====== Parallel Operation ======
**Complexity:** Medium \\
**Duration:** Unlimited (until Classic is switched off) \\
**Risk:** Low
Running the classic and the Post-Quantum PKI side by side for maximum compatibility.
----
===== Architecture =====
<code mermaid>
flowchart TB
    subgraph CLASSIC["🔐 CLASSIC PKI"]
        CR[Classic Root CA]
        CI[Classic Intermediate]
        CC[Classic certificates]
    end
    subgraph HYBRID["🔄 HYBRID PKI"]
        HR[Hybrid Root CA]
        HI[Hybrid Intermediate]
        HC[Hybrid certificates]
    end
    subgraph CLIENTS["👥 CLIENTS"]
        OLD[Legacy clients]
        NEW[Modern clients]
    end
    CR --> CI --> CC
    HR --> HI --> HC
    CC --> OLD
    HC --> NEW
    CC -.->|Fallback| NEW
    style CLASSIC fill:#ffebee
    style HYBRID fill:#e8f5e9
</code>
----
===== When to run in parallel? =====
| Scenario | Recommendation |
|----------|----------------|
| Legacy systems cannot be updated | ✓ Parallel |
| Gradual migration over several years | ✓ Parallel |
| Regulatory requirements for backward compatibility | ✓ Parallel |
| Greenfield / new project | ✗ Go hybrid directly |
| All clients can be updated | ✗ Hybrid migration |
----
===== Setup =====
==== Directory structure ====
<code>
/etc/pki/
├── classic/
│   ├── root-ca.pem
│   ├── intermediate-ca.pem
│   ├── intermediate-ca.key
│   ├── crl/
│   └── issued/
├── hybrid/
│   ├── root-ca.pem
│   ├── intermediate-ca.pem
│   ├── intermediate-ca.key
│   ├── crl/
│   └── issued/
└── scripts/
    ├── issue-classic.sh
    ├── issue-hybrid.sh
    └── issue-both.sh
</code>
==== Dual-issue script ====
<code bash>
#!/bin/bash
# /etc/pki/scripts/issue-both.sh
# Issues a certificate for the same CSR from BOTH PKIs.
# Abort on the first failed step so a half-issued pair is never reported as done.
set -euo pipefail

CSR_FILE="${1:-}"
OUTPUT_PREFIX="${2:-}"

if [ -z "$CSR_FILE" ] || [ -z "$OUTPUT_PREFIX" ]; then
    echo "Usage: $0 CSR_FILE OUTPUT_PREFIX" >&2
    exit 1
fi

# Issue the classic certificate
echo "Izdavanje klasičnog certifikata..."
openssl ca -config /etc/pki/classic/openssl.cnf \
    -in "$CSR_FILE" \
    -out "${OUTPUT_PREFIX}-classic.pem" \
    -days 365 \
    -batch

# Issue the hybrid certificate
echo "Izdavanje hibridnog certifikata..."
/usr/local/bin/wvds-sign --mode hybrid \
    --ca /etc/pki/hybrid/intermediate-ca.pfx \
    --csr "$CSR_FILE" \
    --out "${OUTPUT_PREFIX}-hybrid.pem" \
    --days 365

echo "Gotovo:"
echo "  Klasično: ${OUTPUT_PREFIX}-classic.pem"
echo "  Hibridno: ${OUTPUT_PREFIX}-hybrid.pem"
</code>
----
===== Server configuration =====
==== Nginx: dual certificate ====
<code nginx>
server {
    listen 443 ssl;
    server_name api.example.com;

    # Primary: hybrid certificate
    ssl_certificate     /etc/ssl/certs/api-hybrid.pem;
    ssl_certificate_key /etc/ssl/private/api.key;

    # Fallback: classic certificate (for old clients)
    # Note: Nginx serves only one certificate per server block
    # For true dual mode: separate server blocks or SNI
}

# Alternative: separate server block for legacy clients
server {
    listen 443 ssl;
    server_name api-legacy.example.com;

    ssl_certificate     /etc/ssl/certs/api-classic.pem;
    ssl_certificate_key /etc/ssl/private/api.key;
}
</code>
==== Apache: dual certificate ====
<code apache>
<VirtualHost *:443>
    ServerName api.example.com
    SSLEngine on
    # Modern clients → hybrid
    SSLCertificateFile      /etc/ssl/certs/api-hybrid.pem
    SSLCertificateKeyFile   /etc/ssl/private/api.key
    SSLCertificateChainFile /etc/ssl/certs/hybrid-chain.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName api-legacy.example.com
    SSLEngine on
    # Legacy clients → classic
    SSLCertificateFile      /etc/ssl/certs/api-classic.pem
    SSLCertificateKeyFile   /etc/ssl/private/api.key
    SSLCertificateChainFile /etc/ssl/certs/classic-chain.pem
</VirtualHost>
</code>
----
===== Trust store management =====
==== Clients with both CAs ====
<code bash>
# Trust store bundle containing both Root CAs
cat /etc/pki/classic/root-ca.pem /etc/pki/hybrid/root-ca.pem > /etc/ssl/certs/ca-bundle.pem

# Or add them individually to the system trust store
# (RHEL/Fedora: drop the roots into the anchors directory, then rebuild the store)
cp /etc/pki/classic/root-ca.pem /etc/pki/hybrid/root-ca.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
</code>
==== Windows trust store ====
<code powershell>
# Import both Root CAs
Import-Certificate -FilePath "classic-root.cer" -CertStoreLocation Cert:\LocalMachine\Root
Import-Certificate -FilePath "hybrid-root.cer" -CertStoreLocation Cert:\LocalMachine\Root
</code>
----
===== CRL/OCSP for both PKIs =====
<code nginx>
# CRL Distribution Points
# Classic: http://crl.example.com/classic/intermediate.crl
# Hybrid:  http://crl.example.com/hybrid/intermediate.crl

# Nginx locations serving the CRLs
location /crl/classic/ {
    alias /etc/pki/classic/crl/;
    types { application/pkix-crl crl; }
}
location /crl/hybrid/ {
    alias /etc/pki/hybrid/crl/;
    types { application/pkix-crl crl; }
}
</code>
----
===== Monitoring =====
<code yaml>
# Prometheus: scrape both PKIs and label the series by PKI
scrape_configs:
  - job_name: 'pki-classic'
    static_configs:
      - targets: ['localhost:9793']
    params:
      path: ['/etc/pki/classic/issued/*.pem']
    relabel_configs:
      - target_label: pki
        replacement: 'classic'
  - job_name: 'pki-hybrid'
    static_configs:
      - targets: ['localhost:9793']
    params:
      path: ['/etc/pki/hybrid/issued/*.pem']
    relabel_configs:
      - target_label: pki
        replacement: 'hybrid'
</code>
**Dashboard metrics:**
| Metric | Classic | Hybrid |
|--------|---------|--------|
| Active certificates | ''count(x509{pki="classic"})'' | ''count(x509{pki="hybrid"})'' |
| Expiring in < 30 days | ''count(...)'' | ''count(...)'' |
| CRL next update | ''crl_next_update{pki="classic"}'' | ''crl_next_update{pki="hybrid"}'' |
----
===== Migration tracking =====
<code bash>
#!/bin/bash
# migration-status.sh - migration progress (share of issued certs that are hybrid)
echo "=== PKI Migration Status ==="

classic_count=$(find /etc/pki/classic/issued -name "*.pem" | wc -l)
hybrid_count=$(find /etc/pki/hybrid/issued -name "*.pem" | wc -l)
total=$((classic_count + hybrid_count))

# Guard against division by zero when nothing has been issued yet
if [ "$total" -gt 0 ]; then
    hybrid_percent=$((hybrid_count * 100 / total))
else
    hybrid_percent=0
fi

echo "Klasično: $classic_count"
echo "Hibridno: $hybrid_count"
echo "Ukupno: $total"
echo "Migracija: $hybrid_percent%"

# Progress bar: 50 cells, one cell per 2 %
echo ""
echo -n "Napredak: ["
for i in $(seq 1 50); do
    if [ "$i" -le $((hybrid_percent / 2)) ]; then
        echo -n "█"
    else
        echo -n "░"
    fi
done
echo "] $hybrid_percent%"
</code>
----
===== Phasing out the classic PKI =====
<code mermaid>
flowchart LR
    subgraph ACTIVE["✅ ACTIVE"]
        A1[Both PKIs active]
    end
    subgraph TRANSITION["🔄 TRANSITION"]
        T1[Classic: renewals only]
        T2[Hybrid: new certificates]
    end
    subgraph SUNSET["🌅 SUNSET"]
        S1[Classic: existing certs only]
        S2[No new classic certificates]
    end
    subgraph END["🛑 END"]
        E1[Classic deactivated]
    end
    ACTIVE --> TRANSITION --> SUNSET --> END
    style ACTIVE fill:#e8f5e9
    style END fill:#ffebee
</code>
**Timeline:**
| Phase | Action | Trigger |
|-------|--------|---------|
| Active | Both PKIs issue | Start |
| Transition | Classic renewals only | 80% hybrid |
| Sunset | Classic only runs out | 95% hybrid |
| End | Classic CA offline | All classic certs expired |
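The migration-status script above only counts files; the phase-out triggers also depend on which certificates are still valid. The following added example (not from the original page) combines both: it takes exporter-style records, counts active and soon-expiring certificates per PKI (the dashboard metrics), and derives the phase from the 80% / 95% / all-expired triggers in the timeline. The `summarize` function, the `(pki, not_after)` record format and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Thresholds taken from the phase-out table: Transition at 80 % hybrid, Sunset at 95 %.
TRANSITION_PCT = 80
SUNSET_PCT = 95
EXPIRY_WINDOW = timedelta(days=30)   # the "expiring < 30d" dashboard metric


def summarize(certs, now):
    """Per-PKI active/expiring counts, hybrid share and the resulting phase-out phase.

    certs: iterable of (pki, not_after), pki being 'classic' or 'hybrid' and
    not_after a timezone-aware datetime (hypothetical record format, as an
    x509 exporter would label it). Expired certificates do not count as active.
    """
    stats = {"classic": {"active": 0, "expiring_30d": 0},
             "hybrid": {"active": 0, "expiring_30d": 0}}
    for pki, not_after in certs:
        if pki not in stats:
            raise ValueError(f"unknown pki label: {pki}")
        if not_after <= now:
            continue                       # already expired: skip
        stats[pki]["active"] += 1
        if not_after - now <= EXPIRY_WINDOW:
            stats[pki]["expiring_30d"] += 1
    classic = stats["classic"]["active"]
    hybrid = stats["hybrid"]["active"]
    total = classic + hybrid
    hybrid_pct = hybrid * 100 // total if total else 0   # integer %, as in the shell script
    if total > 0 and classic == 0:
        phase = "end"          # all classic certs expired: Classic CA can go offline
    elif hybrid_pct >= SUNSET_PCT:
        phase = "sunset"       # no new classic certs, existing ones run out
    elif hybrid_pct >= TRANSITION_PCT:
        phase = "transition"   # classic issues renewals only
    else:
        phase = "active"       # both PKIs issue
    return {"classic": classic, "hybrid": hybrid, "hybrid_pct": hybrid_pct,
            "expiring_30d": {k: v["expiring_30d"] for k, v in stats.items()},
            "phase": phase}


# Constructed sample: one classic cert expiring in 10 days, one already expired, 8 hybrid.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE = [("classic", NOW + timedelta(days=10)),
          ("classic", NOW - timedelta(days=1))]
SAMPLE += [("hybrid", NOW + timedelta(days=200 + i)) for i in range(8)]

if __name__ == "__main__":
    print(summarize(SAMPLE, NOW))   # phase: transition, hybrid_pct: 88
```

Feeding it the real `issued/` directories only requires reading each certificate's notAfter with a PEM parser and emitting `(pki, not_after)` tuples.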
----
===== Checklist =====
| # | Checkpoint | ✓ |
|---|------------|---|
| 1 | Both PKIs set up | ☐ |
| 2 | Dual-issue scripts work | ☐ |
| 3 | Trust stores contain both CAs | ☐ |
| 4 | CRL/OCSP available for both | ☐ |
| 5 | Monitoring active for both | ☐ |
| 6 | Migration tracking set up | ☐ |
| 7 | Phase-out plan documented | ☐ |
----
===== Related documentation =====
* [[.:classic-to-hybrid|Classic → Hybrid]] – Direct migration
* [[.:rollback-strategie|Rollback strategy]] – Contingency plan
* [[..:monitoring:start|Monitoring]] – Monitoring both PKIs
----
<< [[.:classic-to-hybrid|← Classic → Hybrid]] | [[.:rollback-strategie|→ Rollback strategy]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>migracija paralelno dual-pki kompatibilnost operator}}