DEVICE CERTIFICATE MANAGEMENT FOR ZERO TOUCH DEPLOYMENT IN AN ENTERPRISE NETWORK

Information

  • Patent Application
    20230299979
  • Publication Number
    20230299979
  • Date Filed
    May 25, 2022
  • Date Published
    September 21, 2023
Abstract
Disclosed are techniques for dynamically creating policy-based intermediate certificates to sign device certificates of devices deployed in an enterprise network using Zero Touch Deployment (ZTD). In one aspect, a method includes receiving network policy information to be used for creating policy-based intermediate certificates, each one of the policy-based intermediate certificates being used by a network controller for signing device certificates of a different cluster of connected IoT devices; receiving, from an IoT device, a request for registration with the network controller; based on identifying information of the IoT device included in the request, determining one of the policy-based intermediate certificates to sign a device certificate of the IoT device; and transmitting, to the IoT device, the device certificate signed using the one of the policy-based intermediate certificates.
Description
Claims
  • 1. A method comprising: receiving network policy information to be used for creating policy-based intermediate certificates, each one of the policy-based intermediate certificates being used by a network controller for signing device certificates of a different cluster of connected IoT devices; receiving, from an IoT device, a request for registration with the network controller; based on identifying information of the IoT device included in the request, determining one of the policy-based intermediate certificates to sign a device certificate of the IoT device; and transmitting, to the IoT device, the device certificate signed using the one of the policy-based intermediate certificates.
  • 2. The method of claim 1, further comprising: generating, by the network controller, the policy-based intermediate certificates based on the policy information, the policy information including parameters for organizing the connected IoT devices into a plurality of clusters.
  • 3. The method of claim 2, wherein the parameters include one or more of a device type, device configurations, a geographical location of an IoT device, and a threshold number of IoT devices to be associated with each of the plurality of clusters.
  • 4. The method of claim 3, wherein determining one of the policy-based intermediate certificates for signing the device certificate of the IoT device comprises associating the IoT device with one of the plurality of clusters based on the identifying information of the IoT device, the one of the plurality of clusters being associated with one of the policy-based intermediate certificates.
  • 5. The method of claim 1, wherein each policy-based intermediate certificate is linked to a root certificate issued by a certificate authority.
  • 6. The method of claim 1, further comprising: determining that one or more of the policy-based intermediate certificates are to be revoked; identifying a group of IoT devices associated with each of the one or more of the policy-based intermediate certificates that are to be revoked; revoking signed device certificates for the group of IoT devices; and signing the device certificates for the group of IoT devices using a new policy-based intermediate certificate.
  • 7. The method of claim 1, further comprising: dynamically generating the policy-based intermediate certificates when registration requests from one or more IoT devices are received at the network controller.
  • 8. A network controller, comprising: one or more memories having computer-readable instructions stored therein; and one or more processors configured to execute the computer-readable instructions to: receive network policy information to be used for creating policy-based intermediate certificates, each one of the policy-based intermediate certificates being used by the network controller for signing device certificates of a different cluster of connected IoT devices; receive, from an IoT device, a request for registration with the network controller; based on identifying information of the IoT device included in the request, determine one of the policy-based intermediate certificates to sign a device certificate of the IoT device; and transmit, to the IoT device, the device certificate signed using the one of the policy-based intermediate certificates.
  • 9. The network controller of claim 8, wherein the one or more processors are further configured to execute the computer-readable instructions to generate the policy-based intermediate certificates based on the policy information, the policy information including parameters for organizing the connected IoT devices into a plurality of clusters.
  • 10. The network controller of claim 9, wherein the parameters include one or more of a device type, device configurations, a geographical location of an IoT device, and a threshold number of IoT devices to be associated with each of the plurality of clusters.
  • 11. The network controller of claim 10, wherein the one or more processors are further configured to execute the computer-readable instructions to determine one of the policy-based intermediate certificates for signing the device certificate of the IoT device by associating the IoT device with one of the plurality of clusters based on the identifying information of the IoT device, the one of the plurality of clusters being associated with one of the policy-based intermediate certificates.
  • 12. The network controller of claim 8, wherein the one or more processors are further configured to execute the computer-readable instructions to: determine that one or more of the policy-based intermediate certificates are to be revoked; identify a group of IoT devices associated with each of the one or more of the policy-based intermediate certificates that are to be revoked; revoke signed device certificates for the group of IoT devices; and sign the device certificates for the group of IoT devices using a new policy-based intermediate certificate.
  • 13. The network controller of claim 8, wherein the one or more processors are further configured to execute the computer-readable instructions to dynamically generate the policy-based intermediate certificates when registration requests from one or more IoT devices are received at the network controller.
  • 14. The network controller of claim 8, wherein the network controller is a Zero Touch Deployment (ZTD) controller of a ZTD service used in an enterprise network to on-board and manage connected IoT devices.
  • 15. One or more non-transitory computer-readable media comprising computer-readable instructions, which when executed by one or more processors of a network controller, cause the network controller to: receive network policy information to be used for creating policy-based intermediate certificates, each one of the policy-based intermediate certificates being used by the network controller for signing device certificates of a different cluster of connected IoT devices; receive, from an IoT device, a request for registration with the network controller; based on identifying information of the IoT device included in the request, determine one of the policy-based intermediate certificates to sign a device certificate of the IoT device; and transmit, to the IoT device, the device certificate signed using the one of the policy-based intermediate certificates.
  • 16. The one or more non-transitory computer-readable media of claim 15, wherein execution of the computer-readable instructions by the one or more processors further causes the network controller to generate the policy-based intermediate certificates based on the policy information, the policy information including parameters for organizing the connected IoT devices into a plurality of clusters.
  • 17. The one or more non-transitory computer-readable media of claim 16, wherein the parameters include one or more of a device type, device configurations, a geographical location of an IoT device, and a threshold number of IoT devices to be associated with each of the plurality of clusters.
  • 18. The one or more non-transitory computer-readable media of claim 17, wherein execution of the computer-readable instructions by the one or more processors further causes the network controller to determine one of the policy-based intermediate certificates for signing the device certificate of the IoT device by associating the IoT device with one of the plurality of clusters based on the identifying information of the IoT device, the one of the plurality of clusters being associated with one of the policy-based intermediate certificates.
  • 19. The one or more non-transitory computer-readable media of claim 15, wherein execution of the computer-readable instructions by the one or more processors further causes the network controller to: determine that one or more of the policy-based intermediate certificates are to be revoked; identify a group of IoT devices associated with each of the one or more of the policy-based intermediate certificates that are to be revoked; revoke signed device certificates for the group of IoT devices; and sign the device certificates for the group of IoT devices using a new policy-based intermediate certificate.
  • 20. The one or more non-transitory computer-readable media of claim 15, wherein execution of the computer-readable instructions by the one or more processors further causes the network controller to dynamically generate the policy-based intermediate certificates when registration requests from one or more IoT devices are received at the network controller.
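The registration, clustering and revocation flow described in the abstract and in claims 1 to 7, as an added worked example. This is not code from the application (the page discloses no implementation); it is a small Go program written for this page on top of the standard library's crypto/x509. Everything named here is the example's own assumption: the Controller, RegistrationRequest, Register, RevokeIntermediate and Verify names, the policy key built from two of the claim 3 parameters (device type and location) plus the per-cluster threshold, the 24-hour validity, and the four sample devices. It also goes a little beyond the claims by verifying the resulting chains and by keeping a revocation set that stands in for the CRL a real controller would publish.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RegistrationRequest is the identifying information a device sends (claim 1); field names are assumed.
type RegistrationRequest struct {
	Serial, DeviceType, Location string
	PubKey                       *ecdsa.PublicKey
}

// cluster is one policy-based intermediate CA plus the devices registered through it.
type cluster struct {
	key     string // built from the claim 3 parameters, e.g. "camera/berlin"
	cert    *x509.Certificate
	priv    *ecdsa.PrivateKey
	members []RegistrationRequest
	revoked bool
}

// Controller is a minimal ZTD controller (claim 14); revoked holds what its CRL would publish.
type Controller struct {
	maxPerCluster int // threshold number of devices per cluster (claim 3)
	rootCert      *x509.Certificate
	rootKey       *ecdsa.PrivateKey
	clusters      []*cluster
	Devices       map[string]*x509.Certificate // device serial -> current certificate
	revoked       map[string]bool              // certificate serial -> revoked
}

func must[T any](v T, err error) T { // key generation and DER encoding failures are fatal here
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func caTemplate(cn string, leavesOnly bool) *x509.Certificate { // leavesOnly encodes pathlen:0
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		MaxPathLenZero: leavesOnly, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// sign gives tmpl a random 128-bit serial and a 24h validity window, then issues it under parent
// (parent == tmpl produces the self-signed root).
func sign(tmpl, parent *x509.Certificate, key *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// NewController creates the root certificate that every intermediate links to (claim 5).
func NewController(maxPerCluster int) *Controller {
	c := &Controller{maxPerCluster: maxPerCluster, rootKey: newKey(), Devices: map[string]*x509.Certificate{}, revoked: map[string]bool{}}
	root := caTemplate("ZTD Root CA", false)
	c.rootCert = sign(root, root, c.rootKey, &c.rootKey.PublicKey)
	return c
}

// newCluster mints a fresh intermediate for a policy key on demand (claims 2 and 7).
func (c *Controller) newCluster(key string) *cluster {
	cl := &cluster{key: key, priv: newKey()}
	cn := fmt.Sprintf("ZTD Intermediate %s #%d", key, len(c.clusters)+1)
	cl.cert = sign(caTemplate(cn, true), c.rootCert, c.rootKey, &cl.priv.PublicKey)
	c.clusters = append(c.clusters, cl)
	return cl
}

// issue signs a client-auth device certificate under cl's intermediate and records it.
func (c *Controller) issue(cl *cluster, req RegistrationRequest) *x509.Certificate {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: req.Serial, OrganizationalUnit: []string{cl.key}},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cl.members = append(cl.members, req)
	c.Devices[req.Serial] = sign(tmpl, cl.cert, cl.priv, req.PubKey)
	return c.Devices[req.Serial]
}

// Register maps the request to a cluster by device type and location (claim 4), reusing an open,
// unrevoked intermediate or minting one, and returns the signed device certificate (claim 1).
func (c *Controller) Register(req RegistrationRequest) *x509.Certificate {
	key := req.DeviceType + "/" + req.Location
	for _, cl := range c.clusters {
		if cl.key == key && !cl.revoked && len(cl.members) < c.maxPerCluster {
			return c.issue(cl, req)
		}
	}
	return c.issue(c.newCluster(key), req)
}

// RevokeIntermediate implements claim 6: revoke the intermediate and the device certificates it
// signed, then re-issue that group under a newly minted intermediate for the same policy key.
func (c *Controller) RevokeIntermediate(inter *x509.Certificate) error {
	for _, old := range c.clusters {
		if old.revoked || !old.cert.Equal(inter) {
			continue
		}
		old.revoked, c.revoked[old.cert.SerialNumber.String()] = true, true
		fresh := c.newCluster(old.key)
		for _, req := range old.members {
			if cur := c.Devices[req.Serial]; cur.CheckSignatureFrom(old.cert) == nil { // not re-registered elsewhere
				c.revoked[cur.SerialNumber.String()] = true
				c.issue(fresh, req)
			}
		}
		return nil
	}
	return fmt.Errorf("unknown or already revoked intermediate")
}

// Verify builds device -> intermediate -> root with the standard path builder, then rejects any
// revoked link; a relying party outside the controller would consult its CRL or OCSP responder.
// KeyUsages must name ClientAuth: Go's default is ServerAuth, which these device certs lack.
func (c *Controller) Verify(cert *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(c.rootCert)
	for _, cl := range c.clusters {
		opts.Intermediates.AddCert(cl.cert)
	}
	chains, err := cert.Verify(opts)
	if err != nil {
		return err
	}
	for _, link := range chains[0] {
		if c.revoked[link.SerialNumber.String()] {
			return fmt.Errorf("%q is revoked", link.Subject.CommonName)
		}
	}
	return nil
}

// newDevice fabricates a registration request with a fresh device key (constructed sample input).
func newDevice(serial, typ, loc string) RegistrationRequest {
	return RegistrationRequest{Serial: serial, DeviceType: typ, Location: loc, PubKey: &newKey().PublicKey}
}

func main() {
	c := NewController(2) // policy: at most two devices per intermediate
	for _, d := range []RegistrationRequest{newDevice("cam-1", "camera", "berlin"), newDevice("cam-2", "camera", "berlin"),
		newDevice("cam-3", "camera", "berlin"), newDevice("tmp-1", "sensor", "tokyo")} {
		fmt.Printf("%s signed by %q\n", d.Serial, c.Register(d).Issuer.CommonName)
	}
	old := c.Devices["cam-1"]
	if err := c.RevokeIntermediate(c.clusters[0].cert); err != nil { // e.g. suspected key compromise
		panic(err)
	}
	fmt.Println("old cam-1 cert:", c.Verify(old), "| re-issued cam-1 cert:", c.Verify(c.Devices["cam-1"]))
}
```

With the threshold set to two, the three camera/berlin registrations produce two intermediates and the sensor/tokyo one a third, which is the clustering the claims describe. Revoking the first intermediate invalidates exactly cam-1 and cam-2, re-issues both under a fourth intermediate, and leaves cam-3 and tmp-1 untouched; that bounded blast radius is the operational reason for putting a policy-scoped intermediate between the root and each device group rather than signing every device from one CA. The intermediates carry pathlen:0 so a compromised one cannot mint further CAs, and device certificates carry only the client-auth EKU.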
Priority Claims (1)
Number Date Country Kind
202241010386 Feb 2022 IN national