公开(公告)号：US11997222B1

公开(公告)日：2024-05-28

申请号：US17732362

申请日：2022-04-28

Applicant: Amazon Technologies, Inc.

Inventor： Peter Zachary Bowen ,  Todd Lawrence Cignetti ,  Preston Anthony Elder, III ,  Brandonn Gorman ,  Ronald Andrew Hoskinson ,  Jonathan Kozolchyk ,  Kenneth Lawler ,  Marcel Andrew Levy ,  Kyle Benjamin Schultheiss ,  Sandeep Shantharaj ,  Param Sharma ,  Jose Maria Silveira Neto

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/3268 ,  H04L9/0897 ,  H04L9/3247 ,  H04L9/3297

Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by private certificate authorities. A private certificate authority hosted by the computing resource service provider is able to issue signed certificates to network entities within the customer enterprise. The certificate management service provides a network-accessible application programming interface to the private certificate authority that allows applications to create and deploy private certificates programmatically. The system provides the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.

公开(公告)号：US11563590B1

公开(公告)日：2023-01-24

申请号：US16018009

申请日：2018-06-25

Applicant: Amazon Technologies, Inc.

Inventor： Peter Zachary Bowen ,  Todd Lawrence Cignetti ,  Preston Anthony Elder, III ,  Brandonn Gorman ,  Ronald Andrew Hoskinson ,  Jonathan Kozolchyk ,  Kenneth Lawler ,  Marcel Andrew Levy ,  Kyle Benjamin Schultheiss ,  Sandeep Shantharaj ,  Param Sharma ,  Jose Maria Silveira Neto

IPC: H04L9/32

Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, when a new certificate is generated, a certificate template is used to apply various settings and policies for the new certificate. In various examples, templates may be used to establish default values, enforce required and optional values, place restrictions on one or more data fields, and enforce signature requirements. In some embodiments, the template establishes rules for rejecting certificate requests that don't conform to the template.

公开(公告)号：US11888994B1

公开(公告)日：2024-01-30

申请号：US17364232

申请日：2021-06-30

Applicant: Amazon Technologies, Inc.

Inventor： Param Sharma ,  Josh Rosenthol ,  Todd Cignetti ,  Jonathan Kozolchyk

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/3263 ,  H04L9/0825 ,  H04L9/0836 ,  H04L9/0891

Abstract: Described are automated systems and methods for providing a template design for a public-key infrastructure (PKI) system. For example, certain infrastructure information and stored PKI information can be processed to determine a PKI template, which can specify the configuration for a proposed PKI hierarchy. A configurable representation of the proposed PKI hierarchy can be generated and presented to the user, which can facilitate review, modification, and further customization of the proposed PKI hierarchy. Aspects of the present disclosure can also determine costs associated with the proposed PKI hierarchy, and can create and deploy the proposed PKI hierarchy.

公开(公告)号：US11671264B1

公开(公告)日：2023-06-06

申请号：US17024983

申请日：2020-09-18

Applicant: Amazon Technologies, Inc.

Inventor： Todd Cignetti ,  Trevoli Ponds-White ,  Michael S. Slaughter ,  Param Sharma ,  Kyle Benjamin Schultheiss ,  Chris Stoner

IPC: H04L9/40 ,  H04L9/32

CPC classification number: H04L9/3268 ,  H04L9/3247

Abstract: Techniques for validating digital certificate information before signing are described. A method of validating digital certificate information before signing may include generating a to-be-signed (TBS) certificate, providing the TBS certificate to a certificate pre-issuance validation service to perform one or more validations on the TBS certificate, and receiving a request to issue a signed certificate based on the TBS certificate following validation of the TBS certificate by the certificate pre-issuance validation service.

公开(公告)号：US12137175B1

公开(公告)日：2024-11-05

申请号：US17364160

申请日：2021-06-30

Applicant: Amazon Technologies, Inc.

Inventor： Param Sharma ,  Todd Cignetti ,  Josh Rosenthol ,  Jonathan Kozolchyk

IPC: H04L9/32 ,  H04L9/30

Abstract: Described are automated systems and methods for employing certificate authority meta-resources to facilitate automatic renewal and/or rotation of certificates and/or certificate authorities in a PKI hierarchy. For example, embodiments of the present disclosure can provide creating a certificate authority meta-resource, which can maintain and monitor certain information to facilitate automatic renewal and rotation of certificates and/or certificate authorities in a PKI hierarchy. The certificate authority meta-resource can also keep track of the active certificate authorities and certificates to ensure that trust is maintained without manual configuration of the PKI hierarchy.

公开(公告)号：US12088738B2

公开(公告)日：2024-09-10

申请号：US17541998

申请日：2021-12-03

Applicant: Amazon Technologies, Inc.

