manage certificates. Authentication may be made through the use of passwords, certificates or other identifying objects. Certificates may be assigned to be managed by a single user or several users. Likewise, user groups may be configured to permit individuals within the user group to manage certificates.
Throughout the renewal and/or installation progress a log may be maintained by the system. The log may track activity at any level of detail desired, which might be in one example programmable. Entries might include logins, logouts, certificates approved for renewal, certificates approved for installation, which certificate authority was used to renew particular certificates, which server a certificate was installed to, which version of automation scripts were used and many other possible events.
If it is desired to use intermediate root certificates to sign end certificates, before creating a CSR an examination of available intermediate root certificates may be performed to ensure the period of validity of the end certificate is within the period of validity of a selected intermediate root certificate. Should an intermediate root certificate expire before the desired end certificate period of validity, or the root certificate become valid after the start of the period of validity of the end certificate, an administrator may be notified of a problem. The administrator may choose to renew the intermediate root certificate, obtain a new intermediate root certificate with an appropriate validity period, defer the renewal of an end certificate, or choose to have a certificate to be renewed signed by a publicly available root certificate.
Likewise, an installation or renewal system may also handle the installation and renewal of intermediate root certificates. In that system, it may be desirable to provide backup for intermediate root certificates and private keys from which those certificates have been generated, so as to prevent the loss of private keys necessitating the obtaining of new intermediate root certificates for issuing new end certificates. A database may also be maintained including information about the relationship of intermediate root certificates and end certificates issued from those root certificates. Other information may be stored in such a database, such as the attributes of intermediate root certificates, which devices contain those certificates, what certificate authorities issued those certificates, a history of end certificates issued from intermediate root certificates, and other related information.
A certificate renewal system or a certificate signing requesting system may make use of a certificate authority abstractor, which permits certificate related interaction with two or more certificate authorities using a common schema of operation. A number of certificate authorities presently make their services available, however each presents a different interface and procedures to administrators who wish to submit certificate signing requests. Thus an administrator may be required to learn the various web pages and/or software interfaces, functions, administrations, reporting and delivery systems of several certificate authorities.
The conceptual elements of a certificate authority abstractor are depicted in
CA abstractor 115 also presents a uniform interface 119 for receiving information pertaining to the submission of an individual certificate signing request 112. Interface 119 provides a uniform set of entries for at least the informational items required in a certificate signing request generally. These entries may provide for such items as a common certificate name, a period of validity, a locality identification, a public key, user defined fields or other fields in many combinations.
In a first exemplary abstractor, the certificate request information contains only a certificate signing request generated externally, for example at the server destined to receive a signed certificate. In a second exemplary abstractor, the certificate request information contains information sufficient to complete a certificate signing request by the CA abstractor using a transferred public key. Many other data transference schemas can be implemented as desired with attention to the details of any larger certificate automation system.
Abstractor 115 further receives a selection of a certificate authority 116, which may occur one time through a default setting, or a CA choice may be presented each time a certificate request information record 112 is submitted. The selection of certificate authority determines which script will be executed and which certificate authority record will be executed. In some circumstances and as shown, the abstractor will interact with one of certificate authorities 118 a or 118 b by way of an external network 117, which may be the Internet. Alternatively, if a locally maintained certificate authority is available, external network 117 may be replaced with an internal network or other communicative objects. Once certificate authority records are received, certificate request records may be submitted to the abstractor, whereby the all required items by the selected certificate authority may be provided. The interaction by the script 114 may then communicate a request that in its totality constitutes a certificate signing request associated with the requesting entity.
In an alternative abstractor the abstractor acts as a proxy application to the true certificate authorities. An administrator or system, for example a certificate renewal system, may interact with the abstractor as if it were a true certificate authority, passing the same informational types using similar interfaces, as desired. Additionally, although interaction with two certificate authorities is shown, the concepts disclosed above may be extended to support operation with any number of certificate authorities.
A certificate installation or renewal system may also perform a verification operation to verify that a newly requested certificate has been installed correctly and is available for use. In an exemplary method, the system may act as a client for the particular service for which the certificate is being used. For example, if a new certificate is for a web server supporting HTTPS, the installation/renewal system may attempt a secure HTTPS connection with the destination server. The verification may include checking for use of the new certificate and general operation of the secure use. Notifications may be sent to an administrator on success or failure, which may be after a timeout period if verification does not immediately follow certificate installation. In an exemplary system, alerts may be sent to more than one administrator, the system contacting further administrators if administrators previously notified haven't resolved a problem. That system may also submit periodic messages, such as what certificates are due for renewal in the near future, for example a period of 14 days.
Presently, it is difficult for enterprises to switch between certificate authorities, as the certificates under use may be expiring at different times and the enterprise may wish to continue to use existing certificate services paid for through the end of that term. In a manual system, as certificates expire an administrator is required to track certificates individually, renewing each certificate with the new authority. This activity can be relatively expensive and is susceptible to error.
In a certificate renewal system, a default certificate authority may be selected. That selected CA may then be used to renew certificates, by transferring information from the old certificates into CSRs to the new selected CA. If desired, a renewal system might also be commanded to replace all or a part of a set of managed certificates, swapping out certificates one or more several undesirable certificate authorities with a selected certificate authority. In an exemplary renewal system a “migrate” function is provided permitting automatic transfer of certificates managed by unsupported certificate authorities to a default certificate authority for which certificate requests are supported.
Systems for Managing Certificates in an Enterprise
A more complete system for managing certificates in an enterprise will include facilities not only for monitoring certificates, but also for requesting renewed certificates and installing those certificates to the enterprise. Another simplified method depicted in
A scanner 57 may be provided to scan the network for certificates to be managed, which in this case would scan any or all of servers 53 a-d, accelerators 54 a and 54 b, and internal CA 60 if provided. Upon finding servers and certificates installed thereon, scanner 57 may provide resulting information to a database 58 containing information identifying certificates, expiration dates, and issuing CAs for the certificates. An installer 56 may also be provided to automate the installation of new certificates on servers 53 a-d or accelerators 54 a and 54 b. Installer 56 may further automate the installation of intermediate root certificates to internal CA 60, if desired. A renewer 55 may be provided to monitor the expiration of certificates of which information is stored in database 58 and may provide functions related to the renewal of expiring certificates. One function is to notify an administrator of an expiring certificate. Another function is to initiate the renewal of a certificate through the automated generation of a certificate signing request, optionally after administrative approval. Another renewal function is the delivery and/or installation of renewed certificates to servers. The system of
Referring now to
The configuration of
An exemplary certificate management computer system is packaged in a rack-mountable form-factor and includes a Pentium 4 processor operating at 1.7 GHz or higher, 512 MB of 400 MHz SD-RAM, a RAID system including two 40 GB hard drives in a data mirroring configuration, redundant power supplies, two redundant 10/100 Base TX network ports, two 9-pin serial ports, one parallel port, four USB ports, and a graphics port supporting VGA video modes and higher. Other computer systems may be utilized in various circumstances, for example if a relatively small number of certificates are to be managed or if network access is provided through a non-Ethernet connection. Likewise, the computer system may have other software installed thereon, provided that sufficient processing power and network resources are provided to handle the total operating loads on the system.
The exemplary certificate manager includes a user interface accessible through the HTTPS protocol, of which FIGS. 15 to 48 are representative. That user interface will now be described.
Referring first to
Field name Contents Common Name: Specifies the fully qualified hostname used in DNS lookups (for example, www.imcentric.com). This is the hostname in the URL that a browser uses to connect to the server on which the certificate is located. It is important that these two names are the same. Otherwise, a client may notice that the certificate name does not match the site name, which often makes users doubt the authenticity of the certificate. Organization Name: Specifies the official, legal name of the company, educational institution, or other organization owning the certificate. Organization Unit: Specifies a description of an organizational unit within the organization. Contact: Specifies an individual who is responsible for this certificate. City: Specifies a description of the city, principality, or country for the organization. State: Specifies the state or province in which the business is located. Country: Specifies the two-character abbreviation of the country name (in ISO format) of the business location. Valid From: Specifies the effective date of the certificate. Valid To: Specifies the expiration date of the certificate. Certificate Strength: Specifies the bit strength of the keys of the certificate. Renewing Certificate Authority: Specifies the CA through which the certificate is to be renewed. Server: Specifies the server on which the certificate is or will be installed. Secure Server Name: Specifies the instance or name of the web server where the certificate is or will be used.
