====== 3.3 Operations ======

Operational tasks for the PQ cryptography infrastructure.

----

===== Health Checks =====

Perform these checks regularly:

==== Quick Check (daily) ====

<code bash>
# OpenSSL available?
openssl version
# Expected: OpenSSL 3.6.0 or higher

# PQ algorithms active?
openssl list -signature-algorithms | grep -i "ml-dsa" | head -1
# Expected: ML-DSA-44, ML-DSA-65, or ML-DSA-87
</code>

==== Full Health Check ====

**Linux/macOS:**
<code bash>
#!/bin/bash
echo "=== WvdS PQ Crypto Health Check ==="

# 1. OpenSSL
echo -n "OpenSSL: "
openssl version | grep -q "3\.[6-9]\|[4-9]\." && echo "OK" || echo "FAIL (Version too old)"

# 2. ML-DSA Support
echo -n "ML-DSA: "
openssl list -signature-algorithms 2>/dev/null | grep -qi "ml-dsa" && echo "OK" || echo "FAIL"

# 3. ML-KEM Support
echo -n "ML-KEM: "
openssl list -kem-algorithms 2>/dev/null | grep -qi "ml-kem" && echo "OK" || echo "FAIL"

# 4. Provider
echo -n "Provider: "
openssl list -providers | grep -q "default" && echo "OK" || echo "FAIL"

# 5. FIPS (optional)
echo -n "FIPS: "
openssl list -providers | grep -qi "fips" && echo "OK" || echo "Not configured"

# 6. .NET Runtime
echo -n ".NET 8: "
dotnet --list-runtimes 2>/dev/null | grep -q "NETCore.App 8" && echo "OK" || echo "FAIL"

echo "=== Health Check Complete ==="
</code>

**Windows (PowerShell):**
<code powershell>
Write-Host "=== WvdS PQ Crypto Health Check ===" -ForegroundColor Cyan

# 1. OpenSSL
$opensslVersion = & openssl version 2>$null
if ($opensslVersion -match "3\.[6-9]") {
    Write-Host "OpenSSL: OK ($opensslVersion)" -ForegroundColor Green
} else {
    Write-Host "OpenSSL: FAIL" -ForegroundColor Red
}

# 2. ML-DSA
$mldsa = & openssl list -signature-algorithms 2>$null | Select-String "ML-DSA"
if ($mldsa) {
    Write-Host "ML-DSA: OK" -ForegroundColor Green
} else {
    Write-Host "ML-DSA: FAIL" -ForegroundColor Red
}

# 3. ML-KEM
$mlkem = & openssl list -kem-algorithms 2>$null | Select-String "ML-KEM"
if ($mlkem) {
    Write-Host "ML-KEM: OK" -ForegroundColor Green
} else {
    Write-Host "ML-KEM: FAIL" -ForegroundColor Red
}

# 4. .NET
$dotnet = & dotnet --list-runtimes 2>$null | Select-String "NETCore.App 8"
if ($dotnet) {
    Write-Host ".NET 8: OK" -ForegroundColor Green
} else {
    Write-Host ".NET 8: FAIL" -ForegroundColor Red
}

Write-Host "=== Health Check Complete ===" -ForegroundColor Cyan
</code>

----

===== Certificates via OpenSSL CLI =====

==== Create Root CA ====

**Classic (RSA 4096):**
<code bash>
# 1. Generate private key
openssl genpkey -algorithm RSA -out root-ca.key -pkeyopt rsa_keygen_bits:4096

# 2. Create self-signed Root CA
openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 \
    -subj "/C=DE/O=Organization/CN=Root CA"

# 3. Display certificate
openssl x509 -in root-ca.crt -text -noout
</code>

**Post-Quantum (ML-DSA-65):**
<code bash>
# 1. Generate ML-DSA private key
openssl genpkey -algorithm ML-DSA-65 -out root-ca-pq.key

# 2. Create self-signed PQ Root CA
openssl req -new -x509 -key root-ca-pq.key -out root-ca-pq.crt -days 3650 \
    -subj "/C=DE/O=Organization/CN=PQ Root CA"

# 3. Display certificate
openssl x509 -in root-ca-pq.crt -text -noout
</code>

==== Create Intermediate CA ====

<code bash>
# 1. Private key for Intermediate
openssl genpkey -algorithm RSA -out intermediate.key -pkeyopt rsa_keygen_bits:4096

# 2. Create CSR
openssl req -new -key intermediate.key -out intermediate.csr \
    -subj "/C=DE/O=Organization/CN=Intermediate CA"

# 3. Sign with Root CA (with CA extensions)
openssl x509 -req -in intermediate.csr -CA root-ca.crt -CAkey root-ca.key \
    -CAcreateserial -out intermediate.crt -days 1825 \
    -extfile <(echo "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign")

# 4. Verify chain
openssl verify -CAfile root-ca.crt intermediate.crt
</code>

==== Create End-Entity Certificate ====

<code bash>
# 1. Private key
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048

