Title of invention: Cryptographic material renewal
Abstract: A method and apparatus for renewing cryptographic material are disclosed. In the method and apparatus a cryptographic material renewal entity of a computing resource service provider detects that cryptographic material stored by a secure module is to be renewed. Renewing the cryptographic material may include rekeying a private key associated with a certificate. Further, a digital certificate may be renewed, and the renewed certificate may be provided for use by the computing resource. The cryptographic material is used to fulfill requests made by a computing resource provisioned by the computing resource service provider for a customer. The renewed cryptographic material is provided to the secure module, whereby the renewed cryptographic material is used by the secure module to fulfill further requests made by the computing resource.
Publication number: US9552485(B1) Publication date: 2017.01.24
Application number: US201414520168 Filing date: 2014.10.21
Applicant: Amazon Technologies, Inc. Inventors: Cignetti Todd Lawrence;Doane Andrew Jeffrey;Popoveniuc Stefan;Estes Matthew Allen;Schoof Alexander Edward;Fitzgerald Robert Eric;Bowen Peter Zachary
Classification: H04L29/06;G06F21/60;H04L9/32 Main classification: H04L29/06
Agency: Davis Wright Tremaine LLP Agent: Davis Wright Tremaine LLP
Principal claim: 1. A computer-implemented method for renewing cryptographic material, comprising: under the control of one or more computer systems configured with executable instructions, receiving, from a customer of a plurality of customers of a computing resource service provider, a request to automatically renew cryptographic material made available for use by a virtual computer system provisioned for the customer by the computing resource service provider, the request being made as an application programming interface function call to the computing resource service provider; detecting, by a renewal agent of the computing resource service provider, that the cryptographic material made available for use by the virtual computer system is to be renewed, the detecting being based at least in part on the request to automatically renew the cryptographic material and the cryptographic material being stored by a secure module that includes a datastore and an associated cryptoprocessor configured to perform a set of cryptographic operations using the cryptographic material, the secure module logically attached to the virtual computer system; obtaining renewed cryptographic material; and providing the renewed cryptographic material to the secure module in a manner enabling the virtual computer system to programmatically cause the secure module to use the renewed cryptographic material to perform cryptographic operations, providing the renewed cryptographic material being performed without updating a manner in which the virtual computer system programmatically interacts with the secure module.
Address: Seattle WA US