Title Credentials management in large scale virtual private network deployment
Abstract Techniques for credentials management in large scale virtual private network (VPN) deployment are disclosed. In some embodiments, credentials management in large scale VPN deployment includes generating a public/private key pair and a certificate signing request at a satellite device; automatically communicating the certificate signing request to a portal over a public, untrusted network to authenticate the satellite device using a serial number associated with the satellite device, in which the certificate signing request and the serial number are verified by the portal; and receiving from the portal a certificate for use in establishing VPN connections, together with configuration information for the satellite device, in which the certificate includes a credential signed by a trusted certificate authority, and the configuration information includes gateway configuration information identifying a plurality of gateways to which the satellite device is configured to connect using VPN connections.
Publication number US9306911(B2) Publication date 2016.04.05
Application number US201514596062 Filing date 2015.01.13
Applicant Palo Alto Networks, Inc. Inventors Walter Martin; Campagna Nicholas; Chen Yueh-Zen; Gill Monty Sher
Classification H04L29/06 Main classification H04L29/06
Agency Van Pelt, Yi & James LLP Agent Van Pelt, Yi & James LLP
Independent claim 1. A system for credentials management in large scale virtual private network (VPN) deployment, comprising: a processor of a satellite device configured to: generate a public/private key pair and a certificate signing request; automatically communicate the certificate signing request to a portal over a public, untrusted network to authenticate the satellite device using a serial number associated with the satellite device, wherein the satellite device automatically communicates with the portal at a portal address to register the satellite device with the portal by executing a boot-up process or script, and wherein the certificate signing request and the serial number are verified by the portal; receive a certificate from the portal for using to establish VPN connections and configuration information for the satellite device, wherein the certificate includes a credential signed by the portal as a trusted certificate authority, and wherein the configuration information includes gateway configuration information identifying a plurality of gateways to which the satellite device is configured to connect using VPN connections; and automatically attempt to connect the satellite device to each of the plurality of gateways using the certificate to authenticate the satellite, wherein the satellite attempts to establish VPN connections with each of the plurality of gateways, wherein each of the plurality of gateways verifies the certificate based on Online Certificate Status Protocol (OCSP) status information, and in the event that the certificate is valid and has not been revoked, allows the attempt to establish the VPN connection, and wherein de-authorization of the satellite device includes removing the serial number associated with the satellite device from a portal configuration, and wherein the certificate for the satellite device is automatically revoked; and a memory coupled to the processor and configured to provide the processor with instructions.
Address Santa Clara CA US