If an administrator selects to view or edit a server record, a screen similar to that of
Field name Contents Host Name Specifies the hostname of the server. IP Address IP Address of the server. Description Description of server. Port Port used to access the server, some common ports are ssh(22), telnet(23), or web(8888). Username Username used to access server. Is SSL Enabled Specifies if the admin pages are accessed via SSL. (Note: only used on Netscape 3.6 and Iplanet.)
In the exemplary certificate manager users may be grouped together to ease the administration of user privileges.
Field name Contents First Name First name of the user. Last Name Last name of the user. Title Position Title for the user. Company Company with which the user is employed. Department The user's department in the company. Address Street address (home or office) for user. City City in which the address is located. Zip Postal code for the city. Email address for user. Work Phone Work phone number for user. State State in which the city is located. Country Country in which the state is located. Fax Number Fax number for user. Username The identifier index of the user. Password The password of the user (may be hashed).
Additionally included in the screens shown in
The CA setup screens may be modifiable by program updates from the seller, manufacturer or licensor to adapt to changes in the operation of the certificate authorities made available for use. Those program updates may also include updates to the scripts (or other programmable elements) used to interact with the certificate authorities intended to be usable to the administrator.
A second exemplary certificate manager may be set up as a replicator for a first manager, providing failover functionality. Shown in
The exemplary certificate manager may also manage intermediate root certificate authorities and intermediate certificate authorities, such as might be the case with a Windows 2003 CA above. The configuration of the intermediate root certificate authority settings for the manager may be controlled in a screen similar to that shown in
The exemplary certificate manager may also scan for intermediate certificates on the discovery network. The manager may discriminate an end certificate from an intermediate root certificate by a review of certificate contents, or the manager may examine the chain of authority for certificates for parents located on the discovery network.
The exemplary certificate manager additionally permits the generation of various reports. Depicted in
Of the reports available, several historical reports may be generated by the exemplary manager. Depicted in
The logs generated by the exemplary manager are also viewable.
Further in the exemplary manager, user roles may be assigned to users. A user may thereby be given authorization to perform various administrative actions, for example authorizing the request of new certificates or merely viewing the certificate database. The exemplary manager may additionally act as a firewall to the management software, permitting communication only to selected ports in the network protocol. For example, a manager might enable port 443 for HTTPS administrative user interface access and port 25 for receiving email in a TCP/IP protocol supporting manager. Providing firewall functionality may prevent attacks from worms, buffer overflow attacks or other attacks, and make make a manager suitable to be connected directly to a public network such as the Internet.
The certificate database of the exemplary certificate manager may additionally be encrypted. Optionally, the manager may generate a self-signed certificate initially to encrypt the database. The self-signed certificate may be protected from user access by user privileges, by encryption with a fixed key, encoding in a non-readable or specialized format, or other method. Private keys used to generate CSRs are not stored on the exemplary manager, but are stored on the destination servers (where they may have been generated by the creation of a CSR).
The exemplary manager may further include an updating tool. The updating tool checks for security or bug fix updates to the system periodically, and downloads and installs any updates automatically. The manager may further include one or more fail-safe mechanisms that run system diagnostics on a periodic basis to gauge the health of the system and attempt error recovery. Administrators may be notified by email if error recovery is unsuccessful. The manager may further include a database backup feature functional to restore and archive the state of the system.
Systems for Managing Digital Certificates to Client Devices
Systems described above permit the automatic maintenance of certificates on server devices of various types. Systems may also be constructed to install and maintain certificates on client devices as well. Referring now to
If the client presents a certificate for authentication, tested in step 1306, the server may proceed to validate the certificate as in step 1308. The server may also test for certificate revocation, for example by comparing the certificate against a list of revoked certificates. If the certificate has been revoked, or if the certificate is not valid for the authentication purposes, tested in step 1310, the server may proceed to issue a new certificate to the client. Proceeding from one of steps 1306 or 1310 to step 1312, the user is authenticated using an alternate procedure, as a valid certificate was not presented. The alternate procedure may take many forms, such as the entry of a known usemame and password, a passphrase, an account number and PIN number, or any other procedure which may identify the user of the device to the satisfaction of the service provider. Alternatively, if it is merely needed to identify the client device upon subsequent accesses, the user authentication need not be performed.
Upon successful alternate authentication, a new certificate is delivered to the client. Under some circumstances it may be desirable to maintain a store of new certificates, to avoid delays in a service due to the time required to issue a new certificate. Alternatively, a new certificate may be created about the time of delivery, which might be created by in internal or external certificate authority entity. Once a new certificate is delivered to a client, transactions may proceed with the client device under an assurance of authentication, as in step 1320.
If in step 1308, the client certificate delivered to the server is found to be valid and not revoked, a check for an expired certificate may be performed in step 1316. If the certificate is not expired, authenticated transactions may proceed in step 1320. Otherwise, a process of renewing a certificate may commence, in step 1318. In that step, the old certificate is renewed with the appropriate certificate authority, which might be internal or external, and the renewed certificate delivered to the client. The renewal of a certificate might occur at the time of the connection attempt by the client, however a small delay may be introduced, especially if an external certificate authority is used. Alternatively, a process may periodically run on the service side, checking issued certificates for expiration. Certificates may be renewed prior to a request for connection for services from a client, avoiding the small delay, provided that the client certificates are stored in the service system.
In the exemplary method described above, agents may be fashioned for particular client devices. Through the method, an installed agent may act to communicate with the service provider to receive certificates therefrom. An agent may also, if desired, provide an interface for presenting certificates to the service provider. An agent may also provide for management of client certificates in a local store, if local client facilities are not provided or not used otherwise. An agent may, if desired, remove managed certificates from a client device at the time the agent is uninstalled. The agent might also be fashioned to be more comprehensive in function, and may manage a session or transactions with the service provider.
Agents may be fashioned for several kinds of client devices. For example, an agent might be fashioned as a background executable process or daemon communicating with a service provider on a selected TCP port, executables being provided for a number of operating system types such as WinCE, PalmOS, PocketPC, Windows XP, MacOS, Linux, etc. In another example, an agent might be downloaded from the service provider about the time the request for connection for services is made. That agent might be written in a platform-independent interpretive language, such as Java, or might be an executable program provided by a server based on the perceived client type. In that example, the agent might only reside on the client for a fixed period, although the client certificates may reside at the client locally. In another example, the agent might be a browser plugin, which may be automatically downloaded from a predefined location at the time a user first attempts to access a service provider. In yet a further example, an operating system may provide access services sufficient to perform the agent functions, in which case the operating system may be equivalent to a certificate agent.
As to a client certificate, a client may be identified in several different ways. In a first example, a client certificate contains an encrypted identifier assigned by the service provider, the encryption performed with a secret key known to the service provider but not by others generally. The identifier may be associated with an individual's service, for example a bank account number or a user identifier for an information subscription service. The encrypted identifier might include a user identifier and a passphrase, for example a usemame and password or an account number and PIN number.
The identification data may not necessarily be kept secret. For example, if a service provider is in the business of providing access to databases and literature for a fee, the impact of discovery or monitoring the activities of the user might be negligible, although it may be desirable for the service provider to ensure that the user is subscribed. In that example, a certificate might contain a subscription number digitally signed by a key maintained by the provider.
Now in the above client certificate management methods the service provider may identify the individual or group using the service using a presumption that other individuals will not be permitted access to the client device. For example, if the client device is a personal data assistant (PDA), it may be presumed that that device is for a particular individual only, which individual will retain control of to prevent unauthorized use of the service provider's services. If that assumption is made, a service provider may authenticate using a certificate on a client device alone, and need not require the entry of passwords or other user authenticating items.
The service provider may also wish to prevent the transfer of a certificate from one client device to another. In that case, the certificate may include information unique to the client device, for example a MAC address, a fixed IP address, a serial number or a processor ID. The signature of the certificate may further be obtained by encoding the unique information, causing a signature mismatch should the certificate be moved. In an alternative system, an agent may provide the unique information to the service provider so as to avoid an unauthorized user masquerading a different client device for the original device.
Referring now to
An agent server 1414 may also be provided to assist with the download and installation of agents to clients. An internal certificate authority 1416 may be provided to produce encryption/decryption keys or facilities for digitally signing certificates. In one example, internal certificate authority 1416 is in communicative proximity to service provider 1408 so as to avoid substantial delays in data processing. Optionally, an external certificate authority 1418 may be used, which may be operated independently of the entity operating the service provider 1408. If an external certificate authority is used, a certificate may be used to sign user transactions which are afterward publicly verifiable. A certificate store 1402 is provided at client 1400 to store certificates issued by the service provider, making them available in later accesses between client 1400 and service provider 1408.
