====== Operator Scenarios ======
**Target Audience:** System administrators, PKI operators, DevOps \\
**Focus:** Daily operations, runbooks, checklists, automation

Practice-oriented guides for the operational management of a PQ-capable PKI.
----
===== Overview =====
<code mermaid>
flowchart TB
    subgraph DAILY["📋 DAILY OPERATIONS"]
        D1[Issue certificate]
        D2[Renew certificate]
        D3[Revoke certificate]
        D4[Health Check]
    end
    subgraph AUTO["⚙️ AUTOMATION"]
        A1[ACME/Let's Encrypt]
        A2[CI/CD Signing]
        A3[Kubernetes Cert-Manager]
        A4[Scheduled Renewal]
    end
    subgraph MON["📊 MONITORING"]
        M1[Expiration monitoring]
        M2[Revocation check]
        M3[Audit logging]
        M4[Alerting]
    end
    subgraph MIG["🔄 MIGRATION"]
        G1[Classic → Hybrid]
        G2[Parallel operation]
        G3[Rollback]
        G4[Inventory]
    end
    subgraph DR["🛡️ DISASTER RECOVERY"]
        R1[CA Backup/Restore]
        R2[Key Ceremony]
        R3[Emergency revocation]
    end
    subgraph CLOUD["☁️ CLOUD"]
        C1[Azure Key Vault]
        C2[AWS KMS]
        C3[HashiCorp Vault]
    end
    DAILY --> AUTO
    AUTO --> MON
    MON --> MIG
    MIG --> DR
    style D1 fill:#e8f5e9
    style A1 fill:#fff3e0
    style M1 fill:#e3f2fd
    style G1 fill:#fce4ec
</code>
----
===== Categories =====
==== Daily Operations ====
Runbooks for daily operational tasks.
^ Runbook ^ Description ^ Duration ^
| [[.:tagesgeschaeft:zertifikat-ausstellen|Issue certificate]] | Review CSR, sign, deliver | ~10 min |
| [[.:tagesgeschaeft:zertifikat-erneuern|Renew certificate]] | Renew expiring certificates | ~15 min |
| [[.:tagesgeschaeft:zertifikat-widerrufen|Revoke certificate]] | Revoke compromised certificates | ~5 min |
| [[.:tagesgeschaeft:health-check|Health Check]] | Daily system check | ~5 min |
----
==== Automation ====
**Priority 1** – Reduces manual work and errors
^ Scenario ^ Description ^ Complexity ^
| [[.:automatisierung:acme-integration|ACME Integration]] | Let's Encrypt / ACME protocol | Medium |
| [[.:automatisierung:cicd-code-signing|CI/CD Code Signing]] | Automatic signing in pipelines | High |
| [[.:automatisierung:cert-manager-k8s|Kubernetes Cert-Manager]] | Certificates in K8s | High |
| [[.:automatisierung:scheduled-renewal|Scheduled Renewal]] | Automatic renewal | Low |
----
==== Monitoring & Alerting ====
**Priority 2** – Critical for production operations
^ Scenario ^ Description ^ Tools ^
| [[.:monitoring:ablauf-monitoring|Expiration Monitoring]] | Monitor certificate expiration | Prometheus, Grafana |
| [[.:monitoring:revocation-check|Revocation Check]] | CRL/OCSP availability | curl, PowerShell |
| [[.:monitoring:audit-logging|Audit Logging]] | Compliance-ready logging | Syslog, ELK |
| [[.:monitoring:alerting-setup|Alerting Setup]] | Configure notifications | PagerDuty, Teams |
----
==== Migration ====
**Priority 3** – For existing PKI infrastructures
^ Scenario ^ Description ^ Risk ^
| [[.:migration:classic-to-hybrid|Classic → Hybrid]] | Migrate RSA/ECDSA to Hybrid | Medium |
| [[.:migration:parallel-betrieb|Parallel Operation]] | Classic + PQ simultaneously | Low |
| [[.:migration:rollback-strategie|Rollback Strategy]] | Plan emergency fallback | - |
| [[.:migration:inventur|Certificate Inventory]] | Take stock of existing certificates | Low |
----
==== Disaster Recovery ====
^ Scenario ^ Description ^ Critical ^
| [[.:disaster-recovery:ca-backup-restore|CA Backup/Restore]] | Backup and restore CA keys | Yes |
| [[.:disaster-recovery:key-ceremony|Key Ceremony]] | Secure key generation | Yes |
| [[.:disaster-recovery:notfall-revocation|Emergency Revocation]] | Mass revocation | Yes |
----
==== Cloud Integration ====
^ Scenario ^ Cloud ^ HSM ^
| [[.:cloud:azure-keyvault|Azure Key Vault]] | Azure | Managed HSM |
| [[.:cloud:aws-kms|AWS KMS]] | AWS | CloudHSM |
| [[.:cloud:hashicorp-vault|HashiCorp Vault]] | Multi-Cloud | Transit |
----
===== Quick Start for Operators =====
**Day 1: Basics**
  - Perform [[.:tagesgeschaeft:health-check|Health Check]]
  - Issue [[.:tagesgeschaeft:zertifikat-ausstellen|first certificate]]

**Week 1: Automation**
  - Set up [[.:automatisierung:scheduled-renewal|automatic renewal]]
  - Configure [[.:monitoring:ablauf-monitoring|expiration monitoring]]

**Month 1: Production**
  - Set up [[.:monitoring:alerting-setup|alerting]]
  - Implement [[.:disaster-recovery:ca-backup-restore|backup strategy]]
----
===== Related Documentation =====
  * [[en:int:pqcrypt:szenarien:kurzreferenz:start|Quick Reference]] – Compact code examples
  * [[en:int:pqcrypt:administrator:start|Administrator Manual]] – Installation, configuration
  * [[en:int:pqcrypt:szenarien:start|All Scenarios]] – Technical reference
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>operator sysadmin runbook daily-operations}}