====== 3.3 Rad ======
Operativni zadaci za PQ-kriptografsku infrastrukturu.
----
===== Health provjere =====
Redovito provodite ove provjere:
==== Brza provjera (dnevno) ====
# Je li OpenSSL dostupan?
openssl version
# Očekivano: OpenSSL 3.6.0 ili noviji
# Jesu li PQ-algoritmi aktivni?
openssl list -signature-algorithms | grep -i "ml-dsa" | head -1
# Očekivano: ML-DSA-44, ML-DSA-65, ili ML-DSA-87
==== Potpuna Health provjera ====
**Linux/macOS:**
#!/bin/bash
echo "=== WvdS PQ Crypto Health Check ==="
# 1. OpenSSL
echo -n "OpenSSL: "
openssl version | grep -q "3\.[6-9]\|[4-9]\." && echo "OK" || echo "FAIL (Verzija prestara)"
# 2. ML-DSA podrška
echo -n "ML-DSA: "
openssl list -signature-algorithms 2>/dev/null | grep -qi "ml-dsa" && echo "OK" || echo "FAIL"
# 3. ML-KEM podrška
echo -n "ML-KEM: "
openssl list -kem-algorithms 2>/dev/null | grep -qi "ml-kem" && echo "OK" || echo "FAIL"
# 4. Provider
echo -n "Provider: "
openssl list -providers | grep -q "default" && echo "OK" || echo "FAIL"
# 5. FIPS (opcionalno)
echo -n "FIPS: "
openssl list -providers | grep -qi "fips" && echo "OK" || echo "Nije konfigurirano"
# 6. .NET Runtime
echo -n ".NET 8: "
dotnet --list-runtimes 2>/dev/null | grep -q "NETCore.App 8" && echo "OK" || echo "FAIL"
echo "=== Health provjera završena ==="
**Windows (PowerShell):**
Write-Host "=== WvdS PQ Crypto Health Check ===" -ForegroundColor Cyan
# 1. OpenSSL
$opensslVersion = & openssl version 2>$null
if ($opensslVersion -match "3\.[6-9]") {
Write-Host "OpenSSL: OK ($opensslVersion)" -ForegroundColor Green
} else {
Write-Host "OpenSSL: FAIL" -ForegroundColor Red
}
# 2. ML-DSA
$mldsa = & openssl list -signature-algorithms 2>$null | Select-String "ML-DSA"
if ($mldsa) {
Write-Host "ML-DSA: OK" -ForegroundColor Green
} else {
Write-Host "ML-DSA: FAIL" -ForegroundColor Red
}
# 3. ML-KEM
$mlkem = & openssl list -kem-algorithms 2>$null | Select-String "ML-KEM"
if ($mlkem) {
Write-Host "ML-KEM: OK" -ForegroundColor Green
} else {
Write-Host "ML-KEM: FAIL" -ForegroundColor Red
}
# 4. .NET
$dotnet = & dotnet --list-runtimes 2>$null | Select-String "NETCore.App 8"
if ($dotnet) {
Write-Host ".NET 8: OK" -ForegroundColor Green
} else {
Write-Host ".NET 8: FAIL" -ForegroundColor Red
}
Write-Host "=== Health provjera završena ===" -ForegroundColor Cyan
----
===== Certifikati putem OpenSSL CLI =====
==== Kreiranje Root CA ====
**Klasično (RSA 4096):**
# 1. Generiranje privatnog ključa
openssl genpkey -algorithm RSA -out root-ca.key -pkeyopt rsa_keygen_bits:4096
# 2. Kreiranje samopotpisane Root CA
openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 \
-subj "/C=DE/O=Organisation/CN=Root CA"
# 3. Prikaz certifikata
openssl x509 -in root-ca.crt -text -noout
**Post-kvantno (ML-DSA-65):**
# 1. Generiranje ML-DSA privatnog ključa
openssl genpkey -algorithm ML-DSA-65 -out root-ca-pq.key
# 2. Kreiranje samopotpisane PQ Root CA
openssl req -new -x509 -key root-ca-pq.key -out root-ca-pq.crt -days 3650 \
-subj "/C=DE/O=Organisation/CN=PQ Root CA"
# 3. Prikaz certifikata
openssl x509 -in root-ca-pq.crt -text -noout
==== Kreiranje Intermediate CA ====
# 1. Privatni ključ za Intermediate
openssl genpkey -algorithm RSA -out intermediate.key -pkeyopt rsa_keygen_bits:4096
# 2. Kreiranje CSR-a
openssl req -new -key intermediate.key -out intermediate.csr \
-subj "/C=DE/O=Organisation/CN=Intermediate CA"
# 3. Potpisivanje od strane Root CA (s CA proširenjima)
openssl x509 -req -in intermediate.csr -CA root-ca.crt -CAkey root-ca.key \
-CAcreateserial -out intermediate.crt -days 1825 \
-extfile <(echo "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign")
# 4. Provjera lanca
openssl verify -CAfile root-ca.crt intermediate.crt
==== Kreiranje End-Entity certifikata ====
# 1. Privatni ključ
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
# 2. CSR sa SAN (Subject Alternative Name)
openssl req -new -key server.key -out server.csr \
-subj "/C=DE/O=Organisation/CN=server.example.com" \
-addext "subjectAltName=DNS:server.example.com,DNS:www.example.com"
# 3. Potpisivanje od strane Intermediate
openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
-CAcreateserial -out server.crt -days 365 \
-extfile <(echo "basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:server.example.com,DNS:www.example.com")
# 4. Verifikacija potpunog lanca
openssl verify -CAfile root-ca.crt -untrusted intermediate.crt server.crt
