Patents by Inventor Shanthi E. Thomas

Shanthi E. Thomas has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10484379
    Abstract: System and method of providing administrative access to an endpoint server. In one example, the method includes receiving, at an admin server, a request for performing an admin operation on the endpoint server and a first portion of an admin key from a microservice server. The method also includes receiving, at the admin server, a second portion of the admin key. The method further includes generating, at the admin server, a copy of the admin key based at least in part on the first portion and the second portion of the admin key. The method also includes performing, via the admin server, the admin operation on the endpoint server using the copy of the admin key. The method further includes deleting the copy of the admin key on the admin server after performing the admin operation on the endpoint server.
    Type: Grant
    Filed: March 16, 2017
    Date of Patent: November 19, 2019
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Adam C. Lewis, Shanthi E. Thomas
  • Patent number: 10404680
    Abstract: A method is provided for obtaining a vetted certificate for a microservice in an elastic cloud environment. The microservice receives a one-time authentication credential. The microservice utilizes the one-time authentication credential to obtain a client secret. The microservice obtains an access token and CSR (Certificate Signing Request) attributes using the client secret and constructs a CSR utilizing the CSR attributes. The microservice requests a vetted certificate from a Certificate Authority (CA) and includes the access token and the CSR in the request. If the access token and the CSR pass vetting at the CA, the CA sends a vetted certificate to the microservice.
    Type: Grant
    Filed: August 11, 2016
    Date of Patent: September 3, 2019
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Adam C. Lewis, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 10104526
    Abstract: A method and apparatus for issuing an incident-issued credential for an incident area network. One embodiment provides an identity server including an electronic processor configured to receive an agency-issued credential and retrieve a first set of attributes from the agency-issued credential. The electronic processor is also configured to map the first set of attributes to a scope of a service available through an incident area network. The electronic processor is further configured to generate the incident-issued credential for the incident area network including the scope and issue the incident-issued credential to a user device.
    Type: Grant
    Filed: June 1, 2016
    Date of Patent: October 16, 2018
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Anthony R. Metke, Adam C. Lewis, Shanthi E. Thomas
  • Publication number: 20180270237
    Abstract: System and method of providing administrative access to an endpoint server. In one example, the method includes receiving, at an admin server, a request for performing an admin operation on the endpoint server and a first portion of an admin key from a microservice server. The method also includes receiving, at the admin server, a second portion of the admin key. The method further includes generating, at the admin server, a copy of the admin key based at least in part on the first portion and the second portion of the admin key. The method also includes performing, via the admin server, the admin operation on the endpoint server using the copy of the admin key. The method further includes deleting the copy of the admin key on the admin server after performing the admin operation on the endpoint server.
    Type: Application
    Filed: March 16, 2017
    Publication date: September 20, 2018
    Inventors: Adam C. Lewis, Shanthi E. Thomas
  • Patent number: 9946859
    Abstract: A method of enabling a lock screen of an electronic device operating an electronic device that includes an electronic processor and a display screen. The method includes receiving, by the electronic processor, a request to unlock the electronic device. The method further includes determining, by the electronic processor, an authentication state for the electronic device. The method further includes determining, by the electronic processor, a lock screen authentication mode based on the authentication state, and displaying, on the display screen, a lock screen including the lock screen authentication mode. The electronic device includes a display screen and an electronic processor. The electronic processor is configured to receive a request to unlock the electronic device.
    Type: Grant
    Filed: November 4, 2015
    Date of Patent: April 17, 2018
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Katrin Reitsma, Adam C. Lewis, Shanthi E. Thomas
  • Publication number: 20180048638
    Abstract: A method is provided for obtaining a vetted certificate for a microservice in an elastic cloud environment. The microservice receives a one-time authentication credential. The microservice utilizes the one-time authentication credential to obtain a client secret. The microservice obtains an access token and CSR (Certificate Signing Request) attributes using the client secret and constructs a CSR utilizing the CSR attributes. The microservice requests a vetted certificate from a Certificate Authority (CA) and includes the access token and the CSR in the request. If the access token and the CSR pass vetting at the CA, the CA sends a vetted certificate to the microservice.
    Type: Application
    Filed: August 11, 2016
    Publication date: February 15, 2018
    Inventors: ADAM C. LEWIS, ANTHONY R. METKE, SHANTHI E. THOMAS
  • Publication number: 20170353451
    Abstract: A method and apparatus for issuing an incident-issued credential for an incident area network. One embodiment provides an identity server including an electronic processor configured to receive an agency-issued credential and retrieve a first set of attributes from the agency-issued credential. The electronic processor is also configured to map the first set of attributes to a scope of a service available through an incident area network. The electronic processor is further configured to generate the incident-issued credential for the incident area network including the scope and issue the incident-issued credential to a user device.
