Abstract: Technology is shown for establishing a chain of trust for an unknown root certificate in an isolated network that is verified using a chain of trust external to the network. A bootstrap executable and a leaf certificate rooted in the external chain of trust are configured with an OID. The leaf certificate is received in the isolated network and used to sign a new root certificate created in the isolated network to create a blob that is stored in a pre-determined location. The bootstrap executable is executed to instantiate a client machine, which retrieves the blob and verifies its signature using the leaf certificate. The client machine verifies that the OID values from the blob and bootstrap executable match. If the signature and OID checks are successful, then the new root certificate is distributed within the isolated network and installed in a PM certificate chain of trust.

Abstract: Technology is shown for verifying a leaf certificate in a PM chain of trust involving receiving a leaf certificate signed by an intermediate certificate embedded in the leaf certificate. The intermediate certificate is extracted from the received leaf certificate and its public key used to calculate a signature for the received leaf certificate. The calculated signature is compared to a signature included in the received leaf certificate. The received leaf certificate is verified when the calculated signature matches the signature included in the received leaf certificate. The intermediate certificate can be included as a X.509 property of the leaf certificate.

Abstract: Technology is shown for dynamically attaching secure properties to an identity certificate. Claims determining secure properties for an identity are signed and embedded in an identity certificate. Both the identity certificate and the signed claims in the certificate are verified. When a service request is received from the identity, the signed claims from the identity certificate are checked to determine if the request is permitted. If the request is permitted, then the service request is processed. Some examples involve creating claims determining the secure properties for the remote machine, signing the claims to create the signed claims, distributing the signed claims to a certificate authority, embedding the signed claims in the remote machine identity certificate, and distributing the remote machine identity certificate. The claims can be embedded in the certificate as X.509 properties.