====== Scenario 3.1: Issue Server Certificate ======
**Category:** [[.:start|Issue Certificates]] \\
**Complexity:** *** (Medium-High) \\
**Prerequisites:** CSR available, Intermediate CA \\
**Estimated Time:** 10-15 minutes
----
===== Description =====
This scenario describes issuing a **TLS server certificate** by an Intermediate CA. The certificate enables HTTPS encryption for web servers, APIs, and other TLS-protected services.
**What is created:**
* X.509 v3 server certificate
* Signed with ML-DSA-65 (Post-Quantum)
* Extensions for TLS server
----
===== Workflow =====
<code mermaid>
flowchart LR
    CSR[Load CSR] --> VERIFY[Verify CSR]
    VERIFY --> EXT[Set extensions]
    EXT --> SERIAL[Generate serial]
    SERIAL --> SIGN[Sign with CA]
    SIGN --> EXPORT[Export as PEM]
    style SIGN fill:#e8f5e9
</code>
----
===== Code Example (C#) =====
<code csharp>
using System;
using System.IO;
using System.Security.Cryptography;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load the Intermediate CA certificate and its password-protected private key
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Load the CSR and verify its self-signature before trusting anything in it
var csr = ctx.LoadCertificateRequest(File.ReadAllText("server.csr.pem"));
if (!csr.VerifySignature())
    throw new CryptographicException("Invalid CSR signature");

// Issue the server certificate
var serverCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365, // 1 year
    extensions: new ExtBuilder()
        // Basic Constraints: not a CA
        .BasicConstraints(ca: false, critical: true)
        // Key Usage for TLS
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment, critical: true)
        // Extended Key Usage: Server Auth
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        // Subject Key Identifier
        .SubjectKeyIdentifier(csr.PublicKey)
        // Authority Key Identifier
        .AuthorityKeyIdentifier(caCert)
        // CRL Distribution Point
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        // OCSP Responder
        .AuthorityInfoAccess(
            ocspUrl: "http://ocsp.example.com",
            caIssuersUrl: "http://ca.example.com/intermediate.crt"
        )
        .Build()
);

// Save the certificate
serverCert.ToPemFile("server.crt.pem");

// Create the certificate chain: leaf certificate first, then the issuing Intermediate CA
var chain = $"{serverCert.ToPem()}\n{caCert.ToPem()}";
File.WriteAllText("server-chain.pem", chain);

Console.WriteLine("Server certificate issued:");
Console.WriteLine($"  Subject:     {serverCert.Subject}");
Console.WriteLine($"  Issuer:      {serverCert.Issuer}");
Console.WriteLine($"  Serial:      {serverCert.SerialNumber}");
Console.WriteLine($"  Valid until: {serverCert.NotAfter:yyyy-MM-dd}");
</code>
----
===== Extensions for Server Certificates =====
^ Extension ^ Value ^ Critical ^ Description ^
| Basic Constraints | CA=false | Yes | Not a CA certificate |
| Key Usage | digitalSignature, keyEncipherment | Yes | TLS handshake |
| Extended Key Usage | serverAuth | No | Server authentication |
| Subject Key Identifier | Hash(PublicKey) | No | Key ID |
| Authority Key Identifier | CA-SKI | No | Issuer reference |
| Subject Alt Name | DNS names | No | Taken from CSR |
| CRL Distribution Points | URL | No | Revocation checking |
| Authority Info Access | OCSP, CA Issuers | No | Validation helpers |
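To confirm that an issued certificate actually carries this profile before it is deployed, here is an added check written against the standard .NET X.509 classes; it is not part of the page's code or the WvdS library. It assumes the runtime can parse the ML-DSA certificate (.NET 10 or later, or a runtime that reads the DER extensions without evaluating the key) and that ''server.crt.pem'' is in the working directory.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: verifies the server-certificate profile from the extensions table.
// Standard .NET X.509 API only; the file name "server.crt.pem" is an assumption.
public static class ServerCertProfileCheck
{
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";   // id-kp-serverAuth

    // Returns one message per profile violation; an empty list means the profile is met.
    public static List<string> Check(X509Certificate2 cert)
    {
        var problems = new List<string>();
        var exts = cert.Extensions;
        var bc = exts.OfType<X509BasicConstraintsExtension>().FirstOrDefault();
        if (bc is null || bc.CertificateAuthority || !bc.Critical)
            problems.Add("BasicConstraints must be present, critical and CA=false");
        var ku = exts.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (ku is null || !ku.Critical || !ku.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature))
            problems.Add("KeyUsage must be critical and include digitalSignature");
        var eku = exts.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku is null || !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ServerAuthOid))
            problems.Add("ExtendedKeyUsage must include serverAuth");
        // Clients match the host name against the SAN, not the CN, so it must be present.
        var san = exts.OfType<X509SubjectAlternativeNameExtension>().FirstOrDefault();
        if (san is null || !san.EnumerateDnsNames().Any())
            problems.Add("SubjectAltName with at least one DNS name is required (taken from the CSR)");
        if (!exts.OfType<X509SubjectKeyIdentifierExtension>().Any())
            problems.Add("SubjectKeyIdentifier missing");
        if (!exts.OfType<X509AuthorityKeyIdentifierExtension>().Any())
            problems.Add("AuthorityKeyIdentifier missing");
        // 398 days is the CA/Browser Forum limit for publicly trusted TLS certificates.
        double days = (cert.NotAfter - cert.NotBefore).TotalDays;
        if (days > 398)
            problems.Add($"Validity of {days:F0} days exceeds the 398-day public-web limit");
        return problems;
    }

    public static void Main()
    {
        using var cert = X509Certificate2.CreateFromPemFile("server.crt.pem");
        var problems = Check(cert);
        Console.WriteLine(problems.Count == 0 ? "Profile OK" : string.Join("\n", problems));
    }
}
```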
----
===== Industry-Specific Validity Periods =====
^ Industry ^ Validity ^ Rationale ^
| **Standard IT** | 1 year (365 days) | Within the CA/Browser Forum maximum |
| **Energy/SCADA** | 3-5 years | Long maintenance cycles |
| **Healthcare** | 1-2 years | Compliance requirements |
| **Automotive** | 2-3 years | Vehicle lifecycle |
**Recommendation:** For public websites, a maximum of 398 days (CA/Browser Forum limit). For internal services, longer validity periods may be appropriate.
----
===== Output Files =====
==== server.crt.pem ====
<code>
-----BEGIN CERTIFICATE-----
MIIHxjCCBiagAwIBAgIUP7J2kM9x...
-----END CERTIFICATE-----
</code>
==== server-chain.pem ====
<code>
-----BEGIN CERTIFICATE-----
(Server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA)
-----END CERTIFICATE-----
</code>
----
===== Nginx Configuration =====
<code nginx>
server {
    listen 443 ssl;
    server_name www.example.com;
    # Chain file: server certificate first, then the Intermediate CA
    ssl_certificate     /etc/nginx/ssl/server-chain.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key.pem;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;
}
</code>
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Prerequisite** | [[en:int:pqcrypt:szenarien:csr:csr_server|2.1 Server CSR]] | Create CSR |
| **Prerequisite** | [[en:int:pqcrypt:szenarien:pki:intermediate_ca_erstellen|1.2 Intermediate CA]] | Signing CA |
| **Next Step** | [[en:int:pqcrypt:szenarien:tls:server_setup|10.1 TLS Server Setup]] | Deploy certificate |
| **Related** | [[.:client_cert|3.2 Client Certificate]] | For mTLS |
----
<< [[.:start|<- Certificates Overview]] | [[en:int:pqcrypt:szenarien:start|^ Scenarios]] | [[.:client_cert|3.2 Client Certificate ->]] >>
{{tag>scenario certificate server tls https x509}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//