# 2. CSR with SAN (Subject Alternative Name)
openssl req -new -key server.key -out server.csr \
    -subj "/C=DE/O=Organization/CN=server.example.com" \
    -addext "subjectAltName=DNS:server.example.com,DNS:www.example.com"

# 3. Sign with Intermediate
openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -out server.crt -days 365 \
    -extfile <(echo "basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:server.example.com,DNS:www.example.com")

# 4. Verify full chain
openssl verify -CAfile root-ca.crt -untrusted intermediate.crt server.crt
</code>

==== Inspect Certificate ====

<code bash>
# Display certificate details
openssl x509 -in cert.crt -text -noout

# Only Subject and Issuer
openssl x509 -in cert.crt -subject -issuer -noout

# Validity period
openssl x509 -in cert.crt -dates -noout

# Fingerprint
openssl x509 -in cert.crt -fingerprint -sha256 -noout

# Extract public key
openssl x509 -in cert.crt -pubkey -noout

# Signature algorithm
openssl x509 -in cert.crt -text -noout | grep "Signature Algorithm"
</code>

==== Convert Certificate Formats ====

<code bash>
# PEM to DER
openssl x509 -in cert.pem -outform DER -out cert.der

# DER to PEM
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem

# PEM to PKCS#12 (PFX)
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca-chain.crt

# PKCS#12 to PEM (certificate + key)
openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes
</code>

----

===== Trust Store Management =====

==== Windows Certificate Store ====

**Import CA certificate (PowerShell as Administrator):**
<code powershell>
# Root CA to Trusted Root Certification Authorities
Import-Certificate -FilePath "root-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root

# Intermediate CA to Intermediate Certification Authorities
Import-Certificate -FilePath "intermediate.crt" -CertStoreLocation Cert:\LocalMachine\CA

# Verify
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Root CA*"}
</code>

**List certificates:**
<code powershell>
# All Root CAs
Get-ChildItem Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter

# Expiring certificates (< 30 days)
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.NotAfter -lt (Get-Date).AddDays(30)} | Format-Table Subject, NotAfter
</code>

**Remove certificate:**
<code powershell>
# By thumbprint
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "ABC123..."} | Remove-Item
</code>

==== Linux Trust Store ====

**Debian/Ubuntu:**
<code bash>
# Add CA certificate
sudo cp root-ca.crt /usr/local/share/ca-certificates/wvds-root-ca.crt
sudo update-ca-certificates

# Verify
ls /etc/ssl/certs/ | grep wvds

# Remove certificate
sudo rm /usr/local/share/ca-certificates/wvds-root-ca.crt
sudo update-ca-certificates --fresh
</code>

**RHEL/CentOS:**
<code bash>
# Add CA certificate
sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/wvds-root-ca.crt
sudo update-ca-trust

# Verify
trust list | grep -A2 "WvdS"
</code>

==== macOS Keychain ====

<code bash>
# Add CA to System Keychain
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root-ca.crt

# Verify
security find-certificate -a -c "Root CA" /Library/Keychains/System.keychain
</code>

----

===== Backup & Recovery =====

**Components to back up:**

^  Component  ^  Path  ^  Frequency  ^  Priority  ^
| Root CA Private Key | Offline storage | After creation | **Critical** |
| Intermediate CA Key | Server | Daily | High |
| PQ Key Store | ''%LOCALAPPDATA%\WvdS.Crypto\PqKeys\'' | Daily | High |
| Certificates (PFX) | Application directory | After creation | Medium |

**Backup script (Linux):**
<code bash>
#!/bin/bash
BACKUP_DIR="/backup/pq-crypto/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"

# PQ key store
cp -r ~/.local/share/wvds-crypto/pqkeys/ "$BACKUP_DIR/"

# Certificates
cp /etc/ssl/certs/wvds-*.crt "$BACKUP_DIR/"

# Secure permissions
chmod 700 "$BACKUP_DIR"
chmod 600 "$BACKUP_DIR"/*

echo "Backup created: $BACKUP_DIR"
</code>

<WRAP warning>
**Important:** The PQ key store is **not** included in Windows Certificate Store backups!
</WRAP>

----

===== Monitoring =====

**Monitor certificate expiration:**
<code bash>
# All certificates expiring in < 30 days
for cert in /etc/ssl/certs/*.crt; do
    expiry=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2)
    if [ -n "$expiry" ]; then
        expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null)
        now_epoch=$(date +%s)
        days_left=$(( (expiry_epoch - now_epoch) / 86400 ))
        if [ "$days_left" -lt 30 ]; then
            echo "WARNING: $cert expires in $days_left days"
        fi
    fi
done
</code>

**Renewal deadlines:**
^  Certificate Type  ^  Renew before expiration  ^
| Root CA | 30 days |
| Intermediate CA | 14 days |
| End-Entity | 7 days |

----

===== Further Reading =====

  * [[.:troubleshooting|Troubleshooting]] – Resolve operational issues
  * [[en:int:pqcrypt:konzepte:sicherheit|Security]] – Best practices
  * [[.:konfiguration|Configuration]] – Enable FIPS mode

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>operations certificates backup trust-store health-check openssl}}