Now it is to be understood that service provider 1408, optional certificate store 1410, revoked certificate database 1412, agent server 1414 and internal certificate authority 1416 might be completely separate computing systems connected by a network. Alternatively, elements of those may be combined as desired on shared computing resources. In another example, not shown, each of service provider 1408, certificate store 1410, revoked certificate database, agent server 1414 are elements residing on a single server or distributed servers, with internal certificate authority 1416 being optionally included thereon. The operation of a system according to the principles set forth above is illustrated in
Referring now to
In the exemplary service, each client device may be assigned trust levels, the selection of which is shown in
In the exemplary client authorization system above may provide for authentication of a user under the requirements that (1) the user is using a device made trusted earlier and (2) for transactions considered highly sensitive, that a usemame and password or other higher form of authentication be used. In the exemplary system above, it may not be necessary for a user to manage digital certificates, enrollments or digital signing dialogs, although the client system may provide for such activities for advanced use. Also in that system, a global certificate may be provided by the system to various service providers to sign online transactions, or several certificates may be created and stored at the client for signing transactions for several service providers. The exemplary system may also require confirmation by return email to add or remove a client device from the registration list. Additionally, an intruder must not only obtain a usemame and password to create a fraudulent transaction, but must also perform his actions from one of the registered client devices. This makes fraudulent activity much more difficult to accomplish than with present systems that rely only on a usemame and password for user identification.
Now although examples above may have included servers utilizing SSL or TLS protocols, the examples above may be modified as will be understood by those skilled in the art to encompass other protocols, such as message queuing systems, VPN systems, S/MIME systems, IPsec systems, code signatures, 802.11x EAP devices, encrypting file systems (EFS), and client web authenticators, as well as other server types and protocols. Likewise, the above examples have referenced web servers utilizing digital certificate. Those examples may also be modified to include other server types such as application servers, databases, SSL offloading devices, SSL accelerators, or any other type of server or device having the ability to utilize an SSL certificate to communicate securely over a network connection. The above examples have also made use of SSL certificates. Other types of certificates of varying formats and protocols may also be used in the above disclosed systems with minor modification to operate with virtually any conceivable public key infrastructure.
While a number of digital certificate discovery and management systems have been described and illustrated in conjunction with a number of specific configurations and methods, those skilled in the art will appreciate that variations and modifications may be made without departing from the principles herein illustrated, described, and claimed. The present invention, as defined by the appended claims, may be embodied in other specific forms without departing from its spirit or essential characteristics. The configurations described herein are to be considered in all respects as only illustrative, and not restrictive. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.
The following is a list of possible error codes, descriptions, and suggested resolutions.
ERROR CODE DESCRIPTION 0 Success 100 No results found for the given query 101 Could not insert row into table 102 Could not update the information in the table 103 The database query has failed 1200 Specified service was not found 1201 User is not authorized for this service 1202 Service file was not found 1203 Service is not active 3000 Failed to retrieve certificates 3001 Failed to process certificate 3002 Failed to post a CSR to the web site 3003 Failed approving certificate renewal on web site 4000 Could not find the first search string of the common name 4001 Could not find the second search string of the common name 4002 Could not find the first search string of the certificate 4003 Could not find the second search string of the certificate 4004 Could not find the common name 4005 Could not find the certificate 4006 Certificate extraction failed 4007 Could not save certificate. Check ID and common name 4008 Could not find \“C:\\Inetpub\\mailroot\\Drop\” folder 5000 Could not establish a connection with the telnet server 6000 Could not create the CSR for this platform 6001 Could not install the Certification on the platform 6500 Exception in Create Csr 6501 Invalid initial login password 6502 Invalid password config 6503 Could not find the config-ssl prompt 6504 Sonicwall already in use elsewhere - could not connect to configure ssl interface 6505 Could not find the config-ssl-server prompt 6527 Exception in Install Certificate 6528 Invalid initial login password 6529 Invalid password config 6530 Could not find the config-ssl prompt 6531 Sonicwall already in use elsewhere - could not connect to configure ssl interface 6600 IPlanet Install Certificate: Document Complete Never Fired 6601 IPlanet Install Certificate: Invalid username or password 6602 IPlanet Install Certificate: Invalid certificate text 6603 IPlanet Install Certificate: Missing certificate text (the text was empty) 6604 IPlanet Install Certificate: Missing the key pair database password (the password was empty) 6605 IPlanet Install Certificate: Invalid key pair database password 6606 IPlanet Install Certificate: Could not find the Key Pair Password field on the HTML page 6607 IPlanet Install Certificate: Could not find the MessageText radio button on the HTML page 6608 IPlanet Install Certificate: Could not find the MessageText text area box on the HTML page 6609 IPlanet Install Certificate: Could not find the OK button to install the certificate on the HTML page 6610 IPlanet Install Certificate: Could not find the Replace button to confirm the install on the HTML page 6611 IPlanet Install Certificate: Could not find the Server On button to restart the server 6612 IPlanet Install Certificate: The automation did not occur or was not completed successfully. (m_bIsFinished was already true) 6613 IPlanet Install Certificate: Could not find the Add Server Certificate Button 6614 IPlanet Install Certificate: Alias value not found in select box 6615 IPlanet Install Certificate: Navigation to admin page failed. Possible heavy internet traffic or no network connection. 6616 IPlanet Install Certificate: Navigation to install certificate page failed. Possible heavy internet traffic or no network connection. 6617 IPlanet Install Certificate: Server user name blank 6618 IPlanet Install Certificate: Server password blank 6619 IPlanet Install Certificate: IP address blank 6620 IPlanet Install Certificate: Secure server name blank 6621 IPlanet Install Certificate: Key pair password blank 6622 IPlanet Install Certificate: Certificate text blank 6623 IPlanet Install Certificate: Navigation to confirmation page failed. Possible heavy internet traffic or no network connection. 6624 IPlanet Install Certificate: Replace certificate confirmation window not found 6625 IPlanet Install Certificate: Add certificate confirmation window not found 6626 IPlanet Install Certificate: Alias blank 6090 Verisign Retrieve Organization: Navigation to main page failed. Possible heavy internet traffic or no network connection. 6091 Verisign Retrieve Organization: Error retrieving data collection of organization information 6100 Verisign Post CSR: Document Complete never fired 6101 Verisign Post CSR: Automation did not complete (m_bIsFinished == true) 6102 Verisign Post CSR: Missing the First Name parameter 6103 Verisign Post CSR: A duplicate CSR was posted to Verisign's site which cannot be issued 6104 Verisign Post CSR: Missing the Last name parameter 6105 Verisign Post CSR: Invalid email format, must be in format firstname.lastname@example.org 6106 Verisign Post CSR: Missing Challenge Phrase 6107 Verisign Post CSR: Missing the Organization Name 6108 Verisign Post CSR: Invalid Organization Name 6109 Verisign Post CSR: Invalid CSR Text or missing CSR Text Fields 6110 Verisign Post CSR: Verisign MPKI URL blank 6111 Verisign Post CSR: First Name blank 6112 Verisign Post CSR: Last Name blank 6113 Verisign Post CSR: Contact email blank 6114 Verisign Post CSR: Challenge phrase blank 6115 Verisign Post CSR: Missing CSR text 6116 Verisign Post CSR: Additional Fields data table NULL 6117 Verisign Post CSR: Navigation to post CSR page has failed. Possible heavy internet traffic or no network connection. 