~~NOTOC~~
====== 1. Building PKI Infrastructure ======

<WRAP round info>
**Scenarios:** 6 \\
**FFI Functions:** ~45 \\
**Status:** ⏳ Planned
</WRAP>

This category encompasses all scenarios for building and managing a Post-Quantum-capable Public Key Infrastructure (PKI). From creating a Root CA through multi-tier CA hierarchies to configuring revocation services (CRL/OCSP).

----

===== Scenarios =====

^  ID  ^  Scenario  ^  Description  ^  Complexity  ^  Status  ^
| [[.:root_ca_erstellen|1.1]] | Create Root CA | Self-signed Root CA with ML-DSA-65 | ⭐⭐⭐⭐ | ⏳ |
| [[.:intermediate_ca_erstellen|1.2]] | Create Intermediate CA | Subordinate CA signed by Root | ⭐⭐⭐ | ⏳ |
| [[.:ca_hierarchie_aufbauen|1.3]] | Build CA Hierarchy | Multi-tier PKI structure | ⭐⭐⭐⭐ | ⏳ |
| [[.:trust_store_konfigurieren|1.4]] | Configure Trust Store | Manage trusted CAs | ⭐⭐ | ⏳ |
| [[.:certificate_policy_definieren|1.5]] | Define Certificate Policy | Establish issuance policies | ⭐⭐⭐ | ⏳ |
| [[.:crl_ocsp_infrastruktur|1.6]] | CRL/OCSP Infrastructure | Set up revocation services | ⭐⭐⭐⭐ | ⏳ |

----

===== Architecture Overview =====

<mermaid>
flowchart TB
    subgraph ROOT["🔐 Root CA (Scenario 1.1)"]
        R[("Root CA<br/>ML-DSA-65/87<br/>20 Years")]
    end

    subgraph INTERMEDIATE["📜 Intermediate CAs (Scenario 1.2)"]
        I1["Intermediate CA<br/>Server<br/>10 Years"]
        I2["Intermediate CA<br/>Client<br/>10 Years"]
        I3["Intermediate CA<br/>CodeSign<br/>10 Years"]
    end

    subgraph ENDENTITY["🎫 End-Entity Certificates"]
        E1["Server Certs<br/>TLS/HTTPS"]
        E2["Client Certs<br/>mTLS/Auth"]
        E3["CodeSign Certs<br/>Signing"]
    end

    R -->|signs| I1
    R -->|signs| I2
    R -->|signs| I3

    I1 -->|issues| E1
    I2 -->|issues| E2
    I3 -->|issues| E3

    subgraph TRUST["🛡️ Trust Store (Scenario 1.4)"]
        T1["Root CA Certificates"]
        T2["Cross-Certificates"]
    end

    subgraph REVOCATION["🚫 Revocation (Scenario 1.6)"]
        CRL["CRL Distribution Points"]
        OCSP["OCSP Responder"]
    end

    R -.->|publishes| TRUST
    I1 & I2 & I3 -.->|publishes| CRL
    I1 & I2 & I3 -.->|responds| OCSP
</mermaid>

----

===== Industry-Specific Requirements =====

<WRAP round tip>
Different requirements for PKI lifetimes and compliance apply depending on the industry:
</WRAP>

^  Industry  ^  Root CA Validity  ^  Specifics  ^  Regulation  ^
| **Energy/SCADA** | 25 Years | Wind turbine lifetime, offline CRL | NIS2((NIS2 Directive (EU) 2022/2555: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555)), KRITIS-VO |
| **Healthcare** | 20 Years | gematik OIDs, ePA compatible | GDPR Art. 32, DiGAV |
| **Automotive** | 30 Years | V2X PKI, pseudonym certificates | UN R155((UNECE R155: https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security)), ISO 21434 |
| **Industry 4.0** | 20 Years | OT/IT separation, IEC 62443 | NIS2, Machine Regulation |
| **Standard IT** | 15 Years | Standard enterprise PKI | BSI IT-Grundschutz |

----

===== Key Types for CAs =====

^  CA Type  ^  Recommended Algorithm  ^  Validity  ^  Rationale  ^
| Root CA | ML-DSA-65 or ML-DSA-87 | 15-25 Years | Highest security, rarely used |
| Intermediate CA | ML-DSA-65 | 8-12 Years | Balance security/performance |
| OCSP Responder | ML-DSA-44 | 1-3 Years | Frequent signing, performance critical |

<WRAP round tip>
**Hybrid Recommendation:** For the transition phase, hybrid keys (ECDSA P-384 + ML-DSA-65) can be used to ensure compatibility with classical systems.
</WRAP>