    Type: Application
    Filed: June 1, 2016
    Publication date: December 7, 2017
    Inventors: Anthony R. Metke, Adam C. Lewis, Shanthi E. Thomas
  • Publication number: 20170124307
    Abstract: A method of enabling a lock screen of an electronic device operating an electronic device that includes an electronic processor and a display screen. The method includes receiving, by the electronic processor, a request to unlock the electronic device. The method further includes determining, by the electronic processor, an authentication state for the electronic device. The method further includes determining, by the electronic processor, a lock screen authentication mode based on the authentication state, and displaying, on the display screen, a lock screen including the lock screen authentication mode. The electronic device includes a display screen and an electronic processor. The electronic processor is configured to receive a request to unlock the electronic device.
    Type: Application
    Filed: November 4, 2015
    Publication date: May 4, 2017
    Inventors: Katrin Reitsma, Adam C. Lewis, Shanthi E. Thomas
  • Patent number: 9503269
    Abstract: A certificate issuer (210) can periodically request, receive, and store current server-based certificate validation protocol (SCVP) staples (225) for supported relying parties (205) from at least one server-based certificate validation protocol (SCVP) responder (215). The certificate issuer (210) can receive a contact initiation request (220) from one of the relying parties (205). Responsive to receiving the contact initiation request (220), the certificate issuer (210) can identify a current SCVP staple from the saved staples that is applicable to the relying party (205). The certificate issuer (210) can convey a response to the contact initiation request (220) to the relying party (205). The response can comprise the identified SCVP staple and a public key infrastructure (PKI) certificate (230) of the certificate issuer. The SCVP staple can validate a certification path between the PKI certificate (230) and a different certificate trusted by the relying party (205).
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: November 22, 2016
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Publication number: 20160182489
    Abstract: A single sign-on server associated with a single sign-on client authenticates a user of a device. Subsequent to the authenticating, the single sign-on client receives a request for an authentication token from a single sign-on enabled application operating on the device. The single sign-on client determines whether an application lock flag for the single sign-on enabled application is set. Responsive to the determining, the single sign-on client provides the authentication token to the single sign-on enabled application when the application lock flag is not set and withholds the authentication token from the single sign-on enabled application when the application lock flag is set.
    Type: Application
    Filed: December 19, 2014
    Publication date: June 23, 2016
    Inventors: ADAM C. LEWIS, RICHARD S. PIEPHO, SHANTHI E. THOMAS
  • Publication number: 20160142215
    Abstract: A certificate management processor (CMP) in a public key infrastructure (PKI) receives a request for a certificate management operation. The CMP determines that the request is associated with at least one of an end entity and a service. The CMP identifies a certificate management identifier associated with at least one of the end entity and the service. The CMP retrieves at least one status associated with the certificate management identifier and/or at least one status associated with the certificate management operation. The CMP performs the certificate management operation on a certificate when the retrieved at least one status is determined to not be suspended.
    Type: Application
    Filed: November 18, 2015
    Publication date: May 19, 2016
    Inventors: CHRIS A. KRUEGEL, ANDRZEJ GRZESIK, ERWIN HIMAWAN, ANTHONY R. METKE, SHANTHI E. THOMAS, STEVEN K. TURNER
  • Publication number: 20160142216
    Abstract: A Public Key Infrastructure (PKI) device receives a certificate signing request (CSR) from an end entity. The PKI device obtains at least one of: a controlling attribute of at least one PKI device associated with processing of the certificate signing request and a controlling attribute associated with the CSR. The PKI device obtains an end entity policy object (EEPO) to be associated with the end entity based on at least one obtained controlling attribute. Based on the obtained EEPO, the PKI device determines at least one attribute and at least one value associated with the attribute that is to be included in a certificate and issues, to the end entity, the certificate including the at least one attribute.
    Type: Application
    Filed: November 18, 2015
    Publication date: May 19, 2016
    Inventors: STEVEN K. TURNER, MARK A. BOERGER, ANDRZEJ GRZESIK, ERWIN HIMAWAN, CHRIS A. KRUEGEL, ANTHONY R. METKE, SHANTHI E. THOMAS
  • Publication number: 20160127353
    Abstract: In a method, a public key infrastructure (PKI) device receives a certificate signing request (CSR) and an identity assertion cryptographically bound to an end entity issuing the CSR. The PKI device validates the authenticity and integrity of the CSR using the identity assertion. In response to validating the authenticity and integrity of the CSR, the PKI device issues a certificate based on at least one of the CSR and fields in the identity assertion.
    Type: Application
    Filed: October 30, 2014
    Publication date: May 5, 2016
    Inventors: SHANTHI E. THOMAS, ANTHONY R. METKE, MARK D. SEABORN
  • Patent number: 9306932
    Abstract: A certificate issuer (210) can periodically request, receive, and store current server-based certificate validation protocol (SCVP) staples (225) for supported relying parties (205) from at least one server-based certificate validation protocol (SCVP) responder (215). The certificate issuer (210) can receive a contact initiation request (220) from one of the relying parties (205). Responsive to receiving the contact initiation request (220), the certificate issuer (210) can identify a current SCVP staple from the saved staples that is applicable to the relying party (205). The certificate issuer (210) can convey a response to the contact initiation request (220) to the relying party (205). The response can comprise the identified SCVP staple and a public key infrastructure (PKI) certificate (230) of the certificate issuer. The SCVP staple can validate a certification path between the PKI certificate (230) and a different certificate trusted by the relying party (205).
