====== Building PKI Infrastructure ======

Compact guide for building a PQ-capable PKI. -> **Details:** [[en:int:pqcrypt:szenarien:pki:start|PKI Scenarios]]

----

===== Hierarchy =====

<code>
Root CA (Offline, ML-DSA-87)
    +-- Intermediate CA (Online, ML-DSA-65)
            +-- Server Certificates (Hybrid: ECDSA + ML-DSA)
            +-- Client Certificates (ML-DSA-65)
            +-- User Certificates (ML-DSA-65)
</code>

----

===== 1. Root CA =====

<code csharp>
using var mlDsa = MlDsaSigner.Create(MlDsaParameterSet.MlDsa87);

var rootDn = new X500DistinguishedNameBuilder();
rootDn.AddCommonName("WvdS Root CA");
rootDn.AddOrganizationName("EMSR DATA d.o.o.");

var request = new CertificateRequest(rootDn.Build(), mlDsa, HashAlgorithmName.SHA512);

request.CertificateExtensions.Add(
    new X509BasicConstraintsExtension(true, true, 2, true));
request.CertificateExtensions.Add(
    new X509KeyUsageExtension(
        X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));

var rootCert = request.CreateSelfSigned(
    DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(20));

File.WriteAllBytes("root-ca.pfx", rootCert.Export(X509ContentType.Pfx, "password"));
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:pki:root_ca_erstellen|Create Root CA]]

----

===== 2. Intermediate CA =====

<code csharp>
var rootCert = new X509Certificate2("root-ca.pfx", "password");
using var mlDsa = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);

var dn = new X500DistinguishedNameBuilder();
dn.AddCommonName("WvdS Intermediate CA");

var csr = new CertificateRequest(dn.Build(), mlDsa, HashAlgorithmName.SHA384);
csr.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
csr.CertificateExtensions.Add(
    new X509KeyUsageExtension(
        X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));

var serial = new byte[20];
RandomNumberGenerator.Fill(serial);
serial[0] &= 0x7F;

var intCert = csr.Create(rootCert, DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddYears(10), serial);
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:pki:intermediate_ca_erstellen|Create Intermediate CA]]

----

===== 3. Trust Store =====

<code csharp>
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(new X509Certificate2("root-ca.crt"));
store.Close();
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:pki:trust_store_konfigurieren|Configure Trust Store]]

----

===== Recommendations =====

^  Component  ^  Algorithm  ^  Validity  ^
| Root CA | ML-DSA-87 | 20-30 years |
| Intermediate CA | ML-DSA-65 | 5-10 years |
| End-Entity | Hybrid or ML-DSA-65 | 1-2 years |

----

<< [[.:start|<- Quick Reference]] | [[en:int:pqcrypt:szenarien:pki:start|-> PKI Scenarios (Details)]] >>

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>quickreference pki root-ca intermediate-ca}}