Secure certificate chain transition

US12470405B2 · US · B2

Patent metadata
FieldValue
Publication numberUS-12470405-B2
Application numberUS-202418589143-A
CountryUS
Kind codeB2
Filing dateFeb 27, 2024
Priority dateFeb 27, 2024
Publication dateNov 11, 2025
Grant dateNov 11, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments provide proxies or other servers in a computing network with independent certificate chains which facilitate mitigation of certificate problems. Independence criteria are enforced against two or more installed certificate chains on a given server, identifying and avoiding dependencies such as cross-certification, shared certificate authorities, shared revocation lists, or shared certificate status protocol endpoints between the certificate chains. Some embodiments serve independent certificates concurrently in an active-active certificate server configuration. The certificate chains' coexistence and their independence from one another facilitate transitioning the network from a failing issuer or a failed chain to a chain that works better, thereby improving network resilience and limiting damage from certificate problems. By dynamically updating certificate bindings, some embodiments also facilitate safe deployment of new certificates during migration from one issuer to another. Certificate distributions are computed from issuer ratios, network topology, or both.

First claim

Opening claim text (preview).

What is claimed is:

1. A method of managing, in a computing network, certificates issued by certificate authorities, the method comprising automatically: establishing or ascertaining a first certificate chain which comprises a first binding between a first certificate issued by a first certificate authority and an identity in the computing network, such that the first certificate authority is specified in the first certificate, and the first certificate belongs to a first certificate chain; establishing or ascertaining a second certificate chain which comprises a second binding between a second certificate issued by a second certificate authority and the identity, such that the first binding and the second binding coexist in the computing network, the second certificate authority is specified in the second certificate, the second certificate belongs to a second certificate chain, and the first certificate chain and the second certificate chain are independent from one another in that: the certificate chains do not share any root certificate with each other, and the certificate chains do not share any intermediate certificate authority certificate with each other; selecting between the first certificate and the second certificate; serving the selected certificate; wherein the first certificate and the second certificate are issued by at least two certificate servers in an active-active certificate server configuration; and wherein during at least two time periods of no more than five minutes in duration, the time periods being separated by at least ten minutes and no more than thirty minutes, the active-active certificate server configuration serves the first certificate in multiple instances interleaved with multiple instances of serving the second certificate.

2. The method of claim 1, further comprising verifying that the first certificate chain and the second certificate chain are independent from one another, prior to serving the selected certificate, or atomically with the selecting, or both.

3. The method of claim 1, wherein selecting between the first certificate and the second certificate comprises selecting according to at least one of: a percentage allocated to the chain of the selected certificate; a topology of the computing network; or a random or quasi-random variable.

4. The method of claim 1, further comprising detecting that one of the issuers is an unhealthy issuer according to a health metric, and wherein the selecting does not select a certificate that is in a chain of the unhealthy issuer.

5. The method of claim 1, wherein over multiple instances of the selecting the method comprises incrementally altering a selection percentage of a particular issuer.

6. A computing system configured to manage, in a computing network, certificates issued by certificate authorities, the computing system comprising: at least one digital memory; at least two certificate servers in an active-active certificate server configuration; and at least one hardware processor in operable communication with the at least one digital memory, the at least one hardware processor configured to perform a certificate management method which comprises: (a) establishing or ascertaining a first certificate chain which comprises a first binding between a first certificate issued by a first certificate authority and an identity in the computing network, such that the first certificate authority is specified in the first certificate, and the first certificate belongs to a first certificate chain; (b) establishing or ascertaining a second certificate chain which comprises a second binding between a second certificate issued by a second certificate authority and the identity, such that the first binding and the second binding coexist in the computing network, the second certificate authority is specified in the second certificate, the second certificate belongs to a second certificate chain, and the first certificate chain and the second certificate chain are independent from one another in that: the certificate chains do not share any root certificate with each other, and the certificate chains do not share any intermediate certificate authority certificate with each other; (c) selecting between the first certificate and the second certificate; (d) serving the selected certificate; and (e) wherein, during at least two time periods of no more than five minutes in duration, the time periods being separated by at least ten minutes and no more than thirty minutes, the active-active certificate server configuration serves the first certificate in multiple instances interleaved with multiple instances of serving the second certificate.

7. The computing system of claim 6, wherein the identity comprises at least one of: a domain name; an IP address; a port identifier; a server name indication; or a client identity.

8. The computing system of claim 6, wherein each of the certificate chains is also independent of each of the other certificate chains in that no certificate in the certificate chain of one of the certificate authorities is signed by a certificate of any other of the certificate authorities.

9. The computing system of claim 6, wherein each of the certificate chains is also independent of each of the other certificate chains in that the certificate chains do not share any certificate revocation list with each other.

10. The computing system of claim 6, wherein each of the certificate chains is also independent of each of the other certificate chains in that the certificate chains do not share any certificate revocation list distribution point with each other.

11. The computing system of claim 6, wherein each of the certificate chains is also independent of each of the other certificate chains in that the certificate chains do not share any online certificate status protocol endpoint with each other.

12. The computing system of claim 6, wherein the identity comprises a server name indication.

13. The computing system of claim 6, wherein the active-active certificate server configuration comprises at least two gateway machines in machines configured to perform the certificate management method.

14. The computing system of claim 6, wherein the computing system is further configured to verify that the first certificate chain and the second certificate chain are independent from one another, prior to serving the selected certificate, or atomically with the selecting, or both.

15. A non-transitory computer-readable storage device configured with data and instructions which upon execution by a processor perform a method of managing, in a computing network, certificates issued by certificate authorities, the method comprising automatically: establishing or ascertaining a first certificate chain which comprises a first binding between a first certificate issued by a first certificate authority and an identity in the computing network, such that the first certificate authority is specified in the first certificate, and the first certificate belongs to a first certificate chain; establishing or ascertaining a second certificate chain which comprises a second binding between a second certificate issued by a second certificate authority and the identity, such that the first binding and the second binding coexist in the computing network, the second certificate authority is specified in the second certificate, the second certificate belongs to a second certificate chain, and the first certificate chain and the second certificate chain are independent from one another in that
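The abstract and claims above describe two mechanisms: an independence check between installed chains (no shared root, no shared intermediate, no cross-signature, no shared CRL distribution point or OCSP endpoint, verified before a certificate is served) and a selection step that picks an issuer by allocated percentage, skips an issuer flagged unhealthy, and ramps the percentage during a migration. The block below is an added illustration of both, not code from the patent or from Microsoft. It assumes a small dataclass standing in for the fields one would read from parsed X.509 certificates (subject, issuer, a fingerprint, CRL distribution points, OCSP URIs); the three sample chains, their names and URLs are constructed for the example. The function names are hypothetical.

```python
"""Chain-independence check and weighted issuer selection for several
certificate chains bound to one identity, after the criteria in the abstract
and claims of US12470405B2.  Added illustration, not code from the patent or
from Microsoft.  Certificate fields are modelled with a small dataclass (an
assumption); in practice they come from the parsed X.509 certificates."""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations
import random

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str                    # stands in for the SHA-256 of the DER
    crl_dps: frozenset = frozenset()    # CRL distribution point URIs
    ocsp: frozenset = frozenset()       # OCSP responder URIs

def independence_violations(chain_a, chain_b):
    """Reasons two chains (each ordered leaf -> root) are NOT independent;
    an empty list means every criterion holds."""
    reasons = []
    if chain_a[-1].fingerprint == chain_b[-1].fingerprint:
        reasons.append("shared root certificate")
    if {c.fingerprint for c in chain_a[1:-1]} & {c.fingerprint for c in chain_b[1:-1]}:
        reasons.append("shared intermediate CA certificate")
    # Cross-certification (claim 8): a certificate in one chain names a CA of
    # the other chain as its issuer.
    cas_a = {c.subject for c in chain_a[1:]}
    cas_b = {c.subject for c in chain_b[1:]}
    if any(c.issuer in cas_b for c in chain_a) or any(c.issuer in cas_a for c in chain_b):
        reasons.append("cross-signed or shared CA name")
    # Shared revocation infrastructure (claims 9-11): one CRL or OCSP outage
    # would then break both chains at once.
    def urls(chain, attr):
        return set().union(*(getattr(c, attr) for c in chain))
    if urls(chain_a, "crl_dps") & urls(chain_b, "crl_dps"):
        reasons.append("shared CRL distribution point")
    if urls(chain_a, "ocsp") & urls(chain_b, "ocsp"):
        reasons.append("shared OCSP endpoint")
    return reasons

def verify_chains(chains):
    """Pairwise check of every installed chain (claim 2, run before serving).
    Returns {(name_a, name_b): reasons} for failing pairs; empty means OK."""
    failures = {}
    for (na, ca), (nb, cb) in combinations(chains.items(), 2):
        bad = independence_violations(ca, cb)
        if bad:
            failures[(na, nb)] = bad
    return failures

def select_issuer(percentages, unhealthy=frozenset(), rng=random):
    """Pick an issuer by allocated percentage (claim 3), never one the health
    metric has flagged (claim 4)."""
    eligible = [(n, p) for n, p in percentages.items() if n not in unhealthy and p > 0]
    if not eligible:
        raise RuntimeError("no healthy issuer with a non-zero allocation")
    names, weights = zip(*eligible)
    return rng.choices(names, weights=weights, k=1)[0]

def shift_allocation(percentages, frm, to, step):
    """Move `step` percentage points between issuers: one increment of a migration ramp (claim 5)."""
    moved = min(step, percentages[frm])
    updated = dict(percentages)
    updated[frm] -= moved
    updated[to] += moved
    return updated

def simulate(percentages, n, seed, unhealthy=frozenset()):
    """Count how often each issuer is chosen over n selections (seeded, repeatable)."""
    rng = random.Random(seed)
    return Counter(select_issuer(percentages, unhealthy, rng) for _ in range(n))

# Constructed sample chains for one identity (not real certificates).
ALPHA = (
    Cert("CN=www.example.com", "CN=Alpha Issuing CA", "a1",
         frozenset({"http://crl.alpha.example/issuing.crl"}), frozenset({"http://ocsp.alpha.example"})),
    Cert("CN=Alpha Issuing CA", "CN=Alpha Root", "a2", frozenset({"http://crl.alpha.example/root.crl"})),
    Cert("CN=Alpha Root", "CN=Alpha Root", "a3"),
)
BETA = (
    Cert("CN=www.example.com", "CN=Beta Issuing CA", "b1",
         frozenset({"http://crl.beta.example/issuing.crl"}), frozenset({"http://ocsp.beta.example"})),
    Cert("CN=Beta Issuing CA", "CN=Beta Root", "b2", frozenset({"http://crl.beta.example/root.crl"})),
    Cert("CN=Beta Root", "CN=Beta Root", "b3"),
)
# Own root and intermediate, but revocation services borrowed from Alpha:
# independent by CA, dependent in practice, so the check must reject it.
GAMMA = (
    Cert("CN=www.example.com", "CN=Gamma Issuing CA", "g1",
         frozenset({"http://crl.gamma.example/issuing.crl"}), frozenset({"http://ocsp.alpha.example"})),
    Cert("CN=Gamma Issuing CA", "CN=Gamma Root", "g2", frozenset({"http://crl.alpha.example/root.crl"})),
    Cert("CN=Gamma Root", "CN=Gamma Root", "g3"),
)
```

With these inputs, verify_chains over alpha and beta returns no failures, while adding gamma reports the pair (alpha, gamma) as sharing a CRL distribution point and an OCSP endpoint, the case claims 9 to 11 are aimed at and the one most often missed when two issuers merely look distinct. A migration from alpha to beta is then a loop of shift_allocation calls between selections, with the unhealthy set populated from whatever health metric the deployment uses; the identity here is a DNS name, but claim 7 allows the same bindings for an IP address, port, SNI value or client identity.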

Assignees

  • Microsoft Technology Licensing Llc

Inventors

Classifications

  • using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title

  • using certificates · CPC title

  • Protecting data integrity, e.g. using checksums, certificates or signatures · CPC title

  • H04L9/3265 (primary): using certificate chains, trees or paths; Hierarchical trust model · CPC title

  • using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12470405B2 cover?
Some embodiments provide proxies or other servers in a computing network with independent certificate chains which facilitate mitigation of certificate problems. Independence criteria are enforced against two or more installed certificate chains on a given server, identifying and avoiding dependencies such as cross-certification, shared certificate authorities, shared revocation lists, or share…
Who is the assignee on this patent?
Microsoft Technology Licensing Llc
What technology area does this patent fall under?
Primary CPC classification H04L9/3265. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 11, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).