6118 Verisign Post CSR: Could not find text field for CSR text 6119 Verisign Post CSR: Could not find text field for First Name 6120 Verisign Post CSR: Could not find text field for Last Name 6121 Verisign Post CSR: Could not find text field for Email address 6122 Verisign Post CSR: Could not find text field for Challenge Phrase 6123 Verisign Post CSR: Could not find text field for Challenge Phrase confirm 6124 Verisign Post CSR: Could not find drop down box for Application Server Type 6125 Verisign Post CSR: Your challenge phrase and reconfirmation do not match. 6126 Verisign Post CSR: Please enter a valid IP Address. 6127 Verisign Post CSR: Error finding additional fields 6128 Verisign Post CSR: Navigation to CSR Result page failed. Possible heavy internet traffic or no network connection. 6129 Verisign Post CSR: Could not find additional fields 6130 Verisign Post CSR: One or more additional fields has invalid data. The information entered should contain only alphabetical or numerical characters... 6131 Verisign Post CSR: Unable to start up and connect a browser instance. 6132 Verisign Post CSR: Unable to Navigate the browser. 6133 Verisign Post CSR: An error occurred while checking for ‘First Name’ error message. 6134 Verisign Post CSR: An error occurred while checking for ‘Last Name’ error message. 6135 Verisign Post CSR: An error occurred while checking for an invalid email format error message. 6136 Verisign Post CSR: An error occurred while checking for the Challenge Phrase error message. 6137 Verisign Post CSR: An error occurred while checking for the company name error message. 6138 Verisign Post CSR: An error occurred while checking for an invalid Organization Name error message. 6139 Verisign Post CSR: An error occurred while checking for Invalid CSR Text error message. 6140 Verisign Post CSR: An error occurred while checking for duplicate cert error message. 6141 Verisign Post CSR: An error occurred while checking to see if the Enrollment of the CSR Text was complete. 6142 Verisign Post CSR: An unknown error occurred while posting the CSR Text. Unable to confirm if Enrollment was complete. 6143 Verisign Post CSR: Invalid CA type passed to Postcard 6650 Entrust Retrieve Domains: The automation did not occur or was not completed successfully. 6651 Entrust Retrieve Domains: Document Complete Never Fired 6652 Entrust Retrieve Domains: Username/ID box not found on login page 6653 Entrust Retrieve Domains: Password field not found on login page 6654 Entrust Retrieve Domains: Login button not found on login page 6655 Entrust Retrieve Domains: Username or password not valid 6656 Entrust Retrieve Domains: Less than two select boxes were found on contract information page. 6657 Entrust Retrieve Domains: More than two select boxes were found on contract information page. 6658 Entrust Retrieve Domains: Could not find the Domain Information select box. 6659 Entrust Retrieve Domains: The User Id passed to Entrust Retrieve Domains was blank 6660 Entrust Retrieve Domains: The Password passed to Entrust Retrieve Domains was blank 6661 Entrust Retrieve Domains: Could not complete navigation to Logon page 6662 Entrust Retrieve Domains: Could not complete navigation to Management page 6663 Entrust Retrieve Domains: Could not complete navigation to Contract Information page 6675 Entrust Retrieve Organization Names: The automation did not occur or was not completed successfully. 6676 Entrust Retrieve Organization Names: Document Complete Never Fired 6677 Entrust Retrieve Organization Names: Username/ID box not found on login page 6678 Entrust Retrieve Organization Names: Password field not found on login page 6679 Entrust Retrieve Organization Names: Login button not found on login page 6680 Entrust Retrieve Organization Names: Username or password not valid 6681 Entrust Retrieve Organization Names: Less than two select boxes were found on contract information page. 6682 Entrust Retrieve Organization Names: More than two select boxes were found on contract information page. 6683 Entrust Retrieve Organization Names: Could not find the Organization Name select box 6684 Entrust Retrieve Organization Names: The User Id passed to Entrust Retrieve Organization Names was blank 6685 Entrust Retrieve Organization Names: The Password passed to Entrust Retrieve Organization Names was blank 6686 Entrust Retrieve Organization Names: Could not complete navigation to Logon page 6689 Entrust Retrieve Organization Names: Could not complete navigation to Management page 6690 Entrust Retrieve Organization Names: Could not complete navigation to Contract Information page 6700 IPlanet Create CSR: Document Complete Never Fired 6701 IPlanet Create CSR: Could not find the CA Email Address field on the main HTML page 6702 IPlanet Create CSR: Could not find the Key Pair database field on the main HTML page 6703 IPlanet Create CSR: Could not find the Requestor Name field on the main HTML page 6704 IPlanet Create CSR: Could not find the Telephone Number field on the main HTML page 6705 IPlanet Create CSR: Could not find the Common Name field on the main HTML page 6706 IPlanet Create CSR: Could not find the Email Address field on the main HTML page 6707 IPlanet Create CSR: Could not find the Organization field on the main HTML page 6708 IPlanet Create CSR: Could not find the Organization Unit field on the main HTML page 6709 IPlanet Create CSR: Could not find the Locality field on the main HTML page 6710 IPlanet Create CSR: Could not find the State or Province field on the main HTML page 6711 IPlanet Create CSR: Could not find the Country field on the main HTML page 6712 IPlanet Create CSR: Could not find the OK button on the main HTML page 6713 IPlanet Create CSR: Invalid UserName or Password 6714 IPlanet Create CSR: Missing the CA Email Address (the text was empty) 6715 IPlanet Create CSR: Missing the Key Pair Database Password (the text was empty) 6716 IPlanet Create CSR: Invalid Key Pair Database Password 6717 IPlanet Create CSR: Missing the Requestor Name (the text was empty) 6718 IPlanet Create CSR: Missing the Telephone Number (the text was empty) 6719 IPlanet Create CSR: Missing the Common name (the text was empty) 6720 IPlanet Create CSR: Missing the Email Address (the text was empty) 6721 IPlanet Create CSR: Missing the Organization Name (the text was empty) 6722 IPlanet Create CSR: Missing the Country (the text was empty) 6723 IPlanet Create CSR: Invalid Country (only a single letter was entered —must be two letters) 6724 IPlanet Create CSR: The automation did not occur or was not completed successfully. (m_bIsFinished was already true) 6725 IPlanet Create CSR: Invalid Country Code. 6726 IPlanet Create CSR: Alias value not found in select box 6727 IPlanet Create CSR: Trust database has not been initialized 6728 IPlanet Create CSR: User name blank 6729 IPlanet Create CSR: Password blank 6730 IPlanet Create CSR: IP Address blank 6731 IPlanet Create CSR: Secure server name blank 6732 IPlanet Create CSR: Common name blank 6733 IPlanet Create CSR: Organization name blank 6734 IPlanet Create CSR: Organization unit blank 6735 IPlanet Create CSR: City blank 6736 IPlanet Create CSR: State blank 6737 IPlanet Create CSR: Country blank 6738 IPlanet Create CSR: Contact email blank 6739 IPlanet Create CSR: Contact first name blank 6740 IPlanet Create CSR: Contact last name blank 6741 IPlanet Create CSR: Contact work phone number blank 6742 IPlanet Create CSR: Key pair password blank 6743 IPlanet Create CSR: Navigation to admin page failed. Possible heavy internet traffic or no network connection. 6744 IPlanet Create CSR: Invalid secure server name 6745 IPlanet Create CSR: Navigation to create CSR page failed. Possible heavy internet traffic or no network connection. 6746 IPlanet Create CSR: Navigation to CSR page failed. Possible heavy internet traffic or no network connection. 6747 IPlanet Create CSR: Error retrieving CSR 6748 IPlanet Create CSR: Invalid length for the common name 6749 IPlanet Create CSR: Alias blank 6750 IPlanet Create CSR: Could not find alias field 6751 IPlanet Create CSR: Could not find alias value 6760 Entrust Verify Login: The automation did not occur or was not completed successfully. (m_bIsFinished was already true) 6761 Entrust Verify Login: Document Complete Never Fired 6762 Entrust Verify Login: Username/ID box not found on login page 6763 Entrust Verify Login: Password field not found on login page 6764 Entrust Verify Login: Login button not found on login page 6765 Entrust Verify Login: Username or password not valid 6766 Entrust Verify Login: The User Id passed to Entrust Verify Login was blank 6767 Entrust Verify Login: The Password passed to Entrust Verify Login was blank 6768 Entrust Verify Login: Could not complete navigation to Logon page 6769 Entrust Verify Login: Could not complete navigation to Management page 6775 Verisign Approve: Document Complete Never Fired 6776 Verisign Approve: Could not find the Process Requests link on the main HTML page 6777 Verisign Approve: Could not find the Continue button on the HTML page 6778 Verisign Approve: The automation did not occur or was not completed successfully. (m_bIsFinished was already true) 6779 Verisign Approve: Common name was not found 6780 Verisign Approve: Approve link was not found 6781 Verisign Approve: Could not complete navigation to main MPKI page. Possible heavy internet traffic or no network connection. 