Details for Patent: 9,729,321
Title: Autonomous private key recovery
Abstract: Approaches described herein allow a stateless device to recover at least one private key. In particular, a stateless device can provide service-account credentials to a directory service to establish a first session and acquire a certificate and private key using information associated with the stateless device. The stateless device can store its private key before the first session ends. A stateless device can then provide user-account credentials to the directory service to establish a second session. After the second session begins, a private key can be acquired by the stateless device.
Inventor(s): Mayers; Christopher Morgan (Histon, GB)
Assignee: CITRIX SYSTEMS, INC. (Fort Lauderdale, FL)
Filing Date: Apr 29, 2015
Application Number: 14/699,712
Claims:
1. A device having one or more processors, the device comprising: a memory configured to store account credentials; and a stateless machine comprising one or more certificate-using services and a certificate distributor that is configured to: provide a directory service with the account credentials associated with the one or more certificate-using services for establishing a first session; acquire a certificate and a private key using the account credentials and information associated with the stateless machine; store the private key in the directory service before the first session ends; provide the directory service with user-account credentials for establishing a second session, wherein the user-account credentials are associated with a device hosting the stateless machine; and acquire the private key, using credential roaming, after the second session begins.
2. The device of claim 1, wherein the account credentials are provided to log on to a domain that includes the directory service.
3. The device of claim 1, wherein the user-account credentials are provided to log on to a domain that includes the directory service.
4. The device of claim 1, wherein the private key is stored in the directory service using a credential roaming mechanism, and wherein the private key is acquired after the second session begins using the credential roaming mechanism.
5. The device of claim 1, wherein the certificate distributor is included in the stateless machine.
6. The device of claim 1, wherein the memory configured to store account credentials is persistent.
7. The device of claim 1, wherein the certificate distributor is further configured to receive the private key before an autoenrollment mechanism is executed on the certificate distributor.
8. A method for recovering a private key, the method being performed by one or more processors associated with a stateless machine and comprising: providing a directory service with account credentials associated with one or more certificate-using services of the stateless machine for establishing a first session; acquiring a certificate and a private key using the account credentials and information associated with the stateless machine; storing the private key in the directory service before the first session ends; providing the directory service with user-account credentials for establishing a second session, wherein the user-account credentials are associated with a device hosting the stateless machine; and acquiring the private key, using credential roaming, after the second session begins.
9. The method of claim 8, wherein the account credentials are provided to log on to a domain that includes the directory service.
10. The method of claim 8, wherein the user-account credentials are provided to log on to a domain that includes the directory service.
11. The method of claim 8, wherein the private key is stored in the directory service using a credential roaming mechanism, and wherein the private key is acquired after the second session begins using the credential roaming mechanism.
12. The method of claim 8, wherein providing the directory service with account credentials is performed by a certificate distributor included in the stateless machine.
13. The method of claim 8, wherein memory is configured to store account credentials and is persistent.
14. The method of claim 8, wherein a certificate distributor is configured to receive the private key before an autoenrollment mechanism is executed on the certificate distributor.
15. A nontransitory computer readable storage medium storing a set of instructions that are executable by at least one processor associated with a stateless machine, to cause the stateless machine to perform a method for recovering a private key, the method comprising: providing a directory service with account credentials associated with the one or more certificate-using services of the stateless machine for establishing a first session; acquiring a certificate and a private key using the account credentials and information associated with the stateless machine; storing the private key in the directory service before the first session ends; providing the directory service with user-account credentials for establishing a second session, wherein the user-account credentials are associated with a device hosting the stateless machine; and acquiring the private key, using credential roaming, after the second session begins.
16. The nontransitory computer readable storage medium of claim 15, wherein the account credentials are provided to log on to a domain that includes the directory service.
17. The nontransitory computer readable storage medium of claim 15, wherein the user-account credentials are provided to log on to a domain that includes the directory service.
18. The nontransitory computer readable storage medium of claim 15, wherein the private key is stored in the directory service using a credential roaming mechanism, and wherein the private key is acquired after the second session begins using the credential roaming mechanism.
19. The nontransitory computer readable storage medium of claim 15, wherein memory configured to store account credentials is persistent.
20. The nontransitory computer readable storage medium of claim 15, wherein a certificate distributor of the stateless machine is configured to receive the private key before an autoenrollment mechanism is executed on the certificate distributor.