Office Action Predictor
Last updated: April 16, 2026
Application No. 18/417,169

Systems and methods for automated certificate generation and management inside zero trust private networks

Non-Final OA §103
Filed
Jan 19, 2024
Examiner
JOHNSON, AMY COHEN
Art Unit
2400
Tech Center
2400 — Computer Networks
Assignee
Zscaler, INC.
OA Round
2 (Non-Final)
57%
Grant Probability
Moderate
2-3
OA Rounds
2y 6m
To Grant
59%
With Interview

Examiner Intelligence

Grants 57% of resolved cases
57%
Career Allow Rate
282 granted / 497 resolved
-1.3% vs TC avg
Minimal +2% lift
Without
With
+2.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
356 currently pending
Career history
853
Total Applications
across all art units

Statute-Specific Performance

§101
3.8%
-36.2% vs TC avg
§103
55.6%
+15.6% vs TC avg
§102
21.3%
-18.7% vs TC avg
§112
11.5%
-28.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 497 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments, see pages 6-7, filed September 24, 2025, with respect to the rejection(s) of claim(s) 1-20 under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of US patent 12,506,622 granted to Narayanaswamy et al. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-3, 6-13 and 16-21 are rejected under 35 U.S.C. 103 as being unpatentable over US patent publication 20190372783 granted to Martinez et al and further in view of US patent 9,294,468 granted to Kilbourn and US patent 12,506,622 granted to Narayanaswamy et al. Regarding claim 1, Martinez discloses a method and system for monitoring access to one or more private applications; responsive to identifying a request to access an application of the one or more private applications, generating a certificate {see Abstract, paragraph [0030] (automatically generating app-specific certificates in response to access permission or launch of the packaged application)}. Martinez further teaches utilizing the generated certificate to provide access to the application by stitching together a connection between a user and the application {see paragraph [0037] (establish a connection between the server and the client in the packaged application using the automatically generated certificates)}. Martinez further teaches utilizing one or more Certificate Authority (CA) certificates to sign the generated certificate, thereby confirming an authenticity of the generated certificate {see Martinez, paragraph [0040] (the connection component 134 can identify the web server 106 as a trusted certificate authority and use the public key of the web server 106 to authenticate a digital signature included in the received certificate)}. Martinez fails to specifically teach providing the generated certificate to a broker. In an analogous art, Kilbourn discloses a method and system where a brokering service is used for coordinating the generation and maintenance of application-level certificates (see column 2, lines 47-64). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kilbourn's broker service with Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the two in order to reduce the need for long-lived certificates by a central authority for every application on the network system (see Kilbourn; Column 1, lines 49-53.). Martinez and Kilbourn as combined fail to specifically teach receiving one or more CA certificates. In an analogous art, Narayanaswamy teaches a method for securely connecting users and cloud apps where a chain of certificates are received and used to sign a certificate generated for an end-entity {see Abstract; column 15, lines 1-33 (Certificate 900A, respective to intermediate certificate authority 844 and signed by root certificate authority 864 . . .); column 17, lines 30-55 (. . . intermediate domain-specific certificate authority that holds a certificate authority (CA) certificate that operation browsers, operated by users in the organization, recognize to be authorized to sign end-entity certificates by virtue of being chained to a root certificate . . . Many implementations of the disclosed method comprise the inspection proxy receiving . . . organization certificate from the organization CA . . .) and Figure 9}. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Narayanaswamy’s method for securely connecting users and cloud apps with Kilbourn's broker service and Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the references in order to reduce the risk of a customer’s data from being leaked to an unauthorized entity (see Narayanaswamy; column 3, lines 50-64). Regarding claim 2, Martinez as modified discloses everything claimed as applied above (see claim 1), in addition Martinez teaches the certificate is a web application certificate {see Martinez, paragraph [0045] (generating a certificate at a web server of the packaged application at stage 204)}. Regarding claim 3, Martinez as modified discloses everything claimed as applied above (see claim 1), in addition Kilbourn discloses stitching together the connection between the user and the application includes stitching together a connection between a user device associated with the user and a cloud-based system and a connection between an application connector associated with the application and the cloud-based system (see column 2, lines 26-46). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kilbourn's broker service with Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the two in order to reduce the need for long-lived certificates by a central authority for every application on the network system (see Kilbourn; Column 1, lines 49-53.). Regarding claim 6, Martinez as modified discloses everything claimed as applied above (see claim 1), in addition Narayanaswamy teaches the one or more CA certificates are received and utilized on a per-tenant basis {see column 13, lines 34-37 (. . . HSM 532 processes a single operation per tenant from provisioning service 366. . . Continuing the description of FIG. 5, when a new tenant is created, provisioning service 366 generates an intermediate CA key pair . . .) and Figure 5}. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Narayanaswamy’s method for securely connecting users and cloud apps with Kilbourn's broker service and Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the references in order to reduce the risk of a customer’s data from being leaked to an unauthorized entity (see Narayanaswamy; column 3, lines 50-64). Regarding claim 7, Martinez as modified discloses everything claimed as applied above (see claim 1), in addition Narayanaswamy wherein the steps are only performed responsive to identifying secure traffic via the monitoring {see column 20, lines 44-50 (. . . The relaying of traffic may include at least one of decrypting session traffic received from the organization browser and encrypting session traffic sent to the organization browser. At least some of the session traffic that is relayed during the session is inspected by the respective inspection proxy, applying rules supplied by the organization to the distinct entity. . .}. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Narayanaswamy’s method for securely connecting users and cloud apps with Kilbourn's broker service and Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the references in order to reduce the risk of a customer’s data from being leaked to an unauthorized entity (see Narayanaswamy; column 3, lines 50-64). Regarding claim 8, Martinez as modified discloses everything claimed as applied above (see claim 7), in addition Narayanaswamy wherein the secure traffic includes Hypertext Transfer Protocol Secure (HTTPS) traffic {see column 20, lines 44-50}. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Narayanaswamy’s method for securely connecting users and cloud apps with Kilbourn's broker service and Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the references in order to reduce the risk of a customer’s data from being leaked to an unauthorized entity (see Narayanaswamy; column 3, lines 50-64). Regarding claim 9, Martinez as modified discloses everything claimed as applied above (see claim 1), in addition Kilbourn discloses the steps are performed by one or more application connectors associated with the one or more private applications (see column 2, lines 26-46). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kilbourn's broker service with Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the two in order to reduce the need for long-lived certificates by a central authority for every application on the network system (see Kilbourn; Column 1, lines 49-53.) Regarding claim 10, Martinez as modified discloses everything claimed as applied above (see claim 1), in addition Kilbourn discloses the steps are performed by an automated certificate generation service associated with a cloud-based system, and wherein on request from an application connector, the automated certificate generation service generates and digitally signs certificates (see column 2, lines 26-46). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kilbourn's broker service with Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the two in order to reduce the need for long-lived certificates by a central authority for every application on the network system (see Kilbourn; Column 1, lines 49-53.) Claims 11-13 and 16-20 are non-transitory computer-readable medium claims that are substantially equivalent to method claims 1-3 and 6-10. Therefore claims 11-13 and 16-20 are rejected by a similar rationale. Regarding claim 21, Martinez discloses a method and system for monitoring access to one or more private applications; responsive to identifying a request to access an application of the one or more private applications, generating a certificate {see Abstract, paragraph [0030] (automatically generating app-specific certificates in response to access permission or launch of the packaged application)}. Martinez further teaches utilizing the generated certificate to provide access to the application by stitching together a connection between a user and the application {see paragraph [0037] (establish a connection between the server and the client in the packaged application using the automatically generated certificates)}. Martinez further teaches utilizing one or more Certificate Authority (CA) certificates to sign the generated certificate, thereby confirming an authenticity of the generated certificate {see Martinez, paragraph [0040] (the connection component 134 can identify the web server 106 as a trusted certificate authority and use the public key of the web server 106 to authenticate a digital signature included in the received certificate)}. Martinez fails to specifically teach providing the generated certificate to a broker. In an analogous art, Kilbourn discloses a method and system where a brokering service is used for coordinating the generation and maintenance of application-level certificates (see column 2, lines 47-64). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kilbourn's broker service with Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the two in order to reduce the need for long-lived certificates by a central authority for every application on the network system (see Kilbourn; Column 1, lines 49-53.). Martinez and Kilbourn as combined fail to specifically teach receiving one or more CA certificates. In an analogous art, Narayanaswamy teaches a method for securely connecting users and cloud apps where a chain of certificates are received and used to sign a certificate generated for an end-entity {see Abstract; column 15, lines 1-33 (Certificate 900A, respective to intermediate certificate authority 844 and signed by root certificate authority 864 . . .); column 17, lines 30-55 (. . . intermediate domain-specific certificate authority that holds a certificate authority (CA) certificate that operation browsers, operated by users in the organization, recognize to be authorized to sign end-entity certificates by virtue of being chained to a root certificate . . . Many implementations of the disclosed method comprise the inspection proxy receiving . . . organization certificate from the organization CA . . .) and Figure 9}. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Narayanaswamy’s method for securely connecting users and cloud apps with Kilbourn's broker service and Martinez's method of accessing enterprise applications. One of ordinary skill in the art would have been motivated to combine the references in order to reduce the risk of a customer’s data from being leaked to an unauthorized entity (see Narayanaswamy; column 3, lines 50-64). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW B SMITHERS whose telephone number is (571)272-3876. The examiner can normally be reached 8:00-4:00 (Teleworking). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at 571-270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MATTHEW SMITHERS/ Primary Examiner Art Unit 2437
Read full office action

