US 12,034,872 B1
Highly available certificate issuance using specialized certificate authorities
Param Sharma, Haymarket, VA (US); and Todd Cignetti, Ashburn, VA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Aug. 25, 2021, as Appl. No. 17/411,740.
Int. Cl. H04L 9/32 (2006.01); H04L 9/08 (2006.01)
CPC H04L 9/3268 (2013.01) [H04L 9/0825 (2013.01); H04L 9/0861 (2013.01)] 11 Claims
OG exemplary drawing
 
1. A computer-implemented method comprising:
receiving a request to generate a specialized certificate authority, the request received by a certificate management service of a multi-tenant provider network, the request including a selection of only one customer-specified template to be associated with the specialized certificate authority for a lifetime of the specialized certificate authority;
generating, in response to the request to generate the specialized certificate authority, the specialized certificate authority to have the lifetime and configured to issue for the lifetime of the specialized certificate authority only one type of digital certificate using the only one customer-specified template;
wherein generating the specialized certificate authority comprises storing an encrypted form of a private key of the specialized certificate authority used to issue new certificates in a highly available data store of the multi-tenant provider network;
wherein the specialized certificate authority is hosted by a host of a control plane of a customer service that is implemented in the multi-tenant provider network;
receiving a plurality of requests via an endpoint for the specialized certificate authority during the lifetime of the specialized certificate authority, each request of the plurality of requests to issue a respective new digital certificate for a respective instance being added to a cluster of instances of the customer service;
issuing, for each request of the plurality of requests, the respective new digital certificate as the only one type of digital certificate and using the only one customer-specified template;
wherein the respective new digital certificate comprises a respective digital signature created using a decrypted form of the private key of the specialized certificate authority;
wherein issuing, for each request of the plurality of requests, the respective new digital certificate comprises:
obtaining, by a hardware security module in the multi-tenant provider network, the encrypted form of the private key from the highly available data store,
decrypting, by the hardware security module, the encrypted form of the private key to yield the decrypted form of the private key, and
providing the decrypted form of the private key to the specialized certificate authority for use by the specialized certificate authority to create the respective digital signature of the respective new digital certificate; and
returning, in response to each request of the plurality of requests, the respective new digital certificate to the control plane of the customer service, wherein the control plane of the customer service provides the respective new digital certificate to the respective instance being added to the cluster of instances of the service.
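The issuance flow the claim recites, as an added Go example (standard library only; it is not code from the patent or from Amazon): one CA bound to a single template for its lifetime, the CA private key kept only in wrapped form in the data store, unwrapped by the HSM for each signing, and the certificate returned as DER for the instance joining the cluster. Everything here is an assumption made for the example: the `HSM`, `Template` and `SpecializedCA` types and their methods are hypothetical names, AES-256-GCM under an in-process key-encryption key stands in for the HSM's wrapping, a byte slice stands in for the highly available data store record, keys are ECDSA P-256, and the template name, DNS names and lifetimes are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Template is the single customer-specified template bound to the CA for its whole lifetime (assumed shape).
type Template struct{ Name string; Validity time.Duration; ExtKeyUsage []x509.ExtKeyUsage }

// NodeTemplate is a constructed example: TLS server certificates for cluster nodes, valid 24h.
var NodeTemplate = Template{"cluster-node", 24 * time.Hour, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}

// HSM stands in for the provider's HSM: an AES-256-GCM key-encryption key (assumed scheme) that never leaves it.
type HSM struct{ gcm cipher.AEAD }

func NewHSM() (*HSM, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { return nil, err }
	block, err := aes.NewCipher(kek)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	return &HSM{gcm: gcm}, err
}

// Wrap returns nonce||ciphertext of a PKCS#8 key; only this blob is written to the data store.
func (h *HSM) Wrap(pkcs8 []byte) ([]byte, error) {
	nonce := make([]byte, h.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return h.gcm.Seal(nonce, nonce, pkcs8, nil), nil
}

// Unwrap decrypts the blob for one signing operation, the claim's per-request HSM step.
func (h *HSM) Unwrap(blob []byte) (*ecdsa.PrivateKey, error) {
	n := h.gcm.NonceSize()
	if len(blob) < n { return nil, fmt.Errorf("wrapped key too short") }
	pkcs8, err := h.gcm.Open(nil, blob[:n], blob[n:], nil)
	if err != nil { return nil, err }
	key, err := x509.ParsePKCS8PrivateKey(pkcs8)
	if ec, ok := key.(*ecdsa.PrivateKey); ok && err == nil { return ec, nil }
	return nil, fmt.Errorf("unwrapped key is not a usable ECDSA key: %v", err)
}

// SpecializedCA issues one certificate type from one template until its own cert expires; wrappedKey is the
// record kept in the highly available data store, and the plaintext key is never stored anywhere.
type SpecializedCA struct{ Cert *x509.Certificate; template Template; wrappedKey []byte; hsm *HSM }

func NewSpecializedCA(name string, lifetime time.Duration, tmpl Template, hsm *HSM, now time.Time) (*SpecializedCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	pkcs8, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil { return nil, err }
	blob, err := hsm.Wrap(pkcs8) // the plaintext key goes out of scope here; only the wrapped form persists
	return &SpecializedCA{Cert: cert, template: tmpl, wrappedKey: blob, hsm: hsm}, err
}

// Issue handles one control-plane request for an instance joining the cluster: it enforces the single
// template and the CA lifetime, has the HSM unwrap the key, signs, and returns the DER certificate.
func (ca *SpecializedCA) Issue(templateName, instanceDNS string, pub *ecdsa.PublicKey, now time.Time) ([]byte, error) {
	if templateName != ca.template.Name { return nil, fmt.Errorf("this CA issues only %q certificates, not %q", ca.template.Name, templateName) }
	if now.After(ca.Cert.NotAfter) { return nil, fmt.Errorf("specialized CA lifetime has ended") }
	key, err := ca.hsm.Unwrap(ca.wrappedKey)
	if err != nil { return nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128-bit unpredictable serial
	if err != nil { return nil, err }
	notAfter := now.Add(ca.template.Validity)
	if notAfter.After(ca.Cert.NotAfter) { notAfter = ca.Cert.NotAfter } // a leaf must not outlive its issuer
	leaf := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: instanceDNS},
		DNSNames: []string{instanceDNS}, NotBefore: now.Add(-time.Minute), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ca.template.ExtKeyUsage}
	return x509.CreateCertificate(rand.Reader, leaf, ca.Cert, pub, key)
}

// VerifyInstanceCert is what a cluster peer does with the certificate: chain it to the CA for that name.
func (ca *SpecializedCA) VerifyInstanceCert(der []byte, dns string, now time.Time) error {
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dns, CurrentTime: now, KeyUsages: ca.template.ExtKeyUsage})
	return err
}

// NewInstanceKey generates the joining instance's own key pair; the private half never reaches the CA.
func NewInstanceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
```

Two points a practitioner should take from the structure: because the only durable copy of the CA key is the wrapped blob, the CA process can be re-hosted on any control-plane host that can reach the data store and the HSM, which is where the "highly available" property comes from; and because the CA holds exactly one template, a request for any other certificate type is refused before the key is ever unwrapped, so a compromised caller of the endpoint cannot turn the node-certificate CA into a general-purpose one. The claim has the HSM hand the decrypted key to the CA for signing, which this example mirrors; keeping the signing operation inside the HSM instead would be the stricter design, and the check `VerifyInstanceCert` performs is the one every peer in the cluster must do before trusting a newly added instance.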