====== Classic → Hybrid migracija ======

<WRAP round info>
**Složenost:** Srednja \\
**Trajanje:** 6-12 mjeseci (potpuno) \\
**Rizik:** Nizak-Srednji
</WRAP>

Postupna migracija s klasičnog PKI-a (RSA/ECDSA) na hibridni način (Klasično + ML-DSA).

----

===== Pregled =====

<mermaid>
flowchart TB
    subgraph PHASE1["Faza 1: Priprema"]
        P1A[Inventura]
        P1B[Testno okruženje]
        P1C[Ažuriranje alata]
    end

    subgraph PHASE2["Faza 2: Infrastruktura"]
        P2A[Root-CA Hybrid]
        P2B[Intermediate-CA]
        P2C[CRL/OCSP ažuriranje]
    end

    subgraph PHASE3["Faza 3: Rollout"]
        P3A[Server certifikati]
        P3B[Klijent certifikati]
        P3C[Code-Signing]
    end

    subgraph PHASE4["Faza 4: Validacija"]
        P4A[Monitoring]
        P4B[Audit]
        P4C[Dokumentacija]
    end

    P1A --> P1B --> P1C --> P2A
    P2A --> P2B --> P2C --> P3A
    P3A --> P3B --> P3C --> P4A
    P4A --> P4B --> P4C

    style P2A fill:#fff3e0
    style P3A fill:#e8f5e9
</mermaid>

----

===== Faza 1: Priprema (1-2 mjeseca) =====

==== 1.1 Provođenje inventure ====

<code bash>
#!/bin/bash
# inventory-certs.sh - Inventura certifikata

echo "=== Inventura certifikata $(date) ===" > inventory.csv
echo "Put,Subject,Algoritam,Veličina ključa,Istek,Dani" >> inventory.csv

# Lokalni certifikati
for cert in /etc/ssl/certs/*.pem /etc/pki/tls/certs/*.pem; do
    [ -f "$cert" ] || continue

    subject=$(openssl x509 -in "$cert" -subject -noout 2>/dev/null | sed 's/subject=//')
    algo=$(openssl x509 -in "$cert" -text -noout 2>/dev/null | grep "Public Key Algorithm" | awk '{print $4}')
    keysize=$(openssl x509 -in "$cert" -text -noout 2>/dev/null | grep "Public-Key:" | grep -oP '\d+')
    expiry=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2)
    days=$(( ($(date -d "$expiry" +%s) - $(date +%s)) / 86400 ))

    echo "\"$cert\",\"$subject\",\"$algo\",\"$keysize\",\"$expiry\",\"$days\"" >> inventory.csv
done

# Udaljeni endpointi
ENDPOINTS=(
    "api.example.com:443"
    "web.example.com:443"
    "mail.example.com:465"
)

for endpoint in "${ENDPOINTS[@]}"; do
    host=${endpoint%:*}
    port=${endpoint#*:}

    cert_info=$(echo | openssl s_client -connect "$endpoint" -servername "$host" 2>/dev/null | openssl x509 -text -noout 2>/dev/null)
    # ... analogno evaluirati
done

echo "Inventura završena: inventory.csv"
</code>

→ Detalji: [[.:inventur|Inventura certifikata]]

==== 1.2 Postavljanje testnog okruženja ====

<code bash>
# Docker-bazirani test-PKI
docker run -d --name test-ca \
    -v /test-pki:/pki \
    -e OPENSSL_CONF=/pki/openssl.cnf \
    alpine/openssl

# OpenSSL 3.6 za PQ
docker exec test-ca openssl version
# OpenSSL 3.6.0 ...

# Test: Kreiranje hibridnog certifikata
docker exec test-ca openssl genpkey -algorithm ML-DSA-65 -out /pki/test-mldsa.key
</code>

==== 1.3 Ažuriranje alata ====

| Alat | Min. verzija | PQ podrška |
|------|--------------|------------|
| OpenSSL | 3.6.0 | ML-DSA, ML-KEM |
| .NET | 9.0+ | Putem WvdS.System.Security.Cryptography |
| Java | 21+ | Putem BouncyCastle 1.78 |
| curl | 8.5+ | Hibridni TLS |

----

===== Faza 2: Infrastruktura (2-3 mjeseca) =====

==== 2.1 Migracija Root-CA na hibridni način ====

<WRAP round important>
**Migracija Root-CA je najkritičniji korak.** Pažljivo planirajte i temeljito testirajte.
</WRAP>

**Opcija A: Novi hibridni Root-CA (preporučeno)**

<code csharp>
// Kreiranje novog hibridnog Root-CA
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
var request = new CertificateRequest(
    "CN=My Organization Root CA - Hybrid, O=My Organization",
    ecdsa,
    HashAlgorithmName.SHA384);

// CA ekstenzije
request.CertificateExtensions.Add(
    new X509BasicConstraintsExtension(true, true, 2, true));
request.CertificateExtensions.Add(
    new X509KeyUsageExtension(
        X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign,
        true));

// Hibridni Self-Signed (ECDSA + ML-DSA)
var hybridRoot = request.CreateSelfSigned(
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddYears(25),
    CryptoMode.Hybrid);

// Eksport
File.WriteAllBytes("hybrid-root-ca.pfx",
    hybridRoot.Export(X509ContentType.Pfx, "secure-password"));
</code>

**Opcija B: Cross-certifikacija (prijelaz)**

<code csharp>
// Stari Root-CA cross-certificira novi hibridni CA
using var oldRoot = new X509Certificate2("old-root.pfx", "password");
using var newHybridRoot = new X509Certificate2("hybrid-root.pfx", "password");

// Kreiranje cross-certifikata
var crossCertRequest = new CertificateRequest(
    newHybridRoot.SubjectName,
    newHybridRoot.GetECDsaPublicKey()!,
    HashAlgorithmName.SHA384);

// Potpisano od starog Roota
var crossCert = crossCertRequest.Create(
    oldRoot,
    newHybridRoot.NotBefore,
    newHybridRoot.NotAfter,
    newHybridRoot.SerialNumberBytes.ToArray());
</code>

==== 2.2 Migracija Intermediate-CA ====

<code bash>
# Novi hibridni Intermediate-CA
# 1. Generiranje ključa
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out intermediate.key

# 2. Kreiranje CSR-a
openssl req -new -key intermediate.key \
    -out intermediate.csr \
    -subj "/CN=My Organization Intermediate CA - Hybrid/O=My Organization"

# 3. Potpisivanje s Hybrid-Root (s WvdS-om)
</code>

<code csharp>
// Potpisivanje Intermediate s Hybrid-Root
using var hybridRoot = new X509Certificate2("hybrid-root.pfx", "password");

var intermediateCsr = CertificateRequest.LoadSigningRequest(
    File.ReadAllBytes("intermediate.csr"),
    HashAlgorithmName.SHA384);

// Dodavanje CA ekstenzija
intermediateCsr.CertificateExtensions.Add(
    new X509BasicConstraintsExtension(true, true, 1, true));

var intermediate = intermediateCsr.Create(
    hybridRoot,
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddYears(10),
    Guid.NewGuid().ToByteArray(),
    CryptoMode.Hybrid);
</code>

==== 2.3 CRL/OCSP ažuriranje ====

<code csharp>
// Kreiranje hibridno potpisane CRL
var crlBuilder = new CertificateRevocationListBuilder();

// Preuzimanje starih CRL unosa
foreach (var entry in existingCrlEntries)
{
    crlBuilder.AddEntry(entry.SerialNumber, entry.RevocationDate, entry.Reason);
}

// Potpisivanje s hibridnim CA
byte[] newCrl = crlBuilder.Build(
    hybridIntermediate,
    newCrlNumber,
    DateTimeOffset.UtcNow.AddDays(7),
    HashAlgorithmName.SHA384,
    CryptoMode.Hybrid);
</code>

