Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The objection of claims 2 and 3 under 37 CFR 1.75(c) as being in improper has been withdrawn based on claim 3 being cancelled.
The rejection of claims 8-17 under 35 U.S.C. 101 as being directed to non-statutory subject matter has been withdrawn based on the amendments.
The rejection of claims 7-8, 10, 13-14, 16 and 19 under 35 U.S.C. 112(b) or 35 U.S.C. 112 as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention has been withdrawn based on the amendments.

Response to Arguments
Applicant's arguments filed April 17, 2022 have been fully considered but they are not persuasive to overcome the prior arts in record and place the claims in a better condition for allowance for the following reasons. 
In the response, the applicant recognizes that the primary reference Popoveniuce discloses that the certificate is digitally signed by the owner of the certificate, by a sequence of intermediate certificate authorities, and finally by a root certificate authority. And, the pointer 120 is an identifier of a network location, such as an IP address, a URL, or other URI.  However, the applicant argues by stating that the prior art Popoveniuce uses the process of issuing client applications through network services. Popoveniuce does not disclose that the client application is bound to a specific electronic device. Once the client application is stored in other electronic devices, the URL or URI should also change the pointing location. In other words, Popoveniuce does not issue certificates to electronic devices. Popoveniuce does not disclose that an electronic device issues a device certificate of the electronic device through an intermediate certificate device, and does not disclose transmit the device certificate and the IP location of a server to the electronic device. Thus, Popoveniuce fails to disclose "a server, configured to sign a device certificate corresponding to the electronic device through an intermediate certificate device after receiving the certificate application request, and transmit the device certificate and an Internet address of the server to the electronic device," as recited in claim 1.
The examiner disagrees with the applicant’s argument and analysis. During examination, the examination the broadest reasonable interpretation (BRI) consistent with the applicant’s disclosure as they would be understood and interpreted by one of ordinary skill in the art at the time of filing of the invention. Accordingly, an “Internet Address of the server” is broadly considered as any addressing mechanism to reach or access or identify the server behind a proxy over an Internet for X.509 Certificate implementation to reach a root certificate placed behind several layers of security protection, particularly when the applicant’s disclosure failed to provide sufficient context for the Internet addressing mechanism (See in [006-0007] where Internet Address of Server is mentioned in the disclosures also for and also for an Intermediate Certificate Device in [0021]). Under BRI, the Internet address of the server could be any addressing information or pointer to reach the server over the Internet including a Uniform Resource Locator (URL), a Uniform Resource Identifier (URI), a Uniform Resource Name (URN), an Internet Protocol (IP) address, or other information suitable for directing the client application to a location of the attribute and/or information associated with the attribute on the server (See the prior teaching this feature in [0013]. Popoveniuc, further discloses in [0022] that the pointer may include a URL to a server computer hosting the information or a record maintained by a Domain Name Server (DNS) containing the information. In addition, the DNS server may be used to determine a location of the remote certificate information store 124 based at least in part on the pointer 120. Any mechanism that may be used to direct the client computer system 108 to the location of information associated with the digital certificate is considered within the scope of the present disclosure.  Popoveniuc continues to disclose in [0024] that the certificate authority 106 may generate the pointer(s) 120 to be included in the digital certificate 104. In such embodiments, the certificate authority 106, after determining the one or more parameters and pointer(s) 120, then generates the digital certificate 104 and issues the digital certificate 104 to the service 102. From the above description, it is clear that the applicant’s analysis “the prior art Popoveniuce does not disclose that the client application is bound to a specific electronic device and once the client application is stored in other electronic devices, the URL or URI should also change the pointing location, in other words, Popoveniuce does not issue certificates to electronic devices” is incorrect and the arguments are not persuasive. Furthermore, there is no recitation in the applicant’s claim that “the client application is bound to a specific electronic device” unlike the applicant’s argument or assertion. The remaining applicant’s argument are based on this incorrect assertion that “the client application is bound to a specific electronic device” and the following incorrect conclusion by the applicant that “Once the client application is stored in other electronic devices, the URL or URI should also change the pointing location”. 
The applicant continues to argue that GUNTI even failed to disclose "a server, configured to sign a device certificate corresponding to the electronic device through an intermediate certificate device after receiving the certificate application request, and transmit the device certificate and an Internet address of the server to the electronic device," as recited in claim 1. The examiner disagrees with the applicant’s argument for the following reasons: First, the applicant's arguments against the references are directed to attack the references individually where the rejections are based on combinations of references (Popoveniuce in view of GUNTI). The prior art GUNTI is considered to discloses the device certificate is signed through an intermediate certificate device. Second, the applicant’s arguments are based only on few targeted initial paragraph citations [0020-0023] from GUNTI ignoring or failing to discusses the most relevant and more cited remaining sections from GUNTI ([0031-0037]: [0034] At 214, centralized management tool 120 requests a certificate signing request (CSR) from the node that is to be or just added to system 100. [0036] At 218, centralized management tool 120 provides the CSR to certificate authority 130. That is, the centralized management tool presents the CSR to the certificate authority on behalf of the node. In one embodiment, certificate metadata is provided to certificate authority 130. [0037] At 220, in response to receiving CSR from node 110 (via centralized management tool 120), certificate authority 130 generates certificates. For example, certificate authority 130 creates a certificate for node 110 and signs the certificate with a signing key. Finally, the applicant admits in the applicant’s disclosure the following: Since the root certificate must be placed behind several layers of security protection, the intermediate certificate device 22 is used as a proxy device to ensure that the key of the root certificate is absolutely inaccessible. Since the root certificate itself signs the intermediate certificate, the intermediate certificate can be used to sign the Secure Sockets Layer (SSL) for installation and maintenance. This is a standard technology, so it won't repeat here (See applicant’s disclosure in [0021: An Intermediate Certificate Device]).
For at least the above reasons, the applicant’s arguments are not persuasive to overcome the prior arts in record and place the claims 1, 8 and 14 in a better condition for allowance and therefore, the rejections are maintained. 