6782 Verisign Approve: Could not complete navigation to Process Requests (approval) page. Possible heavy internet traffic or no network connection. 6783 Verisign Approve: Could not complete navigation to approval result page. Possible heavy internet traffic or no network connection. 6784 Verisign Approve: Could not complete navigation to next approval page. Possible heavy internet traffic or no network connection. 6785 Verisign Retrieve Organization Names: Could not find the organization names ‘Org:’ label 6786 Verisign Retrieve Organization Names: Document complete did not fire 6787 Verisign Retrieve Organization Names: Error occurred during retrieval of names from elements on page 6788 Verisign Retrieve Organization Names: Could not complete navigation to Verisign's main MPKI page. Possible heavy internet traffic or no network connection. 6790 Verisign retrieve organization names: Unable to start up and connect a browser instance. 6791 Verisign retrieve organization names: Unable to Navigate the browser. 6792 Verisign retrieve organization names: An error occurred while searching for the OrgName label. 6800 Autocert Utilities Service: Verisign certificate is neither a standard nor global certificate. 6801 Autocert Utilities Service: Unable to update the standard mpki url to the Certificate Authority table. 6802 Autocert Utilities Service: Unable to update the global mpki url to the Certificate Authority table. 6803 Autocert Utilities Service: Unable to delete the domain name from the domain verification table. 6804 Autocert Utilities Service: Unable to insert the domain name to the domain verification table. 6805 Autocert Utilities Service: Unable to delete the organization name from the organization verification table. 6806 Autocert Utilities Service: Unable to insert the organization name to the organization verification table. 6807 Autocert Utilities Service: Initialization of WinINet functions failed. 6808 Autocert Utilities Service: Failed to establish session with web site. 6809 Autocert Utilities Service: Failed to create Http request handle. 6810 Autocert Utilities Service: Failed to retrieve certificate from store. Verify certificate is installed. 6811 Autocert Utilities Service: Failed to attach certificate to http request. 6812 Autocert Utilities Service: SPC system store failed to open. 6813 Autocert Utilities Service: Failed to send request to server. 6814 Autocert Utilities Service: Global certificate file not uploaded. Upload certificate before retrieving information. 6815 Autocert Utilities Service: Standard server certificate file not uploaded. Upload certificate before retrieving information. 6816 Autocert Utilities Service: Could not find Verisign standard account information. Verify correct certificate was uploaded. 6817 Autocert Utilities Service: Could not find Verisign global account information. Verify correct certificate was uploaded. 6818 Entrust Post CSR: The User Id passed to Entrust Post Csr was blank. 6819 Entrust Post CSR: The Password passed to Entrust Post Csr was blank 6820 Entrust Post CSR: The Certificate Id passed to Entrust Post Csr was blank 6821 Entrust Post CSR: The Organization name passed to Entrust Post Csr was blank 6822 Entrust Post CSR: The Csr passed to Entrust Post Csr was blank 6823 Entrust Post CSR: The UserID edit box on the login page could not be found. 6824 Entrust Post CSR: The Password edit box on the login page could not be found. 6825 Entrust Post CSR: The Log in button on the login page could not be found. 6826 Entrust Post CSR: The Create/Renew button on the status page could not be found. 6827 Entrust Post CSR: The Organization Name select box could not be found on the Create/Renue page. 6828 Entrust Post CSR: The Certificate Type select box could not be found on the Create/Renue page. 6829 Entrust Post CSR: The Standard option could not be found as a selection in the Certificate Type select box on the Crate/Renue page. 6830 Entrust Post CSR: The Create Certificate button could not be found on the Create/Renew page. 6831 Entrust Post CSR: The Certificate signing request text area could not be found on the Create/Renew page. 6832 Entrust Post CSR: The Tracking information edit box could not be found on the Create/Renew page. 6833 Entrust Post CSR: The Confirm button was not found on the confirmation page. 6834 Entrust Post CSR: The CSR provided has already been posted, duplicate csr. 6835 Entrust Post CSR: The CSR does not begin with -----BEGIN (five dashes and BEGIN) which is required by Entrust. 6836 Entrust Post CSR: The CSR if for an invalid domain. 6837 Entrust Post CSR: The CSR has an invalid country code. 6838 Entrust Post CSR: The company is using all of its SSL Server Certificates. 6850 Entrust Post CSR: Document Complete did not fire 6851 Entrust Post CSR: could not complete automation. 6852 Entrust Post CSR: An invalid UserId or Password was used. 6853 Entrust Post CSR: Could not complete navigation to Logon page 6854 Entrust Post CSR: Could not complete navigation to certificate management page 6855 Entrust Post CSR: Could not complete navigation to post CSR page 6856 Entrust Post CSR: Could not complete navigation to post CSR confirmation page 6857 Entrust Post CSR: Could not complete navigation to post CSR finished page 6858 Entrust Post CSR: Confirmation page not found 6859 Entrust Post CSR: Unable to navigate to Login Page 6861 Entrust Post CSR: Unable to Locate the Username Element in any of the Frames of the Web Browser Document. 6862 Entrust Post CSR: Unable to authenticate the login. The username and/or password are incorrect or refused by Entrust. 6863 Entrust Post CSR: Unable to start up and connect a browser instance. 6864 Entrust Post CSR: An error occurred while searching for the CSR header sting in the Html text from the WebBrowser document. 6865 Entrust Post CSR: An error occurred while searching for the Tracking label string in the Html text from the WebBrowser document. 6866 Entrust Post CSR: An error occurred while checking if the CSR is a duplicate. 6875 Entrust Post CSR: An error occurred while checking the CSR for five dashes 6876 Entrust Post CSR: An error occurred while checking if all the SSL Server Certs have been used for the login account. 6877 Entrust Approve Certificate: Document Complete Never Fired 6878 Entrust Approve Certificate: The automation did not occur or was not completed successfully. (m_bIsFinished was already true) 6879 Entrust Approve Certificate: Username/ID box not found on login page 6880 Entrust Approve Certificate: Password field not found on login page 6881 Entrust Approve Certificate: Login button not found on login page 6882 Entrust Approve Certificate: Username or password not valid 6883 Entrust Approve Certificate: Certificate was not found 6884 Entrust Approve Certificate: The User Id passed to Entrust Approve Certificate was blank 6885 Entrust Approve Certificate: The Password passed to Entrust Approve Certificate was blank 6886 Entrust Approve Certificate: The Certificate Id passed to Entrust Approve Certificate was blank 6887 Entrust Approve Certificate: Could not complete navigation to Logon page 6888 Entrust Approve Certificate: Could not complete navigation to certificate management page 6889 Entrust Approve Certificate: Could not find ‘Ready’ text in the TR tag 6890 Entrust Approve Certificate: Could not find Entrust generated tracking id 6891 Entrust Approve Certificate: Could not find Ready link with Entrust generated tracking id 6892 Entrust Approve Certificate: Could not complete navigation to Csr Posting Finished page 6900 Entrust Retrieve Certificate: Document Complete did not fire 6901 Entrust Retrieve Certificate: Automation did not complete 6902 Entrust Retrieve Certificate: Could not find the Unique Id field on the Entrust Login frame 6903 Entrust Retrieve Certificate: Could not find the Password field on the Entrust Login frame 7000 Entrust Retrieve Certificate: Could not find the Log in button 7001 Entrust Retrieve Certificate: Invalid Entrust Username or Password 7002 Entrust Retrieve Certificate: Certificate id was not found 8000 Entrust Retrieve Certificate: Could not find the BEGIN CERTIFICATE or END CERTIFICATE identifiers 8001 Entrust Retrieve Certificate: Could not find the Certificate page section identifier 8002 Entrust Retrieve Certificate: The User Id passed to Entrust Retrieve Certificate was blank 8010 Entrust Retrieve Certificate: The Password passed to Entrust Retrieve Certificate was blank 9003 Entrust Retrieve Certificate: The Certificate Id passed to Entrust Retrieve Certificate was blank 9011 Entrust Retrieve Certificate: Could not complete navigation to Logon page 9012 Entrust Retrieve Certificate: Could not complete navigation to Management page 9013 Entrust Retrieve Certificate: Could not find active text 9014 Entrust Retrieve Certificate: Could not find tracking ID 9015 Entrust Retrieve Certificate: Could not find active link 9016 Entrust Retrieve Certificate: Could not complete navigation to Finish page 9017 IIS 6.0: Could not create the private key 9018 IIS 6.0: Could not create the CSR 9019 IIS 6.0: Could not create the PFX 9020 IIS 6.0: Could not install the PFX 9021 AutocertMonitor: An exception occurred while calling the auto-update web service 9022 AutocertMonitor: Error loading local xml manifest document 9023 AutocertMonitor: Error occurred during LoadManifest call 9024 SMImport: Error connecting to csv file. Check file location. 