Abstract: Operations may include receiving, from a first network entity, a first request for a first certificate revocation list (CRL) that identifies a first CRL distribution point (CDP) corresponding to the first CRL; mapping the first CDP to a first CRL identifier of a set of available CRL identifiers; locating, in a CRL repository, a first CRL based on the first CRL identifier; and transmitting the first CRL to the first network entity.

Abstract: Operations of a certificate bundle validation service may include receiving a first certificate bundle that includes a first set of one or more digital certificates, and a digital signature, associated with the first certificate bundle; determining, using a public key of an asymmetric key pair associated with a second set of one or more digital certificates, that the digital signature is generated using a private key of the asymmetric key pair; and responsive to determining that the digital signature is generated using the private key, storing the first certificate bundle in a certificate repository as a trusted certificate bundle.

Abstract: Operations of a certificate authority (CA) service may include aggregating in a certificate repository, a plurality of sets of CA certificates, in which each set of CA certificates is issued by a particular CA that is associated with a particular trust zone and that is trusted by a particular set of network entities located in the particular trust zone. The operations may further include distributing for access by an additional set of network entities, an aggregate set of CA certificates that includes the plurality of sets of CA certificates. The additional set of network entities may utilize the plurality of sets of CA certificates to authenticate network entities located in different trust zones.

Abstract: Operations of a certificate bundle distribution service may include: detecting a trigger condition to distribute a certificate bundle that includes a set of one or more certificate authority certificates; partitioning each particular network entity of a plurality of network entities associated with a computer network into one of a plurality of certificate distribution groups based on a network address of the particular network entity, in which each particular certificate distribution group includes a particular subset of network entities from the plurality of network entities; selecting a particular certificate distribution group, of the plurality of certificate distribution groups, for distribution of the certificate bundle; and transmitting the certificate bundle to the particular subset of network entities in the particular certificate distribution group.

Abstract: Operations of a digital signature manager may include detecting, in a certificate repository on a first virtual cloud network, set of one or more new certificate authority (CA) certificates; transmitting, to a key management service hosted on a second virtual cloud network, a CA dataset that includes the set of one or more new CA certificates; receiving, from the key management service, a digital signature of the CA dataset generated based at least on a global private key stored on the second virtual cloud network in a private key repository associated with the key management service; and storing the digital signature in the certificate repository in a data structure that associates the digital signature with the CA dataset.

Abstract: Techniques for updating certificate bundles may include receiving, at an entity associated with a virtual cloud network, a certificate bundle that includes an updated set of certificate authority (CA) certificates. The techniques may include applying a validation process to an entity certificate based on the certificate bundle, with the entity certificate having been issued to the entity prior to the entity receiving the certificate bundle. The validation process may include validating, by the entity, a certificate chain that includes the entity certificate and a CA certificate included in the updated set of CA certificates. The techniques may include, responsive to validating the certificate chain, installing the certificate bundle in a storage medium associated with the entity, and utilizing, by the entity, the certificate bundle to authenticate at least one additional entity associated with the virtual cloud network.