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are:
an electronic device, configured to transmit a certificate application request in claim 1,
a server, configured to sign a device certificate corresponding to the electronic device after receiving the certificate in claim 1,
a server, configured to transmit the device certificate and an Internet address of the server to the electronic device in claim 1.
a server device, configured to receive a certification application in claim 8.
a server device, configured to issue a device certification in claim 8.
a server device, configured to transmit the device certification and an Internet address in claim 8.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 8-9, 14-15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Popoveniuc et al. (Hereinafter referred to as Popoveniuc, US. Pub. No.:US 20200052911) in view of GUNTI et al. (Hereinafter referred to as GUNTI, US 20170006022 A1).

As per claim 1:
Popoveniuc discloses a certificate management system, comprising:
an electronic device, configured to transmit a certificate application request (([0012]: A client application running on a computer system initiates a secure network connection to a network service. In response to receiving the connection request, the network service provides a digital certificate to the client application so that the client application is able to verify the identity of the network service. The digital certificate includes a number of attributes that describe properties of the digital certificate (e.g., validity range, usage restrictions, extensions, and various other attributes) and properties of the owner of the digital certificate. The digital certificate is verified using a chain of trust that is verifiable via a number of digital signatures. The certificate is digitally signed by the owner of the certificate, by a sequence of intermediate certificate authorities, and finally by a root certificate authority. The application verifies the information contained in the digital certificate by verifying the signatures in the chain of trust and by verifying that the certificate is still valid);
a server, configured to sign a device certificate corresponding to the electronic device after receiving the certificate application request ([0017]: In response to the request for a secure network connection and/or session, the service 102 provides the client computer system 108 with the digital certificate 104. the digital certificate 104 is an X.509 digital certificate that includes information contained in various fields such as an issuer field 112, a subject field 114, an issuer signature 116, and a subject signature 118. Various fields the digital certificate 104 include a pointer 120 (e.g., URL or URI) pointing to a remote certificate information store 124 that contains information describing the validity time period, signature algorithms used, serial number, usage restrictions and/or requirements, chain of trust associated, or other information with the digital certificate 104), and
transmit the device certificate and an Internet address of the server to the electronic device ([0013]: A portion of the attributes include a pointer or other reference value to direct the client application to a location containing information associated with a particular attribute. The point includes a Uniform Resource Locator (URL), a Uniform Resource Identifier (URI), a Uniform Resource Name (URN), an Internet Protocol (IP) address, or other information suitable for directing the client application to a location of the attribute and/or information associated with the attribute. The location may be a web server or other computing resource accessible over a network that maintains the attribute information, such as a remote certificate information store. The validity range of an X.509 digital certificate includes an URL pointer to a remote certificate information store that contains a value representing the validity range of the X.509 digital certificate. This value may be cryptographically signed by the CA that issued the X.509 digital certificate, for example using the CAs private key, to provide assurances of the validity and authenticity of the value; [0022]; [0049-0050]: the client obtains the first pointer to usage information included in the digital certificate. The digital certificate includes one or more pointers, the pointers may include information (e.g., URL or URI) directing the client to a remote certificate information store that maintains usage information associated with the digital certificate. The digital certificate may include a plurality of pointers which may direct the client device to one or more remote certificate information stores. In various embodiments, the client includes an application (e.g., a web browser) that includes executable instructions that, when executed, cause the client to detect the pointer in the digital certificate and generate a query to be transmitted over a network to the remote certificate information store to obtain the usage information to determine the validity of the digital certificate);