Inventor： Josh Rosenthol ,  Param Sharma ,  Kyle Benjamin Schultheiss ,  Marcel Andrew Levy ,  Todd Cignetti

IPC: G06F21/00 ,  H04L9/08 ,  H04L9/32 ,  H04L9/40

CPC classification number: H04L9/3268 ,  H04L9/0825 ,  H04L9/3213 ,  H04L63/102 ,  H04L63/20

Abstract: Techniques are described for enabling users of a certificate management service to create certificate issuance policies that can be applied to certificate issuance requests across both public and private certificate authorities (CAs) and other certificate-related services. According to embodiments described herein, a certificate issuance policy includes one or more certificate issuance rules to be applied to requests associated with one or more specified user accounts or roles for certificate-related resources (e.g., public certificates, private certificates, etc.). The application of a certificate issuance rule can be conditioned on a particular request context (e.g., based on a user account or role associated with a request, a type of certificate requested, a subject name identified in the request, etc.) and can specify a wide range of actions to be performed on requests matching a rule (e.g., allowing or denying a request, modifying one or more parameters of the request, etc.).

公开(公告)号：US12034872B1

公开(公告)日：2024-07-09

申请号：US17411740

申请日：2021-08-25

Applicant: Amazon Technologies, Inc.

Inventor： Param Sharma ,  Todd Cignetti

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/3268 ,  H04L9/0825 ,  H04L9/0861

Abstract: Techniques for providing specialized certificate authorities are described. A method of providing specialized certificate authorities may include receiving a request to generate a private certificate at a specialized certificate authority, the specialized certificate authority configured to generate only one type of digital certificate using a user-specified template, generating a certificate based on the customer-specified template, and returning the certificate.

公开(公告)号：US12166904B1

公开(公告)日：2024-12-10

申请号：US17957665

申请日：2022-09-30

Applicant: Amazon Technologies, Inc.

Inventor： Trevor Freeman ,  Param Sharma ,  Todd Cignetti

IPC: H04L9/32 ,  H04L9/00

Abstract: Approaches presented herein relate to the management of secure secrets, such as digital certificates. When an operation is performed by a certificate authority (CA) with respect to a digital certificate, information for the operation is written to a blockchain (or other distributed and verifiable ledger) in addition to a secure database accessible to the CA. The ability of an external party to access the blockchain and independently verify information about a digital certificate can help to increase a level or assurance in the integrity of the CA, which can be important when an entity wants to act as (or offer) their own private certificate authority. Information in the blockchain can also help to identify “dark” certificates, which may appear valid but were not issued by a CA using a valid and secure process, and thus can be identified by a lack of valid transactions included in the corresponding blockchain.

公开(公告)号：US11888997B1

公开(公告)日：2024-01-30

申请号：US16018014

申请日：2018-06-25

Applicant: Amazon Technologies, Inc.

Inventor： Peter Zachary Bowen ,  Todd Lawrence Cignetti ,  Preston Anthony Elder, III ,  Brandonn Gorman ,  Ronald Andrew Hoskinson ,  Jonathan Kozolchyk ,  Kenneth Lawler ,  Marcel Andrew Levy ,  Kyle Benjamin Schultheiss ,  Sandeep Shantharaj ,  Param Sharma ,  Jose Maria Silveira Neto

IPC: H04L9/32 ,  H04L9/08

CPC classification number: H04L9/3268 ,  H04L9/0897 ,  H04L9/3247 ,  H04L9/3297

Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, customers may use the certificate management service to generate private certificate authority which can issue signed certificates to network entities within the customer enterprise. In an embodiment, the private certificate authority is hosted by the computing resource service provider, and the certificate management service automates the renewal and management of active certificates. In an embodiment, the certificate management service allows customer applications to create, renew, and revoke certificates issued by both private and public certificate authorities via an application programming interface.

公开(公告)号：US11533185B1

公开(公告)日：2022-12-20

申请号：US16910010

申请日：2020-06-23

Applicant: Amazon Technologies, Inc.

Inventor： Param Sharma ,  Jonathan Kozolchyk ,  Todd Cignetti ,  Kyle Benjamin Schultheiss ,  Josh Rosenthol ,  Jose Maria Silveira Neto ,  Yiwen Wu

IPC: H04L9/32

Abstract: Systems and method for generating and managing certificate authorities. For instance, a certificate service may provide one or more user interfaces for creating certificate authorities, such as a root certificate authority, a subordinate certificate authority, and/or an intermediate certificate authority. For example, a user may use a user device to create a certificate hierarchy. The certificate service may also provide one or more user interfaces for issuing certificates using the certificate authorities. One or more computing resources may then use the end-entity certificates issued from the certificate authority hierarchy for authentication and/or encryption. For security purposes, the certificate authority may also allow the user to set policies representing users that are able to access and/or utilize the certificate authorities to perform actions, such as issuing certificates. The certificate service may also generate audit reports indicating certificates that are created using the certificate authorities.