9025 SMImport: Data type(s) incorrect in csv file. Check numerical data. 9026 SMImport: Data format incorrect in csv file. Verify that data in each field is correctly formatted. 9027 SMCertificate: Unable to update the Valid From and To dates in the Database 9028 ACLog: Could not get log configuration 9029 SMCertificate: Could not get certificate 9030 SMCertificate: Could not get certificates by status code 9031 SMCertificate: Could not get and sort certificates by status code 9032 SMCertificate: Could not get certificates in renewal window 9033 SMCertificate: Could not get all certificates 9034 SMCertificate: Could not get and sort all certificates 9035 SMCertificate: Could not get all certificates over max attempt number 9036 SMCertificate: Could not get and sort all certificates over max attempt number 9041 SMCertificate: Could not get generated CSR data 9042 SMCertificate: Could not insert certificate 9043 SMCertificate: Could not update certificate 9044 SMCertificate: Could not update certificate edited by the user 9045 SMCertificate: Could not update the certificate csr text 9046 SMCertificate: Could not update the certificate active flag 9047 SMCertificate: Could not update the certificate status code 9048 SMCertificate: Could not update the certificate attempt count 9049 SMCertificate: Could not update the certificate text 9050 SMCertificate: Could not update certificate private key text 9051 SMCertificate: Could not update certificate valid from/to date 9052 SMCertificate: Could not get certificate ID by common name 9053 SMCertificate: No certificate given to split 9054 SMCertificate: Unable to retrieve all custom field titles 9055 SMCertificate: Unable to get all custom fields 9056 SMCertificate: Unable to read valid dates from certificate text 9061 SMCertificate: Could not update the certificate CA tracking value 9062 SMCertificate: Count not get certificates in process 9063 SMCertificateAuthority: Could not get all certificate authorities 9064 SMCertificateAuthority: Could not get certificate authority 9065 EXCEPTION_SMCERTIFICATEAUTHORITY_ GETCERTIFICATEAUTHORITYSETUPCOMPLETESORT 9066 SMCertificateAuthority: Could not update certificate authority setup complete 9067 SMCertificateAuthority: Could not update certificate authority username and password 9068 SMCertificateAuthority: Could not update certificate authority post csr url 9069 SMCertificateAuthority: Could not get any certificate authority setup complete 9071 SMCertificateAuthority: Could not get domain verifications by CA 9072 SMCertificateAuthority: Could not insert domain verification 9073 SMCertificateAuthority: Could not delete domain verification 9081 SMCertificateAuthority: Could not get organization verifications by CA 9091 SMCertificateAuthority: Could not insert organization verification 9092 SMCertificateAuthority: Could not delete organization verification 9093 SMCertificateAuthority: Could not get Entrust domain organization verification 9094 SMCertificateAuthority: Could not get semaphore error code 9095 SMCertificateAuthority: Could not update semaphore error code 9096 SMContact: Could not update contact 9097 SMContact: Could not update contact active flag 9098 SMContact: Could not insert contact 9099 SMContact: Could not get all contacts 9101 SMContact: Could not get and sort all contacts 9102 SMContact: Could not get contact 9103 SMContact: Could not get contact by certificate serial number 9104 SMContact: Could not get contact certificate serial number 9105 SMContact: Could not verify user rights 9106 SMDatabase: Could not backup database 9107 SMDatabase: Could not restore database 9108 SMDatabase: Unable to get all status codes 9112 SMMailParse: Could not process mail 9113 SMServer: Could not get all servers 9114 SMServer: Could not get all server type codes 9115 SMServer: Could not get and sort all servers 9116 SMServer: Could not get server 9117 SMServer: Could not insert server 9118 SMServer: Could not update the server active flag 9121 SMServer: Could not update server 9122 SMServer: Could not get server type code by certificate ID 9123 SMServer: Could not get server type code 9124 SMSettings: Could not get all settings 9125 SMSettings: Could not get settings 9126 SMSettings: Could not update settings critical error email 9127 SMSettings: Could not update settings database backup path 9128 SMSettings: Could not update settings database last backup date 9129 SMSettings: Could not update settings database last backup path 9130 SMSettings: Could not update settings database backup interval 9131 SMSettings: Could not update settings proxy server address 9132 SMSettings: Could not get settings critical error email 9133 SMSettings: Could not get settings database backup path 9134 SMSettings: Could not get settings max attempt number 9135 SMSettings: Could not get settings automation interval 9136 SMSettings: Could not get settings server email 9137 SMSettings: Could not get settings database backup interval 9231 SMSettings: Could not get settings proxy server address 9232 ACCryptography: Could not install verisign admin certificate 9233 ACCryptography: Could not remove verisign admin certificate 9234 ACCryptography: Exception occurred while reading pfx file 9235 ACCryptography: Not a valid pfx file 9141 ACCryptography: Incorrect password 9142 ACCryptography: Opening of pfx file failed 9143 ACCryptography: ‘MY’ system store failed to open in InstallVerisignAdminCertificate 9144 ACCryptography: Import of certificate to ‘MY’ store failed 9145 ACCryptography: Empty parameter for file path passed to InstallVerisignAdminCertificate 9146 ACCryptography: Empty parameter for password passed to InstallVerisignAdminCertificate 9147 ACCryptography: ‘MY’ system store failed to open in RemoveVerisignAdminCertificate 9148 ACCryptography: Failed to remove certificates from ‘MY’ store 9149 ACCryptography: Exception occurred while reading pfx file 9150 ACCryptography: Not a valid pfx file 9151 ACCryptography: Incorrect password 9152 ACCryptography: Empty parameter for file path passed to VerifyPfxFile 9160 ACCryptography: Empty parameter for password passed to VerifyPfxFile 9161 ACTelnet: Could not receive from server 9162 ACTelnet: Could not send to server 9163 ACTelnet: Could not process options 9164 ACTelnet: Could not respond to options 9165 ACTelnet: Could not arrange reply 9166 AutoCertService: Exception in Main() 9167 AutoCertService: Unable to get expiring certificates 9171 AutoCertService: Unable to generate CSR 9172 AutoCertService: Unable to post CSR 9173 AutoCertService: Manual bulk approval failed 9174 AutoCertService: Unable to approve certificates 9200 AutoCertService: Unable to retrieve certificates 9201 AutoCertService: Unable to split certificates 9202 AutoCertService: Unable to install certificates 9203 AutoCertService: Unable to verify certificates 9204 AutoCertService: Unable to set proxy settings 9205 AutoCertService: Unable to set proxy settings 9206 Unable to connect to server while creating csr 9207 Exiting create csr 9208 Unable to connect to server while installing certificate 9209 Installation of certificate failed 9210 Unable to connect to server while creating csr 9211 Exiting create csr 9212 Unable to connect to server while installing certificate 9213 Installation of certificate failed 9214 Access denied, Please check the username and password (for the Certificate Authority) and try again 9215 Unable to retrieve the certificate 9216 Unable to approve the certificate 9217 Unable to post the CSR 9450 Common name exceeded maximum length 9451 Domain name must be at the end of the common name 9501 ServerID not found 9502 ContactID not found 9503 Server email not found 9511 SMCertificateAuthority: Domain Name already exists in the database 9512 SMCertificateAuthority: Organization Name already exists in the database 9521 SMCertificate: No certificate given to split 9522 SMCertificate: Server certificate not found 9600 Verisign Global Setup: Error occurred while stopping service. 