wherein the electronic device stores the device certificate and the Internet address of the server to complete a certificate issuance operation ([0018] A pointer 120 may be information that facilitates obtaining usage information associated with a digital certificate 104.  The pointer 120 is an identifier of a network location, such as an IP address, a URL, or other URI. Furthermore, the pointer may be another identifier of a system, such as an identifier that is usable by a service to lookup a network location, a particular computer system of a set of computer systems implementing the service, a storage location. Such an identifier may comply with a standard or may be specific to the service, etc. The digital certificate may include a plurality of pointers 120 of the same or different types. The digital certificate 104 includes a first pointer comprising a URL to a web server hosting a database containing validity range information associated with the digital certificate 104 and a second pointer comprising an identifier of a storage service and storage location maintained by the storage service containing information indicating a number of times the digital certificate may be used; [0022]; [0049-0050]).

Popoveniuc does not explicitly disclose the device certificate is signed through an intermediate certificate device. GUNTI, in analogous art however, discloses the device certificate is signed through an intermediate certificate device ([0020-0023]: Centralized management tool 120 is a suite of virtualization tools (e.g., vSphere suite), allows for the management of multiple ESX servers and virtual machines from different ESX servers through a single console application that can be stored and executed on one the hosts (e.g., node 110 or node 112) or can be stored and executed on another physical device (e.g., client device) that is communicatively coupled with system 100. It enables a user (e.g., IT administrator) to manage system 100 from a single or centralized tool, via a user interface. It automates the provisioning of SSL certificates to the nodes. Certificate authority 130, is a root certificate authority or an intermediary certificate authority to another certificate authority. [0031-0037]: The centralized management tool 120, at 210 connects/provisions node 110 to system 100. Node 110 is an ESX host that is configured to host various virtual machines in a virtualization infrastructure. At 212, an unsigned SSL certification is transmitted to centralized management tool 120. It is noted that when node 110 is added to system 100, node 110 self-signs a certificate. However, a self-signed certificate is not deemed trustworthy in system 100. As such, communication with node 110 is not deemed to be to be trustworthy. At 214, centralized management tool 120 requests a certificate signing request (CSR) from the node that is to be or just added to system 100. In general, a CSR is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. Additionally, a CSR is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in the certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR. At 216, node 110 provides a CSR to centralized management tool 120. At 218, centralized management tool 120 provides the CSR to certificate authority 130. That is, the centralized management tool presents the CSR to the certificate authority on behalf of the node. In one embodiment, certificate metadata is provided to certificate authority 130. At 220, in response to receiving CSR from node 110 (via centralized management tool 120), certificate authority 130 generates certificates. For example, certificate authority 130 creates a certificate for node 110 and signs the certificate with a signing key).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the certificate application request disclosed by Popoveniuc to include the device certificate is signed is through an intermediate certificate device. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide an automated provisioning of certificates to a distributed computing environment that includes virtualization infrastructure as suggested by GUNTI (0016-0019).