Prosecution Timeline

Jan 19, 2024
Application Filed
Jun 25, 2025
Non-Final Rejection — §103
Sep 24, 2025
Response Filed
Dec 23, 2025
Non-Final Rejection — §103
Mar 27, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12381794
METHOD AND SYSTEM FOR PERFORMING AD HOC DIAGNOSTICS, MAINTENANCE, PROGRAMMING, AND TESTS OF INTERNET OF THINGS DEVICES
2y 5m to grant Granted Aug 05, 2025
Patent 12381816
POLICY PLANE INTEGRATION ACROSS MULTIPLE DOMAINS
2y 5m to grant Granted Aug 05, 2025
Patent 12363582
METHOD FOR MANAGING QOS, RELAY TERMINAL, PCF NETWORK ELEMENT, SMF NETWORK ELEMENT, AND REMOTE TERMINAL
2y 5m to grant Granted Jul 15, 2025
Patent 12363588
DATA TRANSMISSION METHOD AND APPARATUS, COMPUTER READABLE MEDIUM, AND ELECTRONIC DEVICE
2y 5m to grant Granted Jul 15, 2025
Patent 12363337
CODING AND DECODING OF VIDEO CODING MODES
2y 5m to grant Granted Jul 15, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

2-3
Expected OA Rounds
57%
Grant Probability
59%
With Interview (+2.5%)
2y 6m
Median Time to Grant
Moderate
PTA Risk
Based on 497 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month