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: April 5, 2016
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Publication number: 20150372824
    Abstract: A certificate issuer (210) can periodically request, receive, and store current server-based certificate validation protocol (SCVP) staples (225) for supported relying parties (205) from at least one server-based certificate validation protocol (SCVP) responder (215). The certificate issuer (210) can receive a contact initiation request (220) from one of the relying parties (205). Responsive to receiving the contact initiation request (220), the certificate issuer (210) can identify a current SCVP staple from the saved staples that is applicable to the relying party (205). The certificate issuer (210) can convey a response to the contact initiation request (220) to the relying party (205). The response can comprise the identified SCVP staple and a public key infrastructure (PKI) certificate (230) of the certificate issuer. The SCVP staple can validate a certification path between the PKI certificate (230) and a different certificate trusted by the relying party (205).
    Type: Application
    Filed: May 15, 2014
    Publication date: December 24, 2015
    Applicant: MOTOROLA SOLUTIONS, INC.
    Inventors: ERWIN HIMAWAN, ANTHONY R. METKE, SHANTHI E. THOMAS
  • Patent number: 9137735
    Abstract: Methods, systems and apparatus are provided for distributing wireless local area network (WLAN) access information to a wireless communication device based on a current coverage area that the wireless communication device is located in. A location services server can determine, based on a current location of the wireless communication device, a current coverage area of the wireless communication device, and transmit information identifying the current coverage area to a directory services server. Based on the current coverage area, the public safety directory services server can determine relevant WLAN access information for the current coverage area, and transmit a message to the wireless communication device that includes the relevant WLAN access information.
    Type: Grant
    Filed: August 2, 2011
    Date of Patent: September 15, 2015
    Assignee: Motorola Solutions, Inc.
    Inventors: Shanthi E. Thomas, Ibrahima Niass
  • Patent number: 8984283
    Abstract: Methods and apparatuses for validating the status of digital certificates include a relying party receiving at least one digital certificate and determining if the at least one digital certificate is to be validated against a private certificate status database. The relying party accesses the private certificate status database and cryptographically validates the authenticity of data in the private certificate status database. The relying party also validates the at least one digital certificate based on information in at least one of the private certificate status database and a public certificate status database.
    Type: Grant
    Filed: August 3, 2011
    Date of Patent: March 17, 2015
    Assignee: Motorola Solutions, Inc.
    Inventors: Erwin Himawan, Anthony R. Metke, Shanthi E. Thomas
  • Patent number: 8929862
    Abstract: A method and apparatus for attaching a wireless device to a foreign wireless domain of a 3GPP communication system using an alternative authentication mechanism, wherein the wireless device performs the method, which includes: sending a first attach request message to an infrastructure device in the foreign wireless domain; receiving an attach reject message from the infrastructure device upon an unsuccessful attempt to obtain authentication credentials for the wireless device from a home wireless domain of the wireless device using a standard 3GPP authentication mechanism; responsive to the attach reject message, sending a second attach request message to the infrastructure device, wherein the second attach request message indicates an alternative authentication mechanism to the standard 3GPP authentication mechanism; and receiving an attach accept message from the infrastructure device when the wireless device is successfully authenticated using the alternative authentication mechanism.
    Type: Grant
    Filed: July 8, 2011
    Date of Patent: January 6, 2015
    Assignee: Motorola Solutions, Inc.
    Inventors: George Popovich, Shanthi E. Thomas
  • Patent number: 8806196
    Abstract: A relying party obtains a certificate of a certificate subject and acquires a status information object for the certificate. The relying party validates the certificate using information in the status information object and compares authorization attributes present in the status information object with policy attributes associated with the requested service. A policy attribute is a set of constraints used by the relying party to determine if the authorization attributes associated with the certificate subject are sufficient to allow the certificate subject to access the requested service. If the authorization attributes present in the status information object match the policy attributes associated with the requested service, the relying party may grant the certificate subject access to the requested service.
    Type: Grant
    Filed: November 4, 2011
    Date of Patent: August 12, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Anthony R. Metke, Erwin Himawan, Shanthi E. Thomas
  • Patent number: 8751791
    Abstract: A method and device for confirming authenticity of a public key infrastructure (PKI) transaction event between a relying node and a subject node in a communication network enables improved network security. According to some embodiments, the method includes establishing at a PKI event logging (PEL) server a process to achieve secure communications with the relying node (step 705). Next, the PEL server processes reported PKI transaction event data received from the relying node (step 710). The reported PKI transaction event data describe the PKI transaction event between the relying node and the subject node. The reported PKI transaction event data are then transmitted from the PEL server to the subject node (step 715). The subject node can thus compare the reported PKI transaction event data with corresponding local PKI transaction event data to confirm the authenticity of the PKI transaction event.
    Type: Grant
    Filed: September 17, 2008
    Date of Patent: June 10, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Erwin Himawan, Ananth Ignaci, Anthony R. Metke, Shanthi E. Thomas