Komplexität: Mittel
Dauer: Unbegrenzt (bis Classic abgeschaltet)
Risiko: Niedrig
Gleichzeitiger Betrieb von klassischer und Post-Quantum-PKI für maximale Kompatibilität.
| Szenario | Empfehlung |
| ———- | ———— |
| Legacy-Systeme nicht updatebar | ✓ Parallel |
| Schrittweise Migration über Jahre | ✓ Parallel |
| Regulatorische Anforderungen für Rückwärtskompatibilität | ✓ Parallel |
| Greenfield / Neues Projekt | ✗ Direkt Hybrid |
| Alle Clients updatebar | ✗ Hybrid-Migration |
/etc/pki/
├── classic/
│ ├── root-ca.pem
│ ├── intermediate-ca.pem
│ ├── intermediate-ca.key
│ ├── crl/
│ └── issued/
├── hybrid/
│ ├── root-ca.pem
│ ├── intermediate-ca.pem
│ ├── intermediate-ca.key
│ ├── crl/
│ └── issued/
└── scripts/
├── issue-classic.sh
├── issue-hybrid.sh
└── issue-both.sh
#!/bin/bash # /etc/pki/scripts/issue-both.sh # Gibt ein Zertifikat von BEIDEN PKIs aus CSR_FILE="$1" OUTPUT_PREFIX="$2" if [ -z "$CSR_FILE" ] || [ -z "$OUTPUT_PREFIX" ]; then echo "Usage: $0 <csr-file> <output-prefix>" exit 1 fi # Klassisches Zertifikat ausstellen echo "Stelle klassisches Zertifikat aus..." openssl ca -config /etc/pki/classic/openssl.cnf \ -in "$CSR_FILE" \ -out "${OUTPUT_PREFIX}-classic.pem" \ -days 365 \ -batch # Hybrid-Zertifikat ausstellen echo "Stelle Hybrid-Zertifikat aus..." /usr/local/bin/wvds-sign --mode hybrid \ --ca /etc/pki/hybrid/intermediate-ca.pfx \ --csr "$CSR_FILE" \ --out "${OUTPUT_PREFIX}-hybrid.pem" \ --days 365 echo "Fertig:" echo " Klassisch: ${OUTPUT_PREFIX}-classic.pem" echo " Hybrid: ${OUTPUT_PREFIX}-hybrid.pem"
server { listen 443 ssl; server_name api.example.com; # Primär: Hybrid-Zertifikat ssl_certificate /etc/ssl/certs/api-hybrid.pem; ssl_certificate_key /etc/ssl/private/api.key; # Fallback: Klassisches Zertifikat (für alte Clients) # Hinweis: Nginx unterstützt nur ein Zertifikat pro Server-Block # Für echten Dual-Mode: Separate Server-Blöcke oder SNI } # Alternative: Separate Server für Legacy server { listen 443 ssl; server_name api-legacy.example.com; ssl_certificate /etc/ssl/certs/api-classic.pem; ssl_certificate_key /etc/ssl/private/api.key; }
<VirtualHost *:443> ServerName api.example.com # Moderne Clients → Hybrid SSLCertificateFile /etc/ssl/certs/api-hybrid.pem SSLCertificateKeyFile /etc/ssl/private/api.key SSLCertificateChainFile /etc/ssl/certs/hybrid-chain.pem </VirtualHost> <VirtualHost *:443> ServerName api-legacy.example.com # Legacy Clients → Klassisch SSLCertificateFile /etc/ssl/certs/api-classic.pem SSLCertificateKeyFile /etc/ssl/private/api.key SSLCertificateChainFile /etc/ssl/certs/classic-chain.pem </VirtualHost>
# Trust Store mit beiden Root-CAs cat /etc/pki/classic/root-ca.pem /etc/pki/hybrid/root-ca.pem > /etc/ssl/certs/ca-bundle.pem # Oder einzeln hinzufügen update-ca-trust extract
# Beide Root-CAs importieren Import-Certificate -FilePath "classic-root.cer" -CertStoreLocation Cert:\LocalMachine\Root Import-Certificate -FilePath "hybrid-root.cer" -CertStoreLocation Cert:\LocalMachine\Root
# CRL Distribution Points # Klassisch: http://crl.example.com/classic/intermediate.crl # Hybrid: http://crl.example.com/hybrid/intermediate.crl # Nginx für CRL-Verteilung location /crl/classic/ { alias /etc/pki/classic/crl/; types { application/pkix-crl crl; } } location /crl/hybrid/ { alias /etc/pki/hybrid/crl/; types { application/pkix-crl crl; } }
# Prometheus: Beide PKIs überwachen scrape_configs: - job_name: 'pki-classic' static_configs: - targets: ['localhost:9793'] params: path: ['/etc/pki/classic/issued/*.pem'] relabel_configs: - target_label: pki replacement: 'classic' - job_name: 'pki-hybrid' static_configs: - targets: ['localhost:9793'] params: path: ['/etc/pki/hybrid/issued/*.pem'] relabel_configs: - target_label: pki replacement: 'hybrid'
Dashboard-Metriken:
| Metrik | Klassisch | Hybrid |
| ——– | ———– | ——– |
| Aktive Zertifikate | count(x509{pki=„classic“}) | count(x509{pki=„hybrid“}) |
| Ablaufend < 30d | count(…) | count(…) |
| CRL Next Update | crl_next_update{pki=„classic“} | crl_next_update{pki=„hybrid“} |
#!/bin/bash # migration-status.sh - Fortschritt der Migration echo "=== PKI Migration Status ===" classic_count=$(find /etc/pki/classic/issued -name "*.pem" | wc -l) hybrid_count=$(find /etc/pki/hybrid/issued -name "*.pem" | wc -l) total=$((classic_count + hybrid_count)) if [ "$total" -gt 0 ]; then hybrid_percent=$((hybrid_count * 100 / total)) else hybrid_percent=0 fi echo "Klassisch: $classic_count" echo "Hybrid: $hybrid_count" echo "Gesamt: $total" echo "Migration: $hybrid_percent%" # Grafische Darstellung echo "" echo -n "Progress: [" for i in $(seq 1 50); do if [ $i -le $((hybrid_percent / 2)) ]; then echo -n "█" else echo -n "░" fi done echo "] $hybrid_percent%"
Timeline:
| Phase | Aktion | Trigger |
| ——- | ——– | ——— |
| Aktiv | Beide PKIs ausstellen | Start |
| Übergang | Classic nur Renewal | 80% Hybrid |
| Sunset | Classic nur ablaufen lassen | 95% Hybrid |
| Ende | Classic-CA offline | Alle Classic abgelaufen |
| # | Prüfpunkt | ✓ |
| — | ———– | — |
| 1 | Beide PKIs aufgesetzt | ☐ |
| 2 | Dual-Issue-Scripts funktionieren | ☐ |
| 3 | Trust Stores enthalten beide CAs | ☐ |
| 4 | CRL/OCSP für beide verfügbar | ☐ |
| 5 | Monitoring für beide aktiv | ☐ |
| 6 | Migration-Tracking eingerichtet | ☐ |
| 7 | Phase-Out-Plan dokumentiert | ☐ |
« ← Classic → Hybrid | → Rollback-Strategie »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional