====== Upravljanje certifikatima ======
Kompaktni primjeri za upravljanje certifikatima. → **Detalji:** [[..:verwaltung:start|Scenariji upravljanja]]
----
===== Obnova certifikata (isti ključ) =====
var caCert = new X509Certificate2("intermediate-ca.pfx", "lozinka");
var oldCert = new X509Certificate2("server.pfx", "lozinka");
var privateKey = oldCert.GetECDsaPrivateKey();
var request = new CertificateRequest(
oldCert.SubjectName, (ECDsa)privateKey, HashAlgorithmName.SHA384);
// Preuzimanje proširenja (osim SKI)
foreach (var ext in oldCert.Extensions)
if (ext.Oid?.Value != "2.5.29.14")
request.CertificateExtensions.Add(ext);
// Nova serijska oznaka
var serial = new byte[20];
RandomNumberGenerator.Fill(serial);
serial[0] &= 0x7F;
var renewedCert = request.Create(caCert,
DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1), serial);
→ **Detalji:** [[..:verwaltung:renewal|Renewal]]
----
===== Re-Key (novi ključ) =====
var oldCert = new X509Certificate2("server.crt");
using var newKey = ECDsa.Create(ECCurve.NamedCurves.nistP384);
var request = new CertificateRequest(
oldCert.SubjectName, newKey, HashAlgorithmName.SHA384);
// Preuzimanje SAN-ova i EKU
if (oldCert.Extensions["2.5.29.17"] is { } san)
request.CertificateExtensions.Add(san);
if (oldCert.Extensions["2.5.29.37"] is { } eku)
request.CertificateExtensions.Add(eku);
// Kreiranje novog certifikata, opoziv starog!
→ **Detalji:** [[..:verwaltung:rekey|Re-Key]]
----
===== Kreiranje CRL =====
var caCert = new X509Certificate2("intermediate-ca.pfx", "lozinka");
var crlBuilder = new CertificateRevocationListBuilder();
crlBuilder.AddEntry(
serialNumber: new byte[] { 0x01, 0x23, 0x45 },
revocationTime: DateTimeOffset.UtcNow,
reason: X509RevocationReason.KeyCompromise);
var crl = crlBuilder.Build(caCert,
crlNumber: BitConverter.GetBytes(1L),
nextUpdate: DateTimeOffset.UtcNow.AddDays(7),
HashAlgorithmName.SHA384);
File.WriteAllBytes("intermediate.crl", crl);
→ **Detalji:** [[..:widerruf:crl_erstellen|Kreiranje CRL]]
----
===== Kontrolna lista =====
**Prije isteka (30 dana):**
* Planirati obnovu
* Odlučiti Renewal ili Re-Key
**Pri kompromitaciji:**
* Odmah Re-Key (novi ključ!)
* Opozvati stari certifikat
* Ažurirati CRL
----
<< [[.:start|← Kratka referenca]] | [[..:verwaltung:start|→ Scenariji upravljanja (Detalji)]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>kurzreferenz verwaltung renewal rekey crl}}