CPC H04L 9/3265 (2013.01) [H04L 9/3073 (2013.01)] | 16 Claims
1. A computer-implemented method to automatically rotate a certificate authority (CA) of a public key infrastructure (PKI) hierarchy, comprising:
creating a plurality of CA meta-resources that correspond to a plurality of CAs, wherein:
a first CA meta-resource of the plurality of CA meta-resources corresponds to the CA, includes a first reference to the CA, and is configured to maintain and monitor a plurality of CA information associated with the CA; and
the plurality of CA information includes a first status associated with the first reference to the CA;
determining, using the first CA meta-resource and based at least in part on the plurality of CA information, that the CA is to be rotated with a new CA;
automatically creating the new CA, based at least in part on the plurality of CA information, to replace the CA;
activating the new CA;
creating a second reference in the first CA meta-resource to the new CA;
assigning, in the first CA meta-resource, a second status associated with the second reference to the new CA as active, such that calls to the first CA meta-resource for issuance of a certificate are assigned to the new CA;
modifying the first status associated with the first reference to the CA to deactivated;
notifying, by the first CA meta-resource, a trust store associated with the PKI hierarchy of the new CA;
distributing trust of the new CA to the PKI hierarchy;
identifying an issue with the PKI hierarchy in connection with the new CA; and
based at least in part on the identification of the issue:
modifying the second status associated with the second reference to the new CA to deactivated; and
modifying the first status associated with the first reference to the CA to activated, such that calls to the first CA meta-resource for issuance of certificates are assigned to the CA.
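The rotation and rollback flow of claim 1, as an added Python model that is not part of the patent or any product: the meta-resource keeps one reference per CA with a status, routes issuance calls to the single active reference, rotates when the monitored expiry is close, notifies the trust store, and swaps the statuses back when an issue is identified. The names CARef, CAMetaResource, rotate and rollback, and the integer day-number clock, are assumptions of this example.

```python
from dataclasses import dataclass

# Hypothetical model names (CARef, CAMetaResource), not taken from the patent text.
# Time is modelled as integer day numbers to keep the example self-contained.
@dataclass
class CARef:
    ca_id: str
    not_after: int          # day number on which the CA certificate expires
    status: str = "active"  # "active" or "deactivated"

class CAMetaResource:
    """Monitors a CA, rotates it when due, routes issuance, and rolls back on issues."""

    def __init__(self, ca_id, not_after, trust_store, rotate_before=30):
        self.refs = [CARef(ca_id, not_after)]  # first reference, status active
        self.trust_store = trust_store  # set of CA ids trusted across the PKI hierarchy
        self.trust_store.add(ca_id)
        self.rotate_before = rotate_before  # rotate when fewer days than this remain

    def active_ca(self):
        active = [r for r in self.refs if r.status == "active"]
        if len(active) != 1:
            raise RuntimeError("expected exactly one active CA reference")
        return active[0]

    def should_rotate(self, today):
        # Rotation decision taken from the monitored CA information (expiry here).
        return self.active_ca().not_after - today < self.rotate_before

    def issue(self, subject):
        # Issuance calls on the meta-resource are routed to the active reference.
        return subject, self.active_ca().ca_id

    def rotate(self, today, lifetime=365):
        old = self.active_ca()
        new = CARef(f"{old.ca_id}-r{len(self.refs)}", today + lifetime)  # built from old CA info
        self.refs.append(new)  # second reference, status active
        old.status = "deactivated"  # first reference now deactivated
        self.trust_store.add(new.ca_id)  # notify trust store; distribute trust of the new CA
        return new.ca_id

    def rollback(self):
        # An issue was identified with the new CA: swap the two statuses back.
        new, old = self.refs[-1], self.refs[-2]
        new.status, old.status = "deactivated", "active"
        return old.ca_id

    def statuses(self):
        return {r.ca_id: r.status for r in self.refs}
```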