Device certificate management for zero touch deployment in an enterprise network
US-2023299979-A1 · Sep 21, 2023 · US
US12513005B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12513005-B2 |
| Application number | US-202418662429-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 13, 2024 |
| Priority date | May 16, 2023 |
| Publication date | Dec 30, 2025 |
| Grant date | Dec 30, 2025 |
Official abstract text for this publication.
A method of providing access to a hardware security module (HSM) partition may include receiving a request for access to the HSM partition from a client device. The request may include a leaf certificate signed with a public key associated with a user and a secret key associated with the client device. The method may include verifying the request using the leaf certificate and a trust anchor certificate signed with a public key associated with the client device. The method may include establishing a first connection between the HSM partition and the client device. The method may include verifying the request using the leaf certificate and an authentication certificate stored on the HSM partition. The method may include establishing a second connection between the client device and the HSM partition such that the computing system that received the request is isolated from the second connection.
Opening claim text (preview).
What is claimed is:
1. A method of providing access to a hardware security module (HSM) partition, comprising: receiving, by a control server of a computing system, request for access to the HSM partition from a client device, the request comprising a leaf certificate signed with a public key associated with a user and a secret key associated with the client device; verifying, by the control server of the computing system, the request using the leaf certificate and a trust anchor certificate signed with a public key associated with the client device; in response to verifying the leaf certificate: establishing, by the control server of the computing system, a first connection between the HSM partition and the client device; verifying, by a service executed on the HSM partition, the request using the leaf certificate and an authentication certificate stored on the HSM partition; and in response to verifying the request the leaf certificate and the authentication certificate stored on the HSM partition: establishing, by the computing system, a second connection between the client device and the HSM partition such that the computing system is isolated from the second connection.
2. The method of claim 1, wherein at least one of the first connection and the second connection is made via a private endpoint of a private cloud network.
3. The method of claim 2, wherein the private endpoint comprises an undiscoverable IP address.
4. The method of claim 1, wherein at least one of the first connection and the second connection is made via a load balancer with a public IP address.
5. The method of claim 4, wherein the load balancer comprises a port associated with the HSM partition.
6. The method of claim 1, wherein one or more replica partitions are hosted on respective HSMs, the replica partitions identical to the HSM partition.
7. The method of claim 1, wherein the second connection is used to receive instructions to create users and/or create keys.
8. The method of claim 1, wherein the first connection comprises an mTLS connection.
9. The method of claim 1, wherein the second connection comprises a TLS connection.
10. A system, comprising: one or more processors; a control server; a certificate service; and a computer memory comprising instructions that, when executed by the one or more processors cause the system to perform operations to: receive, by the control server, request for access to an HSM partition from a client device, the request comprising a leaf certificate signed with a public key associated with a user and a secret key associated with the client device; verify, by the control server, the request using the leaf certificate and a trust anchor certificate signed with a public key associated with the client device; in response to verifying the leaf certificate: establish, by the control server, a first connection between the HSM partition and the client device; verify, by the certificate service executed on the HSM partition, the request using the leaf certificate and an authentication certificate stored on the HSM partition; and in response to verifying the request the leaf certificate and an authentication certificate stored on the HSM partition: establish, by the control server, a second connection between the client device and the HSM partition.
11. The system of claim 10, wherein at least one of the first connection and the second connection is made via a private endpoint of a private cloud network.
12. The system of claim 11, wherein the private endpoint comprises an undiscoverable IP address.
13. The system of claim 10, wherein at least one of the first connection and the second connection is made via a load balancer with a public IP address.
14. The system of claim 13, wherein the load balancer comprises a port associated with the HSM partition.
15. The system of claim 10, wherein one or more replica partitions are hosted on respective HSMs, the replica partitions identical to the HSM partition.
16. The system of claim 10, wherein the second connection is used to receive instructions to create users and/or create keys.
17. A non-transitory computer-readable memory comprising instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving, by a control server of a computing system, request for access to an HSM partition from a client device, the request comprising a leaf certificate signed with a public key associated with a user and a secret key associated with the client device; verifying, by the control server of the computing system, the request using the leaf certificate and a trust anchor certificate signed with a public key associated with the client device; in response to verifying the leaf certificate: establishing, by the control server of the computing system, a first connection between the HSM partition and the client device; verifying, by a service executed on the HSM partition, the request using the leaf certificate and an authentication certificate stored on the HSM partition; and in response to verifying the request the leaf certificate and an authentication certificate stored on the HSM partition: establishing, by the computing system, a second connection between the client device and the HSM partition such that the computing system is isolated from the second connection.
18. The non-transitory computer-readable memory of claim 17, wherein at least one of the first connection and the second connection is made via a private endpoint of a private cloud network.
19. The non-transitory computer-readable memory of claim 18, wherein the private endpoint comprises an undiscoverable IP address.
20. The non-transitory computer-readable memory of claim 17, wherein at least one of the first connection and the second connection is made via a load balancer with a public IP address.
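The two-stage check described in the abstract and in claims 1, 10 and 17 (control server verifies the leaf against an enrolled trust anchor; the partition's own service then verifies the same leaf against a certificate stored on the partition) can be exercised with standard X.509 tooling. The Go program below is an added example written for this page, not code from the patent or its assignee. It assumes that the claims' "leaf certificate signed with a public key associated with a user and a secret key associated with the client device" is an ordinary X.509 leaf whose subject key is the user's and whose signature is made with the device's private key; that the "trust anchor certificate" is the device's self-signed root as enrolled at the control server; and that the "authentication certificate stored on the HSM partition" is a separately pinned certificate the partition trusts on its own. The type and function names (Device, ControlServer, Partition, RequestAccess, Scenario) and the sample devices are this example's constructions; the mTLS first connection and the isolated second connection are not modelled, only the two trust decisions that gate them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device models a client device: its key pair plus a self-signed trust anchor.
type Device struct {
	key    *ecdsa.PrivateKey
	Anchor *x509.Certificate
}

// NewDevice generates a P-256 device key and its self-signed trust anchor.
func NewDevice(name string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name + " trust anchor"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	anchor, err := x509.ParseCertificate(der)
	return &Device{key: key, Anchor: anchor}, err
}

// IssueLeaf binds the user's public key into a client-auth leaf certificate
// signed by the device's private key (the claims' "leaf certificate").
func (d *Device) IssueLeaf(user string, userPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, t, d.Anchor, userPub, d.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo validates leaf as a client-auth cert against exactly these roots (no system roots).
func chainsTo(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// ControlServer holds the trust anchors of every enrolled device (stage 1);
// Partition holds the one authentication certificate pinned on it (stage 2).
type ControlServer struct{ Anchors []*x509.Certificate }
type Partition struct{ AuthCert *x509.Certificate }

// RequestAccess runs both checks in the claimed order: 0 = granted, 1 = rejected by the
// control server (no first connection), 2 = rejected by the partition's own check.
func RequestAccess(cs *ControlServer, p *Partition, leaf *x509.Certificate) (int, error) {
	if err := chainsTo(leaf, cs.Anchors...); err != nil {
		return 1, fmt.Errorf("control server: %w", err)
	}
	if err := chainsTo(leaf, p.AuthCert); err != nil {
		return 2, fmt.Errorf("partition: %w", err)
	}
	return 0, nil
}

// Scenario (constructed input): devices A and B are enrolled with the control
// server, only A's anchor is pinned on the partition, and C is unenrolled.
func Scenario() (fromA, fromB, fromC int, err error) {
	user, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	devs, leaves := [3]*Device{}, [3]*x509.Certificate{}
	for i, name := range []string{"device-A", "device-B", "device-C"} {
		if devs[i], err = NewDevice(name); err != nil {
			return
		}
		if leaves[i], err = devs[i].IssueLeaf("alice", &user.PublicKey); err != nil {
			return
		}
	}
	cs := &ControlServer{Anchors: []*x509.Certificate{devs[0].Anchor, devs[1].Anchor}}
	part := &Partition{AuthCert: devs[0].Anchor}
	fromA, _ = RequestAccess(cs, part, leaves[0])
	fromB, _ = RequestAccess(cs, part, leaves[1])
	fromC, _ = RequestAccess(cs, part, leaves[2])
	return
}

func main() {
	fmt.Println(Scenario()) // 0 2 1 <nil>
}
```

The point to take from the run is that the partition's decision is independent of the control server's: device B is enrolled at the control server and clears stage 1, yet its leaf stops at stage 2 because the partition pins only device A's certificate, so an attacker who can add an anchor to the control server's list still cannot reach a partition that does not trust it. The claims say nothing about how the partition-side certificate is rotated or revoked; a reviewer of a real deployment would want that answered before relying on the second check.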
using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title
using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM] · CPC title
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title
involving additional devices, e.g. trusted platform module [TPM], smartcard or USB · CPC title
involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823) · CPC title