As per claim 2:
GUNTI discloses  wherein the intermediate certificate device is located in the server ([0020]: Centralized management tool 120 is a suite of virtualization tools (e.g., vSphere suite), allows for the management of multiple ESX servers and virtual machines from different ESX servers through a single console application that can be stored and executed on one the hosts (e.g., node 110 or node 112) or can be stored and executed on another physical device (e.g., client device) that is communicatively coupled with system 100);
the intermediate certificate device is an X.509 certificate device ([0022]: Centralized management tool 120 automates the provisioning of SSL certificates to the nodes. In general, SSL Certificates are small data files that digitally bind a cryptographic key to an organization's details. The digital certificates are X.509 certificates); and
the device certificate generated by the intermediate certificate device is an X.509 certificate ([0022]: The digital certificates are X.509 certificates);
wherein the X.509 certificate is a leaf certificate in an X.509 certificate chain technology, and the X.509 certificate is encrypted with an asymmetric key ([0037]: At 220, in response to receiving CSR from node 110 (via centralized management tool 120), certificate authority 130 generates certificates. For example, certificate authority 130 creates a certificate for node 110 and signs the certificate with a signing key. [0051] At 330, accessing a signed certificate from the certificate authority for the computing node. For example, centralized management tool 120 receives signed X.509 certificates from certificate authority 130).

As per claims 8-9:
Claims 8-9 are directed to the certificate management system having substantially similar corresponding limitation of respective claims 1-2 and therefore claims 8-9 are rejected with the same rationale given above to reject claims 1-2.

As per claims 14-15 and 20:
Claims 14-15 and 20 are directed to the certificate management method having substantially similar corresponding limitation of respective claims 1-2 and therefore claims 14-15 and 20 are rejected with the same rationale given above to reject claims 1-2.

Claims 4-7, 10-13 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Popoveniuc et al. (Hereinafter referred to as Popoveniuc, US. Pub. No.:US 20200052911) in view of GUNTI et al. (Hereinafter referred to as GUNTI, US 20170006022 A1) and in further view of Fu (Hereinafter referred to as Fu, US 20110213966 A1).

