Abstract: A certificate authority service receives a request to issue a long-duration digital certificate from an entity for validation purposes between the entity and the service. Upon issuance of the long-duration digital certificate, the entity submits a request to the service for issuance of a short-duration digital certificate that includes a shorter validity period than the long-duration digital certificate. The service may utilize the long-duration digital certificate to validate the entity and, upon validating the entity, issues the short-duration digital certificate to the entity. The entity may subsequently utilize the short-duration digital certificate to enable a user client to authenticate the entity and securely communicate with the entity.

Abstract: An example method of updating code or variables may include storing a program and/or variables of the program in a memory of a computer. The program may be executed using at least a first processor in the computer. After receiving a request over a network from a hot patching service, a second processor may execute patch software. The second processor may be exposed as a peripheral device to the computer, the second processor having access to the memory of the computer. Without stopping execution of the program, the program and/or variables of the program may be updated using the patch software by changing the stored program and/or variables in the memory using the second processor. The computer may be a server computer used in a multi-tenant virtual environment, and the program may be a hypervisor running on the server computer.

Abstract: An administrator may issue a credential to a user and may define a policy that authorizes its use based on a predefined location. The policy and the credential may be bound in a digital certificate signed by a trusted party. When the user operates a computing device to access a resource, the computing device may present the digital certificate to the resource. In turn, the resource may use the digital certificate to authenticate the user and to verify that the policy authorizes his or her access.

Abstract: A method for provisioning digital certificates in a compute service environment may include authorizing a customer entity for using and/or controlling a network resource in the compute service environment. Upon completing the authorization, a digital certificate may be issued to the customer entity. The digital certificate may be associated with the network resource and may be issued for a limited duration period. The use and/or control of the network resource by the customer entity may be monitored. Reissuance of the digital certificate may be conditioned on whether the customer entity is still using and/or controlling the network resource in the compute service environment. If the customer entity is still using and/or controlling the network resource in the multi-tenant environment, the digital certificate may be automatically reissued for another limited duration period. The automatically reissuing may take place without receiving a certificate reissue request from the customer entity.

Abstract: A method for provisioning digital certificates in a multi-tenant network environment may include receiving an API request for a digital certificate from a representative of a customer entity. Existing account information of the representative may be retrieved, the existing account information associated with at least one service provided within the multi-tenant network environment and used by the representative. The identity of the representative may be verified based at least in part on digital certificate authentication information within the API request. At least one fraud metric may be generated for the representative based on the retrieved existing account information. The at least one fraud metric may be indicative of fraudulent activity associated with the representative. The identity verification and the at least one fraud metric may be used to determine whether to issue the digital certificate to the customer entity.

Abstract: Techniques are disclosed for secure and efficient communication from a source to a destination through an intermediary. The disclosed techniques employ a source-to-intermediary encryption algorithm to encrypt the communication from the source to the intermediary. The disclosed techniques also employ an intermediary-to-destination encryption algorithm to encrypt the communication from the intermediary to the destination. Thus, a more optimal encryption algorithm may be employed for communication between the intermediary and the destination, even if the more optimal encryption algorithm is not supported by the source. Also, a more optimal encryption algorithm may be employed for communication between the source and the intermediary, even if the more optimal encryption algorithm is not supported by the destination.

Abstract: A session identifier is used during negotiation of a secure connection between a client and an endpoint that includes both session information and client identification information. For example, a client connects to a load balancer using transport layer security (TLS). The load balancer may pass client information, such as session information, on to an application server that determines client information to put in a TLS session identifier. The application may send the client information to include in the TLS session identifier back to the load balancer. The load balancer may combine TLS session information for resuming TLS communications and client information for identifying the client into the session identifier. The session identifier may be passed to the client for use in later communication. TLS negotiation between the client and the load balancer may be completed and a secure connection begun. The application may monitor actions performed by the client.

Abstract: A method for provisioning digital certificates in a compute service environment may include authorizing a customer entity for using and/or controlling a network resource in the compute service environment. Upon completing the authorization, a digital certificate may be issued to the customer entity. The digital certificate may be associated with the network resource and may be issued for a limited duration period. The use and/or control of the network resource by the customer entity may be monitored. Reissuance of the digital certificate may be conditioned on whether the customer entity is still using and/or controlling the network resource in the compute service environment. If the customer entity is still using and/or controlling the network resource in the multi-tenant environment, the digital certificate may be automatically reissued for another limited duration period. The automatically reissuing may take place without receiving a certificate reissue request from the customer entity.