----

===== Important Extensions for CA Certificates =====

==== Root CA ====

^  Extension  ^  Value  ^  Critical  ^
| Basic Constraints | CA=true, pathLen=1 or 2 | ✅ Yes |
| Key Usage | keyCertSign, cRLSign | ✅ Yes |
| Subject Key Identifier | SHA-256(publicKey) | ❌ No |

==== Intermediate CA ====

^  Extension  ^  Value  ^  Critical  ^
| Basic Constraints | CA=true, pathLen=0 | ✅ Yes |
| Key Usage | keyCertSign, cRLSign | ✅ Yes |
| Subject Key Identifier | SHA-256(publicKey) | ❌ No |
| Authority Key Identifier | SKI of Root CA | ❌ No |
| CRL Distribution Points | URL to CRL | ❌ No |
| Authority Info Access | OCSP URL, CA Issuers URL | ❌ No |
| Certificate Policies | Policy OID | ❌ No |

----

===== Security Notes =====

<WRAP round important>
**Critical Requirements for CA Operation:**

  * **Root CA Private Key:** Store offline (air-gapped HSM or encrypted USB stick in safe)
  * **Intermediate CA Private Key:** HSM or strongly encrypted with hardware token
  * **Passwords:** Minimum 20 characters, high entropy, securely stored
  * **Audit Logging:** Log all CA operations
  * **Backup:** Encrypted backups at separate locations
  * **Key Ceremony:** Documented process for Root CA operations
</WRAP>

<WRAP round alert>
**Never:**
  * Store Root CA private key on networked systems
  * CA passwords in plain text in scripts/configs
  * Issue CA certificates without pathLength restriction
  * Use self-signed end-entity certificates in production
</WRAP>

----

===== Typical Workflow =====

<mermaid>
flowchart TB
    subgraph P1["1️⃣ PREPARATION"]
        V1["Prepare air-gapped system"]
        V2["Document certificate policy"]
        V3["Define DN structure"]
        V4["Plan validity periods"]
    end

    subgraph P2["2️⃣ CREATE ROOT CA"]
        R1["ML-DSA-65/87 key pair"]
        R2["Self-signed certificate"]
        R3["Encrypt private key"]
        R4["Export root certificate"]
    end

    subgraph P3["3️⃣ INTERMEDIATE CA"]
        I1["ML-DSA-65 key pair"]
        I2["Create CSR"]
        I3["Root signs certificate"]
        I4["Deploy online"]
    end

    subgraph P4["4️⃣ TRUST & REVOCATION"]
        T1["Configure trust stores"]
        T2["CRL distribution points"]
        T3["OCSP responder"]
        T4["Publish first CRL"]
    end

    subgraph P5["5️⃣ OPERATION"]
        B1["Issue certificates"]
        B2["Update CRLs"]
        B3["OCSP responses"]
        B4["Monitor audit logs"]
    end

    P1 ==> P2 ==> P3 ==> P4 ==> P5

    style P1 fill:#e3f2fd
    style P2 fill:#e8f5e9
    style P3 fill:#fff8e1
    style P4 fill:#fce4ec
    style P5 fill:#f3e5f5
</mermaid>

----

===== Quick Start Code =====

==== Minimal Example: Create Root CA (C#) ====

<code csharp>
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Root CA with ML-DSA-65
using var rootKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
var rootDn = new DnBuilder().AddCN("My Root CA").AddO("My Org").AddC("DE").Build();

using var rootCert = ctx.CreateRootCertificate(rootKey, rootDn,
    validYears: 20,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: true, pathLen: 1)
        .KeyUsage(KeyUsageFlags.KeyCertSign | KeyUsageFlags.CrlSign)
        .SubjectKeyIdentifier(rootKey)
        .Build()
);

// Save
File.WriteAllText("root-ca.crt.pem", rootCert.ToPem());
File.WriteAllText("root-ca.key.pem", rootKey.ToEncryptedPem("SecurePassword123!"));
</code>

→ //Complete example:// [[.:root_ca_erstellen|Scenario 1.1]]

----

===== Related Categories =====

^  Category  ^  Relationship  ^
| [[en:int:pqcrypt:szenarien:csr:start|2. CSR]] | CSR creation for Intermediate CAs |
| [[en:int:pqcrypt:szenarien:zertifikate:start|3. Issue Certificates]] | Sign end-entity certificates from CA |
| [[en:int:pqcrypt:szenarien:validierung:start|5. Validation]] | Validate certificates against trust store |
| [[en:int:pqcrypt:szenarien:widerruf:start|6. Revocation]] | CRL/OCSP operations |
| [[en:int:pqcrypt:szenarien:schluessel:start|11. Key Management]] | Manage, rotate, destroy CA keys |

----

<< [[en:int:pqcrypt:szenarien:start|← Scenarios Overview]] | [[.:root_ca_erstellen|1.1 Create Root CA →]] >>

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>category pki root-ca intermediate-ca trust-store crl ocsp}}