As per claim 4:
GUNTI discloses wherein when the electronic device completes the certificate issuance operation ([0037] At 220, in response to receiving CSR from node 110 (via centralized management tool 120), certificate authority 130 generates certificates. For example, certificate authority 130 creates a certificate for node 110 and signs the certificate with a signing key); the electronic device sends a connection request and the device certificate to the server ([0034]: At 214, centralized management tool 120 requests a certificate signing request (CSR) from the node that is to be or just added to system 100); and confirming that the device certificate is a leaf certificate in the X.509 certificate chain technology ([0040]: the root certificate is the signing certificate of the certificate authority that signs the node's certificate).
Popoveniuc and GUNTI do not explicitly disclose the server uses the Public Key Infrastructure (PKI) identity authentication mechanism to trigger the intermediate certificate device to perform a number of verification operations on the device certificate, wherein the verification operations comprise: confirming that the electronic device does possess the device certificate, checking that the device certificate is not in a certificate revocation list, and checking that a valid time of the device certificate has not expired.
Fu, in analogous art however, discloses the server uses the Public Key Infrastructure (PKI) identity authentication mechanism to trigger the intermediate certificate device to perform a number of verification operations on the device certificate ([0017-0018]: the certificate operations may include requesting certificates, checking status of certificate requests, retrieving certificates, putting certificates on hold, removing certificates from being on hold, and revoking certificates. These certificate operations may be performed by the CA. To prevent direct access to the CA by the client computing system, a registration authority (RA) of the identity management system operates as a front-end of the CA, wherein the RA is a trusted manager of the CA. The RA may be embedded into an XML-RPC back end as a plug-in of the identity management system, for example. The RA will be responsible for validating the permission of the client, sending a proxy of the client's request to the CA, collecting the response from the CA, and sending the response back to the client computing system. Embodiments of the present invention provide an improved identity management system. By integrating the RA into the identity management server that uses Kerberos authentication to establish a secure connection with a client computing system, the RA can bootstrap the authentication for PKI from the Kerberos authentication established between the identity management server and the client computing system. Since the RA is a trusted manager of the CA and since the identity management system has authenticated the client, the certificate operation requests received by the RA over the secure Kerberos connection can be performed by the CA without PKI authentication of the certificate operation requests. [0029]: The client 102 communicates with the identity management system 110 securely using an authentication protocol that uses symmetric-key cryptography, such as Kerberos authentication protocol. In the depicted embodiment, the identity management system 110 includes a Kerberos key distribution center (KDC) 112 to establish the secure connection using Kerberos authentication protocol. Using the Kerberos authentication established between the identity management system 110 and the client 102, the RA 116 can bootstrap the PKI authentication for certificate requests from the Kerberos authentication), wherein the verification operations comprise: confirming that the electronic device does possess the device certificate ([0031]: Certificate authorities (CAs) validate identities and issue certificates), checking that the device certificate is not in a certificate revocation list ([0031]: the CA server 106 includes an online certificate status responder (OSCP) that can verify whether a certificate is valid, on hold, revoked, or the like), and checking that a valid time of the device certificate has not expired ([0045]: Upon verification, the ticket-granting service 208 creates and stores a user session using a current time (e.g., timestamp) and an expiration date, for example, eight hours, and creates an encryption key). 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the device certificate disclosed by Popoveniuc and GUNTI to include the server uses the Public Key Infrastructure (PKI) identity authentication mechanism to trigger the intermediate certificate device to perform a number of verification operations on the device certificate, wherein the verification operations comprise: confirming that the electronic device does possess the device certificate, checking that the device certificate is not in a certificate revocation list, and  checking that a valid time of the device certificate has not expired. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide authentication identity management system managed by Kerberos authentication that uses a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner as suggested by Fu (0007).

As per claim 5:
Fu discloses when the device certificate passes all the verification operations, the server sends a verification success message to the electronic device; when the device certificate fails to pass all the verification operations, the server sends a verification failure message to the electronic device ([0068]: retrieve a service principal record associated with the client and determine if the service principal record already has a user certificate attribute. If the processing logic determines that the service principal record does not have the user certificate attribute, processing logic allows the CSR to be sent to the CA, otherwise the processing logic stops the request. If the processing logic determines that the service principal record does not exist, the processing logic determines if an add argument is received in connection with the CSR. The add argument requests permission to modify the user certificate attribute. If the processing logic determines that the add argument was received and that the client has permission to modify the user certificate (e.g., listed in the service principal record as an administrator or listed in the managedBy attribute), the processing logic allows the CSR to be sent to the CA, otherwise the processing logic stops the request).