----

===== Faza 3: Rollout (3-6 mjeseci) =====

==== 3.1 Server certifikati ====

**Matrica prioriteta:**

| Tip servera | Prioritet | Razlog |
|-------------|-----------|--------|
| Extern-facing API | Visok | Najveći rizik |
| Interni mikroservisi | Srednji | Lateralno kretanje |
| Development | Nizak | Testno okruženje |

<code bash>
# Batch obnova s hibridnim
for server in $(cat servers.txt); do
    # Kreiranje CSR-a
    ssh "$server" "openssl req -new -key /etc/ssl/private/server.key \
        -out /tmp/renew.csr -subj \"/CN=$server\""

    # Preuzimanje CSR-a
    scp "$server:/tmp/renew.csr" "./csrs/$server.csr"

    # Izdavanje hibridnog certifikata (putem API-ja ili skripte)
    ./sign-hybrid.sh "./csrs/$server.csr" "./certs/$server.pem"

    # Deployment certifikata
    scp "./certs/$server.pem" "$server:/etc/ssl/certs/server.pem"
    ssh "$server" "systemctl reload nginx"
done
</code>

==== 3.2 Klijent certifikati ====

<code csharp>
// Izdavanje klijent certifikata s hibridnim
var clientCsr = CertificateRequest.LoadSigningRequest(csrBytes, HashAlgorithmName.SHA384);

clientCsr.CertificateExtensions.Add(
    new X509EnhancedKeyUsageExtension(
        new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, // Client Auth
        false));

var clientCert = clientCsr.Create(
    intermediate,
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddYears(1),
    Guid.NewGuid().ToByteArray(),
    CryptoMode.Hybrid);
</code>

==== 3.3 Code-Signing certifikati ====

→ Pogledajte [[..:automatisierung:cicd-code-signing|CI/CD Code-Signing]] za integraciju u pipeline

----

===== Faza 4: Validacija (1-2 mjeseca) =====

==== 4.1 Aktivacija monitoringa ====

<code yaml>
# Prometheus Alert za hibridni status
- alert: NonHybridCertificateInProduction
  expr: x509_cert_algorithm{env="production"} !~ ".*ML-DSA.*|.*Hybrid.*"
  for: 24h
  labels:
    severity: warning
  annotations:
    summary: "Ne-hibridni certifikat u produkciji: {{ $labels.filepath }}"
</code>

==== 4.2 Kontrolna lista ====

| # | Točka provjere | Status |
|---|----------------|--------|
| 1 | Svi CA certifikati na hibridnom | ☐ |
| 2 | Svi server certifikati obnovljeni | ☐ |
| 3 | CRL/OCSP s hibridnim potpisan | ☐ |
| 4 | Trust Storeovi ažurirani | ☐ |
| 5 | Monitoring ne pokazuje samo klasične | ☐ |
| 6 | Rollback testiran | ☐ |
| 7 | Dokumentacija ažurirana | ☐ |

----

===== Rollback plan =====

<WRAP round alert>
**Kod problema:**
</WRAP>

<code bash>
# 1. Povratak na klasični CA
export CA_CERT=/etc/pki/CA/classic-intermediate.pem
export CA_KEY=/etc/pki/CA/classic-intermediate.key

# 2. Ponovno izdavanje certifikata s klasičnim CA
./issue-classic.sh

# 3. Opoziv hibridnih CA certifikata (ako je potrebno)
./revoke-hybrid-certs.sh
</code>

→ Detalji: [[.:rollback-strategie|Rollback strategija]]

----

===== Povezana dokumentacija =====

  * [[.:parallel-betrieb|Paralelni rad]] – Alternativna strategija
  * [[.:inventur|Inventura]] – Detaljan popis
  * [[hr:int:pqcrypt:konzepte:start|Kripto načini]] – Objašnjenje hibridnog

----

<< [[.:start|← Migracija]] | [[.:parallel-betrieb|→ Paralelni rad]] >>

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>migracija hibridno klasično nadogradnja operator}}