9601 Verisign Global Setup: Error occurred while starting service. 9602 Verisign Standard Setup: Error occurred while stopping service. 9603 Verisign Standard Setup: Error occurred while starting service. 9604 Command prompt not received after terminal type input 9605 Command ‘genconf’ common name prompt not received 9606 Command ‘genconf’ country name prompt not received 9607 Command ‘genconf’ state prompt not received 9608 Command ‘genconf’ city prompt not received 9609 Command ‘genconf’ organization name prompt not received 9610 Command ‘genconf’ organizational unit prompt not received 9611 Command ‘genconf’ Are these correct? prompt not received 9612 Command ‘genconf’ command prompt not received 9613 Command ‘genkey’ key file already exists 9614 Command ‘genkey’ Are these correct? prompt not received 9615 Command ‘genkey’ country name prompt not received 9616 Command ‘genkey’ state prompt not received 9617 Command ‘genkey’ city prompt not received 9618 Command ‘genkey’ organization name prompt not received 9619 Command ‘genkey’ organizational unit prompt not received 9620 Command ‘genkey’ common name prompt not received 9621 Command ‘genkey’ second country name prompt not received 9622 Command ‘genkey’ second state prompt not received 9623 Command ‘genkey’ second city prompt not received 9624 Command ‘genkey’ second organization name prompt not received 9625 Command ‘genkey’ second organizational unit prompt not received 9626 Command ‘genkey’ second common name prompt not received 9627 Command ‘genkey’ second hit return prompt not received 9628 Command ‘genkey’ encrypt prompt not received 9629 Command ‘genkey’ passphrase prompt not received 9630 Command ‘genkey’ verify passphrase prompt not received 9631 Command ‘genkey’ command prompt not received after verify passphrase 9632 Command ‘cat’ command prompt not received 9633 Command prompt not received after echo 9634 Command ‘genkey’ key file already exists 9635 Command ‘genkey’ Hit return prompt not received 9636 Command ‘genkey’ command prompt not received 9637 Command ‘genkey’ remove key prompt not received 9638 Command ‘genkey’ command prompt not received after key removed 9639 Command ‘genkey’ remove csr prompt not received 9640 Command ‘genkey’ command prompt not received after csr remove 9641 Command ‘genkey’ remove crt prompt not received 9642 Command ‘genkey’ command prompt not received after crt remove 9643 Command prompt not received after terminal type input 9644 Command ‘genconf’ common name prompt not received 9645 Command ‘genconf’ country name prompt not received 9646 Command ‘genconf’ state prompt not received 9647 Command ‘genconf’ city prompt not received 9648 Command ‘genconf’ organization name prompt not received 9649 Command ‘genconf’ organizational unit prompt not received 9650 Command ‘genconf’ Are these correct? prompt not received 9651 Command ‘genconf’ command prompt not received 9652 Command ‘genkey’ Hit return prompt not received 9653 Command ‘genkey’ command prompt not received 9654 Command ‘genkey’ remove key prompt not received 9655 Command ‘genkey’ command prompt not received after key removed 9656 Command ‘genkey’ remove csr prompt not received 9657 Command ‘genkey’ command prompt not received after csr remove 9658 Command ‘genkey’ remove crt prompt not received 9659 Command ‘genkey’ command prompt not received after crt remove 9660 Command ‘genkey’ key file already exists 9661 Command ‘genkey’ Are these correct? prompt not received 9662 Command ‘genkey’ country name prompt not received 9663 Command ‘genkey’ state prompt not received 9664 Command ‘genkey’ city prompt not received 9665 Command ‘genkey’ organization name prompt not received 9666 Command ‘genkey’ organizational unit prompt not received 9667 Command ‘genkey’ common name prompt not received 9668 Command ‘genkey’ second country name prompt not received 9669 Command ‘genkey’ second state prompt not received 9670 Command ‘genkey’ second city prompt not received 9671 Command ‘genkey’ second organization name prompt not received 9672 Command ‘genkey’ second organizational unit prompt not received 9673 Command ‘genkey’ second common name prompt not received 9674 Command ‘genkey’ second hit return prompt not received 9675 Command ‘genkey’ encrypt prompt not received 9676 Command ‘genkey’ passphrase prompt not received 9700 Command ‘genkey’ verify passphrase prompt not received 9701 Command ‘genkey’ command prompt not received after verify passphrase 9702 Command ‘cat’ command prompt not received 9703 Command prompt not received after echo 9704 Verisign Retrieve Domains: Unable to start up and connect a browser instance. 9705 Verisign Retrieve Domains: Could not complete navigation to Verisign's MPKI main page 9776 Verisign Retrieve Domains: Error occurred during building of user services url 9777 Verisign Retrieve Domains: Could not complete navigation to user services page 9778 Verisign Retrieve Domains: Could not complete navigation to domains page 9779 Verisign Retrieve Domains: Error occurred during retrieving of domain names from page 9801 A timeout occurred while posting the csr, this may be due to network traffic or the server may be down 9802 A timeout occurred while approving the csr, this may be due to network traffic or the server may be down 9803 A timeout occurred while retrieving the certificate, this may be due to network traffic or the server may be down 9804 Unable to start the Windows2003Ca Process this could be due to a misconfiguration in the Windows 2003 Certificate Authority setup, please check the settings to make sure they are correct −1 ERROR UNKNOWN
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US5903882 *||Dec 13, 1996||May 11, 1999||Certco, Llc||Reliance server for electronic transaction system|
|US6044462 *||Apr 2, 1997||Mar 28, 2000||Arcanvs||Method and apparatus for managing key revocation|
|US6134658 *||Jun 9, 1997||Oct 17, 2000||Microsoft Corporation||Multi-server location-independent authentication certificate management system|
|US6185678 *||Oct 2, 1998||Feb 6, 2001||Trustees Of The University Of Pennsylvania||Secure and reliable bootstrap architecture|
|US6269456 *||Jan 11, 2000||Jul 31, 2001||Network Associates, Inc.||Method and system for providing automated updating and upgrading of antivirus applications using a computer network|
|US6304974 *||Nov 6, 1998||Oct 16, 2001||Oracle Corporation||Method and apparatus for managing trusted certificates|
|US6367013 *||Dec 1, 1999||Apr 2, 2002||Eoriginal Inc.||System and method for electronic transmission, storage, and retrieval of authenticated electronic original documents|
|US6438690 *||Dec 31, 1998||Aug 20, 2002||International Business Machines Corp.||Vault controller based registration application serving web based registration authorities and end users for conducting electronic commerce in secure end-to-end distributed information system|
|US6615347 *||Jun 30, 1998||Sep 2, 2003||Verisign, Inc.||Digital certificate cross-referencing|
|US6640301 *||Jul 8, 1999||Oct 28, 2003||David Way Ng||Third-party e-mail authentication service provider using checksum and unknown pad characters with removal of quotation indents|
|US6662217 *||Jan 19, 1999||Dec 9, 2003||Microsoft Corporation||Distributed and automated test administration system for administering automated tests on server computers over the internet|
|US6853988 *||Sep 20, 2000||Feb 8, 2005||Security First Corporation||Cryptographic server with provisions for interoperability between cryptographic systems|
|US7120929 *||Apr 8, 2005||Oct 10, 2006||Geotrust, Inc.||Methods and systems for automated authentication, processing and issuance of digital certificates|
|US7209479 *||Jun 6, 2001||Apr 24, 2007||Science Application International Corp.||Third party VPN certification|
|US7209563 *||Dec 15, 1999||Apr 24, 2007||Bull, S.A.||Process for creating and managing at least one cryptographic key, and system for its implementation|
|US7275155 *||Nov 1, 2000||Sep 25, 2007||Northrop Grumman Corporation||Chain of trust processing|
|US20010011255 *||Dec 7, 1998||Aug 2, 2001||Alan Asay||Reliance management for electronic transaction system|
|US20020023037 *||Nov 5, 2001||Feb 21, 2002||White Newton B.||Exchange method and apparatus|
|US20020062438 *||Aug 31, 2001||May 23, 2002||Alan Asay||Reliance server for electronic transaction system|
|US20020071563 *||Dec 12, 2000||Jun 13, 2002||Kurn David Michael||Method and apparatus for cryptographic key rollover during operation|
|US20020087479 *||Aug 7, 2001||Jul 4, 2002||Peter Malcolm||Information management system|
|US20020147746 *||Nov 30, 2001||Oct 10, 2002||Lee Michele C.||Delivering output XML with dynamically selectable processing|