==== Pregledavanje certifikata ====
# Prikaz detalja certifikata
openssl x509 -in cert.crt -text -noout
# Samo Subject i Issuer
openssl x509 -in cert.crt -subject -issuer -noout
# Razdoblje valjanosti
openssl x509 -in cert.crt -dates -noout
# Otisak prsta
openssl x509 -in cert.crt -fingerprint -sha256 -noout
# Izdvajanje javnog ključa
openssl x509 -in cert.crt -pubkey -noout
# Algoritam potpisa
openssl x509 -in cert.crt -text -noout | grep "Signature Algorithm"
==== Konverzija formata certifikata ====
# PEM u DER
openssl x509 -in cert.pem -outform DER -out cert.der
# DER u PEM
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem
# PEM u PKCS#12 (PFX)
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca-chain.crt
# PKCS#12 u PEM (certifikat + ključ)
openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes
----
===== Upravljanje Trust Store =====
==== Windows Certificate Store ====
**Uvoz CA certifikata (PowerShell kao administrator):**
# Root CA u Trusted Root Certification Authorities
Import-Certificate -FilePath "root-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root
# Intermediate CA u Intermediate Certification Authorities
Import-Certificate -FilePath "intermediate.crt" -CertStoreLocation Cert:\LocalMachine\CA
# Verifikacija
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Root CA*"}
**Popis certifikata:**
# Sve Root CA
Get-ChildItem Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter
# Certifikati koji ističu (< 30 dana)
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.NotAfter -lt (Get-Date).AddDays(30)} | Format-Table Subject, NotAfter
**Uklanjanje certifikata:**
# Po otisku prsta
Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "ABC123..."} | Remove-Item
==== Linux Trust Store ====
**Debian/Ubuntu:**
# Dodavanje CA certifikata
sudo cp root-ca.crt /usr/local/share/ca-certificates/wvds-root-ca.crt
sudo update-ca-certificates
# Verifikacija
ls /etc/ssl/certs/ | grep wvds
# Uklanjanje certifikata
sudo rm /usr/local/share/ca-certificates/wvds-root-ca.crt
sudo update-ca-certificates --fresh
**RHEL/CentOS:**
# Dodavanje CA certifikata
sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/wvds-root-ca.crt
sudo update-ca-trust
# Verifikacija
trust list | grep -A2 "WvdS"
==== macOS Keychain ====
# Dodavanje CA u System Keychain
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root-ca.crt
# Verifikacija
security find-certificate -a -c "Root CA" /Library/Keychains/System.keychain
----
===== Sigurnosne kopije i oporavak =====
**Komponente za sigurnosno kopiranje:**
^ Komponenta ^ Putanja ^ Učestalost ^ Prioritet ^
| Root CA privatni ključ | Offline pohrana | Nakon kreiranja | **Kritično** |
| Intermediate CA ključ | Server | Dnevno | Visok |
| PQ-pohrana ključeva | ''%LOCALAPPDATA%\WvdS.Crypto\PqKeys\'' | Dnevno | Visok |
| Certifikati (PFX) | Direktorij aplikacije | Nakon kreiranja | Srednji |
**Skripta za sigurnosno kopiranje (Linux):**
#!/bin/bash
BACKUP_DIR="/backup/pq-crypto/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
# PQ-pohrana ključeva
cp -r ~/.local/share/wvds-crypto/pqkeys/ "$BACKUP_DIR/"
# Certifikati
cp /etc/ssl/certs/wvds-*.crt "$BACKUP_DIR/"
# Osiguravanje dozvola
chmod 700 "$BACKUP_DIR"
chmod 600 "$BACKUP_DIR"/*
echo "Sigurnosna kopija kreirana: $BACKUP_DIR"
**Važno:** PQ-pohrana ključeva **nije** uključena u sigurnosnu kopiju Windows Certificate Store!
----
===== Praćenje =====
**Praćenje isteka certifikata:**
# Svi certifikati s datumom isteka < 30 dana
for cert in /etc/ssl/certs/*.crt; do
expiry=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2)
if [ -n "$expiry" ]; then
expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null)
now_epoch=$(date +%s)
days_left=$(( (expiry_epoch - now_epoch) / 86400 ))
if [ "$days_left" -lt 30 ]; then
echo "UPOZORENJE: $cert ističe za $days_left dana"
fi
fi
done
**Rokovi za obnovu:**
^ Tip certifikata ^ Obnova prije isteka ^
| Root CA | 30 dana |
| Intermediate CA | 14 dana |
| End-Entity | 7 dana |
----
===== Daljnje informacije =====
* [[.:troubleshooting|Rješavanje problema]] – Rješavanje operativnih problema
* [[..:konzepte:sicherheit|Sigurnost]] – Najbolje prakse
* [[.:konfiguration|Konfiguracija]] – Aktiviranje FIPS-načina rada
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>betrieb zertifikate backup trust-store health-check openssl}}