~~NOTOC~~
====== 3. Issue Certificates ======
**Scenarios:** 5 \\
**FFI Functions:** ~35 \\
**Status:** Planned
This category covers all scenarios for issuing end-entity certificates: server, client, code-signing, and S/MIME certificates signed by the intermediate CA with post-quantum algorithms. In every scenario the CSR (category 2) supplies only the subject, the subject alternative names and the public key; the issuance profile, not the requester, determines key usage, extended key usage, validity and the remaining extensions.
----
===== Scenarios =====
^ ID ^ Scenario ^ Description ^ Complexity ^ Status ^
| [[.:server_cert|3.1]] | Server Certificate | Issue TLS/HTTPS server certificate | *** | Planned |
| [[.:client_cert|3.2]] | Client Certificate | mTLS client authentication | *** | Planned |
| [[.:codesign_cert|3.3]] | Code-Signing Certificate | Software signing | *** | Planned |
| [[.:smime_cert|3.4]] | S/MIME Certificate | Email encryption and signing | *** | Planned |
| [[.:wildcard_cert|3.5]] | Wildcard Certificate | *.domain.com certificates | **** | Planned |
----
===== Certificate Types =====
<code mermaid>
flowchart TB
    CA[Intermediate CA] --> |issues| SRV[Server Certificate]
    CA --> |issues| CLI[Client Certificate]
    CA --> |issues| CS[Code-Signing]
    CA --> |issues| SM[S/MIME]
    SRV --> |used for| TLS[TLS/HTTPS]
    CLI --> |used for| MTLS[mTLS Auth]
    CS --> |used for| SIGN[Software Signature]
    SM --> |used for| MAIL[Email Security]
    style CA fill:#e8f5e9
    style SRV fill:#e3f2fd
    style CLI fill:#fff3e0
    style CS fill:#fce4ec
    style SM fill:#f3e5f5
</code>
----
===== Key Usage per Certificate Type =====
^ Type ^ Key Usage ^ Extended Key Usage ^ Validity ^
| Server | digitalSignature (+ keyEncipherment, RSA keys only) | serverAuth | 1-2 years |
| Client | digitalSignature | clientAuth | 1-2 years |
| Code-Signing | digitalSignature | codeSigning | 2-3 years |
| S/MIME | digitalSignature (+ keyEncipherment, RSA keys only) | emailProtection | 1-2 years |

keyEncipherment describes RSA key transport. A signature-only post-quantum key (ML-DSA) gets digitalSignature alone; the LAMPS certificate profile for ML-DSA forbids keyEncipherment on such a key. Post-quantum S/MIME encryption therefore needs a second certificate for an ML-KEM key, whose key usage is keyEncipherment only, next to the ML-DSA signing certificate. The validity ranges apply to a private PKI; publicly trusted TLS certificates are currently limited to 398 days by the CA/Browser Forum Baseline Requirements.
----
===== Industry-Specific Requirements =====
^ Industry ^ Certificate Type ^ Specifics ^
| **Energy/SCADA** | Server | Long validity (5+ years), offline validation |
| **Healthcare** | Client | gematik OIDs, eGK compatibility |
| **Automotive** | Server + Client | V2X-specific extensions |
| **Industry 4.0** | Server | OPC UA compatible, IEC 62443 |
----
===== Quick Start Code =====
<code csharp>
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

// ctx, intermediateCaCert and intermediateCaKey come from the CA setup of category 1.
// Load the CSR. Verify its self-signature first (proof of possession of the private key, see 2. CSR)
// before anything in it is trusted.
var csr = ctx.LoadCertificateRequest("server.csr.pem");

// Sign with the Intermediate CA. The extension list is set here by the CA profile,
// not taken over from whatever the requester put into the CSR.
using var serverCert = ctx.IssueCertificate(
    csr,
    issuerCert: intermediateCaCert,
    issuerKey: intermediateCaKey,
    serialNumber: ctx.GenerateSerialNumber(),       // random, unpredictable serial number
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false)                // end-entity certificate, never a CA
        // KeyEncipherment is for RSA key transport only; for an ML-DSA key use DigitalSignature alone
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(csr.PublicKey)        // SKI derived from the requester's public key
        .AuthorityKeyIdentifier(intermediateCaCert) // AKI = issuer's SKI, needed for chain building
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);
serverCert.ToPemFile("server.crt.pem");
</code>
-> //Complete example:// [[.:server_cert|Scenario 3.1]]
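The issuance flow of the Quick Start above (CSR in, proof-of-possession check, profile-driven extensions, SKI/AKI and CRL distribution point, signed leaf out) together with the Key Usage table further up, as an added stand-alone Go example that uses only the standard library's crypto/x509. It is not the WvdS library and not code from this project. ECDSA P-256 stands in for the post-quantum signature algorithm; the self-signed "Example Intermediate CA", the subject names, the e-mail address and the CRL URL are constructed sample data; the function names are this example's own. It goes a little beyond the page in two ways: keyEncipherment is only added when the CSR key really is RSA, and the profile check (CheckProfile) doubles as the lint a relying party can run before trusting a certificate for a purpose.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Key Usage table rows: maximum validity per EKU, and which profiles add keyEncipherment (RSA keys only).
var maxValidity = map[x509.ExtKeyUsage]time.Duration{
	x509.ExtKeyUsageServerAuth: 2 * 365 * 24 * time.Hour, x509.ExtKeyUsageClientAuth: 2 * 365 * 24 * time.Hour,
	x509.ExtKeyUsageCodeSigning: 3 * 365 * 24 * time.Hour, x509.ExtKeyUsageEmailProtection: 2 * 365 * 24 * time.Hour,
}
var rsaKeyTransport = map[x509.ExtKeyUsage]bool{x509.ExtKeyUsageServerAuth: true, x509.ExtKeyUsageEmailProtection: true}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewIntermediateCA: throwaway self-signed CA so the example runs offline (stand-in for category 1's CA).
func NewIntermediateCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)) // SKI is generated for CAs
	return must(x509.ParseCertificate(der)), key
}

// NewCSR plays the requester: a fresh key and a DER-encoded CSR (constructed sample input).
func NewCSR(cn string, dns, emails []string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns, EmailAddresses: emails}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
}

// IssueCertificate parses a CSR, checks proof of possession and signs a leaf under the profile
// for eku. The CA decides every extension: only subject, SANs and the public key come from the CSR.
func IssueCertificate(csrDER []byte, eku x509.ExtKeyUsage, validDays int, ca *x509.Certificate, caKey *ecdsa.PrivateKey, crlURL string) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, fmt.Errorf("csr signature invalid: %w", err)
	}
	if limit, ok := maxValidity[eku]; !ok || time.Duration(validDays)*24*time.Hour > limit {
		return nil, fmt.Errorf("no profile for EKU %v or %d days exceeds its maximum", eku, validDays)
	}
	ku := x509.KeyUsageDigitalSignature
	if _, isRSA := csr.PublicKey.(*rsa.PublicKey); isRSA && rsaKeyTransport[eku] {
		ku |= x509.KeyUsageKeyEncipherment // RSA key transport only; never for an ECDSA or ML-DSA key
	}
	// 20-byte positive serial: 158 random bits with bit 158 forced on (unpredictable, never zero, no sign padding).
	serial := new(big.Int).SetBit(must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 158))), 158, 1)
	ski := sha1.Sum(csr.RawSubjectPublicKeyInfo) // RFC 5280 4.2.1.2 accepts any derivation that is unique
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, DNSNames: csr.DNSNames, EmailAddresses: csr.EmailAddresses,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().AddDate(0, 0, validDays),
		BasicConstraintsValid: true, IsCA: false, KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		SubjectKeyId: ski[:], CRLDistributionPoints: []string{crlURL}, // AKI is copied from the CA's SKI
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckProfile lints an issued certificate against its profile and its issuer.
func CheckProfile(cert *x509.Certificate, eku x509.ExtKeyUsage, ca *x509.Certificate) error {
	limit, ok := maxValidity[eku]
	switch {
	case cert.IsCA || !cert.BasicConstraintsValid || cert.KeyUsage&(x509.KeyUsageCertSign|x509.KeyUsageCRLSign) != 0:
		return fmt.Errorf("leaf must be CA:FALSE without keyCertSign/cRLSign")
	case cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 || len(cert.ExtKeyUsage) != 1 || cert.ExtKeyUsage[0] != eku:
		return fmt.Errorf("key usage or extendedKeyUsage does not match the %v profile", eku)
	case !ok || cert.NotAfter.Sub(cert.NotBefore) > limit+time.Hour:
		return fmt.Errorf("no profile for EKU %v or validity exceeds its maximum", eku)
	case len(cert.SubjectKeyId) == 0 || len(cert.AuthorityKeyId) == 0 || len(cert.CRLDistributionPoints) == 0:
		return fmt.Errorf("SKI, AKI or CRL distribution point missing")
	}
	return cert.CheckSignatureFrom(ca) // fails unless ca is a CA certificate that signed cert
}

func main() {
	ca, caKey := NewIntermediateCA()
	cert := must(IssueCertificate(NewCSR("www.example.com", []string{"www.example.com"}, nil), x509.ExtKeyUsageServerAuth, 365, ca, caKey, "http://crl.example.com/intermediate.crl"))
	fmt.Println("issued", cert.Subject, "lint:", CheckProfile(cert, x509.ExtKeyUsageServerAuth, ca))
}
```

The point that matters for a CA: nothing from the CSR's requested extensions reaches the template. A requester can put basicConstraints CA:TRUE or keyCertSign into a CSR, and a CA that copies CSR extensions blindly mints a sub-CA by accident; here the profile keyed by the extended key usage is the only source of extensions, and the lint rejects anything that is a CA, exceeds the profile's validity, or is not signed by the expected issuer.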
----
===== Related Categories =====
^ Category ^ Relationship ^
| [[.:csr:start|2. CSR]] | CSR as input |
| [[.:verwaltung:start|4. Manage Certificates]] | Manage issued certificates |
| [[.:tls:start|10. TLS/mTLS]] | Deploy server certificates |
----
<< [[en:int:pqcrypt:szenarien:csr:start|<- 2. CSR]] | [[en:int:pqcrypt:szenarien:start|^ Scenarios]] | [[.:verwaltung:start|4. Manage Certificates ->]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>category certificates issue server client codesigning}}