|US20020152382 *||Jan 25, 2002||Oct 17, 2002||Sihai Xiao||Trust information delivery scheme for certificate validation|
|US20020184493 *||May 21, 2002||Dec 5, 2002||Rees Robert Thomas Owen||Digital certificate expiry notification|
|US20030035547 *||Mar 27, 2001||Feb 20, 2003||John Newton||Server with multiple encryption libraries|
|US20030037234 *||Aug 17, 2001||Feb 20, 2003||Christina Fu||Method and apparatus for centralizing a certificate revocation list in a certificate authority cluster|
|US20030110374 *||Apr 18, 2002||Jun 12, 2003||Masaaki Yamamoto||Terminal communication system|
|US20030126431 *||Oct 15, 2002||Jul 3, 2003||Beattie Douglas D.||Methods and systems for automated authentication, processing and issuance of digital certificates|
|US20030126433 *||Dec 27, 2001||Jul 3, 2003||Waikwan Hui||Method and system for performing on-line status checking of digital certificates|
|US20030131233 *||Jan 4, 2002||Jul 10, 2003||Avaya Technology Corp.||Efficient packet encryption method|
|US20030131244 *||Jan 6, 2003||Jul 10, 2003||Dream Team S.R.L.||Method and system for identifying users and authenticating digital documents on data communications networks|
|US20040030887 *||Aug 7, 2002||Feb 12, 2004||Harrisville-Wolff Carol L.||System and method for providing secure communications between clients and service providers|
|US20040080528 *||Apr 16, 2001||Apr 29, 2004||Watchit.Com,Inc.||Systems and methods for presenting interactive programs over the internet|
|US20040243805 *||Mar 19, 2004||Dec 2, 2004||Tomoaki Enokida||Digital certificate management system, digital certificate management apparatus, digital certificate management method, program and computer readable information recording medium|
|US20040268152 *||Jun 25, 2004||Dec 30, 2004||Wrq, Inc.||Computer-based dynamic secure non-cached delivery of security credentials such as digitally signed certificates or keys|
|US20050005097 *||Sep 29, 2003||Jan 6, 2005||Minolta Co., Ltd.||Communication system and method in public key infrastructure|
|US20050033957 *||Jun 24, 2004||Feb 10, 2005||Tomoaki Enokida||Digital certificate management system, digital certificate management apparatus, digital certificate management method, update procedure determination method and program|
|US20060036850 *||Oct 25, 2005||Feb 16, 2006||Tomoaki Enokida||Digital certificate management system, digital certificate management apparatus, digital certificate management method, update procedure determination method and program|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7681034||Feb 12, 2002||Mar 16, 2010||Chang-Ping Lee||Method and apparatus for securing electronic data|
|US7703140||Sep 30, 2003||Apr 20, 2010||Guardian Data Storage, Llc||Method and system for securing digital assets using process-driven security policies|
|US7707427||Jul 19, 2004||Apr 27, 2010||Michael Frederick Kenrich||Multi-level file digests|
|US7729995||Jul 22, 2002||Jun 1, 2010||Rossmann Alain||Managing secured files in designated locations|
|US7783765||Feb 12, 2002||Aug 24, 2010||Hildebrand Hal S||System and method for providing distributed access control to secured documents|
|US7836310||Nov 1, 2002||Nov 16, 2010||Yevgeniy Gutnik||Security system that uses indirect password-based encryption|
|US7890990||Dec 20, 2002||Feb 15, 2011||Klimenty Vainstein||Security system with staging capabilities|
|US7913311||Aug 10, 2007||Mar 22, 2011||Rossmann Alain||Methods and systems for providing access control to electronic data|
|US7921284||May 31, 2002||Apr 5, 2011||Gary Mark Kinghorn||Method and system for protecting electronic data in enterprise environment|
|US7921288||Mar 20, 2002||Apr 5, 2011||Hildebrand Hal S||System and method for providing different levels of key security for controlling access to secured items|
|US7921450||Nov 15, 2002||Apr 5, 2011||Klimenty Vainstein||Security system using indirect key generation from access rules and methods therefor|
|US7930756||Mar 31, 2003||Apr 19, 2011||Crocker Steven Toye||Multi-level cryptographic transformations for securing digital assets|
|US7950066||Dec 21, 2001||May 24, 2011||Guardian Data Storage, Llc||Method and system for restricting use of a clipboard application|
|US8108917 *||Dec 21, 2006||Jan 31, 2012||Brother Kogyo Kabushiki Kaisha||Management apparatus|
|US8127366 *||Sep 30, 2003||Feb 28, 2012||Guardian Data Storage, Llc||Method and apparatus for transitioning between states of security policies used to secure electronic documents|
|US8170931||Oct 28, 2008||May 1, 2012||Dell Products L.P.||Configuring user-customized services for networked devices|
|US8438628||Jun 29, 2010||May 7, 2013||Riverbed Technology, Inc.||Method and apparatus for split-terminating a secure network connection, with client authentication|
|US8473620||Jul 26, 2010||Jun 25, 2013||Riverbed Technology, Inc.||Interception of a cloud-based communication connection|
|US8478986||Dec 3, 2008||Jul 2, 2013||Riverbed Technology, Inc.||Reducing latency of split-terminated secure communication protocol sessions|
|US8606875 *||Jun 30, 2004||Dec 10, 2013||Oracle America, Inc.||Method and system for automatic distribution and installation of a client certificate in a secure manner|
|US8613071||Jul 18, 2006||Dec 17, 2013||Riverbed Technology, Inc.||Split termination for secure communication protocols|
|US8621205||Feb 12, 2010||Dec 31, 2013||Microsoft Corporation||Certificate remoting and recovery|
|US8671274 *||Oct 28, 2008||Mar 11, 2014||Dell Products L.P.||Delivery of multiple third-party services to networked devices|
|US8700892||Jul 29, 2010||Apr 15, 2014||F5 Networks, Inc.||Proxy SSL authentication in split SSL for client-side proxy agent resources with content insertion|
|US8707043||Mar 3, 2009||Apr 22, 2014||Riverbed Technology, Inc.||Split termination of secure communication sessions with mutual certificate-based authentication|
|US8745375||Nov 8, 2010||Jun 3, 2014||International Business Machines Corporation||Handling of the usage of software in a disconnected computing environment|
|US8832430 *||Sep 17, 2010||Sep 9, 2014||Microsoft Corporation||Remote certificate management|
|US9009808||Jan 27, 2014||Apr 14, 2015||Dell Products L.P.||Delivery of multiple third-party services to networked devices|
|US9027141 *||Apr 12, 2012||May 5, 2015||Netflix, Inc.||Method and system for improving security and reliability in a networked application environment|
|US9077759||Mar 15, 2013||Jul 7, 2015||Apple Inc.||Conflict resolution for keychain syncing|
|US9100370||Mar 18, 2011||Aug 4, 2015||F5 Networks, Inc.||Strong SSL proxy authentication with forced SSL renegotiation against a target server|
|US20070150727 *||Dec 21, 2006||Jun 28, 2007||Brother Kogyo Kabushiki Kaisha||Management Apparatus|
|US20090083537 *||Dec 3, 2008||Mar 26, 2009||Riverbed Technology, Inc.||Server configuration selection for ssl interception|
|US20110066848 *||Sep 17, 2010||Mar 17, 2011||Microsoft Corporation||Remote certificate management|
|US20110161662 *||Jun 30, 2010||Jun 30, 2011||Hong Fu Jin Precision Industry (Shenzhen) Co., Ltd||System and method for updating digital certificate automatically|
|US20130276089 *||Apr 12, 2012||Oct 17, 2013||Ariel Tseitlin||Method and system for improving security and reliability in a networked application environment|
|US20140237091 *||Feb 15, 2013||Aug 21, 2014||Digicert, Inc.||Method and System of Network Discovery|
|US20140281540 *||Mar 15, 2013||Sep 18, 2014||Apple Inc.||Keychain syncing|
|WO2010045706A1 *||Mar 25, 2009||Apr 29, 2010||Research In Motion Limited||Pushing certificate chains to remote devices|
|WO2013093209A1 *||Dec 21, 2012||Jun 27, 2013||Ssh Communications Security Oyj||Automated access, key, certificate, and credential management|
|International Classification||G06F3/00, H04L9/32, H04L29/06, H04L9/00|
|Cooperative Classification||H04L63/04, H04L63/0823, H04L63/105, H04L63/20, H04L2209/76, H04L9/3271, H04L9/3263, H04L2209/56, H04L2209/34, H04L9/3226|
|Dec 16, 2004||AS||Assignment|
Owner name: IMCENTRIC, INC., UTAH
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:THORNTON, RUSSELL S.;HODSON, BENJAMIN;SEEGMILLER, JAYSON;REEL/FRAME:016080/0355
Effective date: 20041115
|May 16, 2005||AS||Assignment|
Owner name: IMCENTRIC, INC, UTAH
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:THORNTON, RUSSELL S.;HODSON, BENJAMIN;SEEGMILLER, JAYSON;REEL/FRAME:016566/0888
Effective date: 20041115
|Oct 21, 2005||AS||Assignment|
Owner name: VENAFI, INC.,UTAH
Free format text: CHANGE OF NAME;ASSIGNORS:THORNTON, RUSSELL S.;HODSON, BENJAMIN;SEEGMILLER, JAYSON;AND OTHERS;REEL/FRAME:017111/0526
Effective date: 20050301
|Jul 15, 2011||AS||Assignment|
Owner name: SILICON VALLEY BANK, COLORADO
Free format text: SECURITY AGREEMENT;ASSIGNOR:VENAFI, INCORPORATED;REEL/FRAME:026597/0819
Effective date: 20110714
|May 13, 2014||AS||Assignment|
Owner name: SILICON VALLEY BANK, CALIFORNIA
Free format text: SECURITY INTEREST;ASSIGNOR:VENAFI, INC.;REEL/FRAME:032875/0450
Effective date: 20140508