As per claim 6:
Fu discloses when the electronic device receives the verification success message, and the server does not receive any request from the electronic device for more than a receiving time, the server determines that the electronic device is missing or has a problem, and the server removes the device certificate and writes the device certificate into the certificate revocation list ([0085]:  At 610, user 605 (e.g., administrator of system 100) revokes certificates in node 110 by way of centralized management tool 120. For example, the user is made aware that node 110 is untrustworthy and desires to revoke certificates of node 110 via a UI or CLI. At 612, centralized management tool 120 transmits instructions to certificate authority 130 to revoke the certificates of node 110 (as instructed by user 605). As a result, node 110 is deemed to be untrustworthy. At 614, the user provides instructions to remove node 110 from the system because it is untrustworthy. At 616, centralized management tool 120 removes node 110 from system 100. As a result, node 110 is no longer a security risk to system 100).

As per claim 7:
GUNTI discloses when the server checks that the valid time of the device certificate is less than a date threshold, the server sends a certificate expire message to the electronic device ([0074; 0082]: An impending certificate expiration is determined based on various time thresholds, as described above. For example, if a certificate is set to expire within a first time frame (e.g., 8 months), then it is determined that the certificate has an impending certificate expiration. Likewise, if a certificate is set to expire within a second time frame (e.g., 1-8 months), then it is determined that the certificate has an impending certificate expiration. Similarly, if a certificate is set to expire within a third time frame (e.g., 1 month), then it is determined that the certificate has an impending certificate expiration);
wherein the electronic device sends a certificate update request to the server after receiving the certificate expire message ([0049] Accessing a certificate signing request from a computing node by a centralized management tool of the computing system, receives a CSR from node 110 that is initiated to be added to system 100; transmits the CSR (received from node 110) to certificate authority) and the server sends an update certificate to the electronic device ([0051]: accessing a signed certificate from the certificate authority for the computing node).

As per claims 10-13:
Claim 10-13 are directed to the certificate management system having substantially similar corresponding limitation of respective claims 4-7 and therefore claims 10-13 are rejected with the same rationale given above to reject claims 4-7.

As per claim 16-19:
Claim 16-19 are directed to the certificate management method having substantially similar corresponding limitation of respective claims 4-7 and therefore claims 16-19 are rejected with the same rationale given above to reject claims 4-7.


BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI consistent with the applicant’s disclosure as they would be interpreted by one of ordinary skill in the art at the time of filing of the invention. In order to construe, appraise boundary and scope of the claimed limitations, the following claim words or terms or phrases or languages have been given to them their BRI considerations and context in view of the applicant’s disclosure. For example, for the following claim words or terms or phrases or languages, the examiner recites BRI considerations from the applicant’s disclosure as follows:

Internet Address of a Server:		[0006-0007] In order to solve the above problems, the present disclosure provides a certificate management system. The certificate management system includes an electronic device and a server. The electronic device is configured to transmit a certificate application request. The server is configured to sign a device certificate corresponding to the electronic device through an intermediate certificate device after receiving the certificate application request, and transmit the device certificate and the Internet address of the server to the electronic device. The electronic device stores the device certificate and the Internet address of the server to complete the certificate issuance operation.

An Intermediate Certificate Device:	[0021] In one embodiment, the server 20 includes an intermediate certificate device 22. In one embodiment, the intermediate credential device 22 can be implemented by an integrated circuit such as a micro controller, a microprocessor, a digital signal processor, an application specific integrated circuit (ASIC), or a logic circuit. In one embodiment, the intermediate credential device 22 can be implemented by software, firmware, or hardware. Since the root certificate must be placed behind several layers of security protection, the intermediate certificate device 22 is used as a proxy device to ensure that the key of the root certificate is absolutely inaccessible. Since the root certificate itself signs the intermediate certificate, the intermediate certificate can be used to sign the Secure Sockets Layer (SSL) for installation and maintenance. This is a standard technology, so it won't repeat here.   See also in the Attached NPL (X.509 Certificate Policy for the Government Printing Office key Infrastructure-PKI standard Published on April 22, 2020 for Intermediate or Subordinate Certificate Authority -SCA standard).

Conclusion
The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior arts.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TECHANE GERGISO/Primary Examiner, Art Unit 2494