====== Runbook: Issue Certificate ======
**Duration:** ~10 minutes \\
**Role:** PKI Operator \\
**Prerequisite:** Approved CSR
----
===== Workflow =====
```mermaid
flowchart TD
    A[CSR received] --> B{Validate CSR}
    B -->|Invalid| C[Reject + Ticket]
    B -->|Valid| D{Approval?}
    D -->|No| E[Request approval]
    D -->|Yes| F[Sign certificate]
    F --> G{Hybrid mode?}
    G -->|Yes| H[Add PQ extension]
    G -->|No| I[Sign classic]
    H --> J[Deliver]
    I --> J
    J --> K[Audit Log]
    style B fill:#fff3e0
    style F fill:#e8f5e9
    style H fill:#e3f2fd
```
----
===== Step 1: Receive and Validate CSR =====
**Checklist before signing:**
| # | Checkpoint | Command | Expected |
|---|------------|---------|----------|
| 1 | CSR format valid | ''openssl req -in request.csr -verify -noout'' | ''verify OK'' |
| 2 | Key length | ''openssl req -in request.csr -text \| grep "Public-Key"'' | >=2048 bit (RSA), >=256 bit (EC) |
| 3 | Subject correct | ''openssl req -in request.csr -subject -noout'' | According to request |
| 4 | SANs complete | ''openssl req -in request.csr -text \| grep -A1 "Subject Alternative"'' | All hostnames |
```bash
# Complete CSR verification: parsed fields plus self-signature check in one call
openssl req -in request.csr -text -noout -verify
```
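The four checkpoints above, combined into one shell function that reports each check and refuses a CSR failing any of them. This is an added example and not part of the original runbook; it assumes the `openssl` CLI (1.1.1 or newer, for `-addext`) is on PATH, and the CSRs produced by `make_sample_csr` are constructed test data with throwaway keys. It goes slightly beyond the table by picking the key-length threshold from the key algorithm (RSA vs. EC) and failing closed on any other algorithm.

```shell
#!/bin/sh
# check_csr.sh: the Step 1 checklist as one pass/fail function.
# Added example, not part of the original runbook; assumes the openssl CLI
# (1.1.1 or 3.x) is on PATH. Thresholds follow the checklist: RSA >= 2048 bit, EC >= 256 bit.

# check_csr CSR_FILE EXPECTED_CN EXPECTED_SAN...
# Prints one line per checkpoint; returns 0 only when all four pass.
check_csr() {
  csr="$1"; expected_cn="$2"; shift 2
  status=0

  # 1: format and self-signature (OpenSSL 1.1 and 3.x both print "... verify OK")
  if openssl req -in "$csr" -verify -noout 2>&1 | grep -q "verify OK"; then
    echo "1 format/signature: OK"
  else
    echo "1 format/signature: FAIL"; status=1
  fi

  text=$(openssl req -in "$csr" -text -noout 2>/dev/null)

  # 2: key length, threshold chosen by key algorithm
  algo=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  case "$algo" in
    rsaEncryption)  min=2048 ;;
    id-ecPublicKey) min=256 ;;
    *)              min=999999 ;;   # unknown algorithm: fail closed
  esac
  if [ -n "$bits" ] && [ "$bits" -ge "$min" ]; then
    echo "2 key length: OK ($algo, $bits bit)"
  else
    echo "2 key length: FAIL ($algo, ${bits:-?} bit, need >= $min)"; status=1
  fi

  # 3: subject CN matches the request (matches "CN=..." and "CN = ..." output styles)
  if openssl req -in "$csr" -subject -noout 2>/dev/null | grep -q "CN *= *$expected_cn"; then
    echo "3 subject: OK"
  else
    echo "3 subject: FAIL"; status=1
  fi

  # 4: every requested hostname is present as a DNS SAN
  sans=$(printf '%s\n' "$text" | grep -A1 "Subject Alternative Name" || true)
  for host in "$@"; do
    if printf '%s\n' "$sans" | grep -F -q "DNS:$host"; then
      echo "4 SAN $host: OK"
    else
      echo "4 SAN $host: FAIL"; status=1
    fi
  done
  return $status
}

# make_sample_csr OUT_FILE KEYSPEC CN SAN_LIST: constructed test input with a throwaway key
make_sample_csr() {
  openssl req -new -newkey "$2" -nodes -keyout "${1%.csr}.key" -out "$1" \
    -subj "/CN=$3" -addext "subjectAltName=$4" 2>/dev/null
}

# Demo run: a compliant CSR passes, one missing a requested SAN is rejected
demo_dir=$(mktemp -d)
make_sample_csr "$demo_dir/good.csr" rsa:2048 server.example.com "DNS:server.example.com,DNS:www.example.com"
check_csr "$demo_dir/good.csr" server.example.com server.example.com www.example.com \
  && echo "good.csr: approved for signing"
make_sample_csr "$demo_dir/short.csr" rsa:2048 server.example.com "DNS:server.example.com"
check_csr "$demo_dir/short.csr" server.example.com server.example.com www.example.com \
  || echo "short.csr: reject + ticket"
rm -rf "$demo_dir"
```

The function only reads the CSR; it never touches the CA key, so it can run on the operator workstation before the signing step. Note that checkpoint 3 matches the CN only; if your request form fixes the full DN, extend the `grep` pattern accordingly.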
----
===== Step 2: Verify Approval =====
| Certificate Type | Approval by | Documentation |
|------------------|-------------|---------------|
| Server (internal) | Automatic / Ticket | Ticket No. |
| Server (external) | IT Security | E-mail + Ticket |
| Client | Department head | Form |
| Code Signing | CISO | Written |
----
===== Step 3: Sign Certificate =====
==== Classic Mode ====
```bash
# Sign server certificate (1 year) using the CA config and the server_cert extension profile
openssl ca -config openssl.cnf \
    -extensions server_cert \
    -in request.csr \
    -out certificate.pem \
    -days 365 \
    -notext

# Note serial number (goes into the ticket/log in Step 5)
openssl x509 -in certificate.pem -serial -noout
```
==== Hybrid Mode (PQ) ====
```csharp
// C# with WvdS.System.Security.Cryptography (adds the CryptoMode overload of Create)
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.System.Security.Cryptography;

// Issuing CA with private key; the PFX password belongs in a secret store, not in source
using var intermediate = new X509Certificate2("intermediate.pfx", "password");
// request.csr is the PEM file checked in Step 1, so load it as PEM; the CSR signature is
// verified on load, and the extensions (SANs) reviewed in Step 1 are carried over
var csr = CertificateRequest.LoadSigningRequestPem(
    File.ReadAllText("request.csr"),
    HashAlgorithmName.SHA256,
    CertificateRequestLoadOptions.UnsafeLoadCertificateExtensions);
var cert = csr.Create(
    intermediate,
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddDays(365),
    Guid.NewGuid().ToByteArray(), // 16 random bytes as serial; record it in Step 5
    CryptoMode.Hybrid); // PQ extension
File.WriteAllText("certificate.pem", cert.ExportCertificatePem());
```
----
===== Step 4: Deliver =====
| Format | Usage | Command |
|--------|-------|---------|
| PEM | Linux, Apache | ''cp certificate.pem /output/'' |
| PFX | Windows, IIS | ''openssl pkcs12 -export -in certificate.pem -inkey private.key -out certificate.pfx'' |
| DER | Java | ''openssl x509 -in certificate.pem -outform DER -out certificate.der'' |
```bash
# Deliver with chain: end-entity certificate first, then the issuing CA
cat certificate.pem intermediate.pem > fullchain.pem
```
----
===== Step 5: Documentation =====
**Required fields in ticket/log:**
| Field | Example |
|-------|---------|
| Serial number | ''01:23:45:67:89:AB:CD:EF'' |
| Subject | ''CN=server.example.com'' |
| Valid until | ''2025-12-15'' |
| Issued by | ''Operator-Name'' |
| Ticket No. | ''INC-2024-12345'' |
| Mode | ''Hybrid / Classic'' |
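Steps 4 and 5 as checkable shell functions: building the chain bundle in the right order, verifying it before hand-over, and extracting the ticket/log fields from the issued certificate. This is an added example and not part of the original runbook; it assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH. `make_demo_issuance` is constructed test data: it creates a throwaway self-signed CA and signs a constructed CSR with `openssl x509 -req`, which is not the runbook's `openssl ca` path; in production `certificate.pem` is the output of Step 3 and `intermediate.pem` the issuing CA certificate.

```shell
#!/bin/sh
# deliver_and_log.sh: Steps 4 and 5 as checkable functions.
# Added example, not part of the original runbook; assumes the openssl CLI (1.1.1 or 3.x).

# build_fullchain LEAF ISSUER OUT: end-entity certificate first, then the issuing CA
build_fullchain() {
  cat "$1" "$2" > "$3"
}

# check_fullchain BUNDLE TRUST_ANCHOR: returns 0 if the first certificate in the bundle
# is an end-entity certificate that chains to the anchor via the rest of the bundle
check_fullchain() {
  bundle="$1"; anchor="$2"
  # openssl x509 reads only the first certificate in a file, i.e. what a server presents as its own
  if openssl x509 -in "$bundle" -noout -text 2>/dev/null | grep -q "CA:TRUE"; then
    echo "first certificate in $bundle is a CA certificate: wrong order"; return 1
  fi
  if [ "$(openssl x509 -in "$bundle" -noout -fingerprint -sha256 2>/dev/null)" = \
       "$(openssl x509 -in "$anchor" -noout -fingerprint -sha256 2>/dev/null)" ]; then
    echo "first certificate in $bundle is the trust anchor itself: wrong order"; return 1
  fi
  leaf=$(mktemp)
  openssl x509 -in "$bundle" -out "$leaf" 2>/dev/null
  if openssl verify -CAfile "$anchor" -untrusted "$bundle" "$leaf" >/dev/null 2>&1; then
    rm -f "$leaf"; echo "$bundle: chain OK"; return 0
  fi
  rm -f "$leaf"; echo "$bundle: chain does not validate against $anchor"; return 1
}

# audit_fields CERT OPERATOR TICKET MODE: prints the Step 5 ticket/log fields as key=value lines
# (serial, subject, notAfter and SHA-256 fingerprint come straight from the certificate)
audit_fields() {
  openssl x509 -in "$1" -noout -serial -subject -enddate -fingerprint -sha256
  echo "issued_by=$2"
  echo "ticket=$3"
  echo "mode=$4"
}

# make_demo_issuance: constructed test data (throwaway CA, CSR and key); prints the work directory
make_demo_issuance() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Issuing CA" \
    -keyout "$d/ca.key" -out "$d/intermediate.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.com" \
    -keyout "$d/private.key" -out "$d/request.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/request.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/certificate.pem" 2>/dev/null
  echo "$d"
}

# Demo run: package the demo certificate, verify the bundle, print the log fields
dir=$(make_demo_issuance)
build_fullchain "$dir/certificate.pem" "$dir/intermediate.pem" "$dir/fullchain.pem"
check_fullchain "$dir/fullchain.pem" "$dir/intermediate.pem"
audit_fields "$dir/certificate.pem" Operator-Name INC-2024-12345 Classic
rm -rf "$dir"
```

`check_fullchain` catches the two common bundle mistakes, the issuer placed before the leaf and a bundle that does not actually chain to the CA the relying parties trust, before the file leaves the operator's hands. The `audit_fields` output can be pasted into the ticket as-is; the serial line is the same value `openssl x509 -serial` prints in Step 3.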
----
===== Troubleshooting =====
| Problem | Cause | Solution |
|---------|-------|----------|
| ''unable to load CSR'' | Wrong format | ''openssl req -inform DER -in request.der -out request.pem'' |
| ''signature verify failed'' | CSR manipulated | Request new CSR |
| ''wrong issuer'' | Wrong CA | Check CA certificate |
| ''certificate request failed'' | Configuration error | Check ''openssl.cnf'' |
----
===== Related Runbooks =====
* [[.:zertifikat-erneuern|Renew Certificate]] - For expiring certificates
* [[.:zertifikat-widerrufen|Revoke Certificate]] - On compromise
* [[en:int:pqcrypt:szenarien:kurzreferenz:csr|CSR Quick Reference]] - Code examples
----
<< [[.:start|<- Daily Operations]] | [[.:zertifikat-erneuern|-> Renew Certificate]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>runbook certificate issue operator}}