US Patent 11909889 Secure digital signing

A public-private key cryptographic scheme is described for granting authenticating a client to a remote device or service in order to access a secure resource. The client is provided the public key, but the private key is stored in a hardware security module (HSM) that the client is not able to access. The client requests a digital signature be generated from the private key from a secure vault service. The secure vault service accesses the HSM and generates the digital certificate, which is then passed to the client. The digital certificate may be added to a security token request submitted to an identity provider. The identity provider determines whether the digital signature came from the private key. If so, the identity provider provides authenticates the client and provides an access token that is usable by the client for authentication to the remote device with the secure resource