Operational tasks for the PQ cryptography infrastructure.
Perform these checks regularly:
# OpenSSL available? openssl version # Expected: OpenSSL 3.6.0 or higher # PQ algorithms active? openssl list -signature-algorithms | grep -i "ml-dsa" | head -1 # Expected: ML-DSA-44, ML-DSA-65, or ML-DSA-87
Linux/macOS:
#!/bin/bash echo "=== WvdS PQ Crypto Health Check ===" # 1. OpenSSL echo -n "OpenSSL: " openssl version | grep -q "3\.[6-9]\|[4-9]\." && echo "OK" || echo "FAIL (Version too old)" # 2. ML-DSA Support echo -n "ML-DSA: " openssl list -signature-algorithms 2>/dev/null | grep -qi "ml-dsa" && echo "OK" || echo "FAIL" # 3. ML-KEM Support echo -n "ML-KEM: " openssl list -kem-algorithms 2>/dev/null | grep -qi "ml-kem" && echo "OK" || echo "FAIL" # 4. Provider echo -n "Provider: " openssl list -providers | grep -q "default" && echo "OK" || echo "FAIL" # 5. FIPS (optional) echo -n "FIPS: " openssl list -providers | grep -qi "fips" && echo "OK" || echo "Not configured" # 6. .NET Runtime echo -n ".NET 8: " dotnet --list-runtimes 2>/dev/null | grep -q "NETCore.App 8" && echo "OK" || echo "FAIL" echo "=== Health Check Complete ==="
Windows (PowerShell):
Write-Host "=== WvdS PQ Crypto Health Check ===" -ForegroundColor Cyan # 1. OpenSSL $opensslVersion = & openssl version 2>$null if ($opensslVersion -match "3\.[6-9]") { Write-Host "OpenSSL: OK ($opensslVersion)" -ForegroundColor Green } else { Write-Host "OpenSSL: FAIL" -ForegroundColor Red } # 2. ML-DSA $mldsa = & openssl list -signature-algorithms 2>$null | Select-String "ML-DSA" if ($mldsa) { Write-Host "ML-DSA: OK" -ForegroundColor Green } else { Write-Host "ML-DSA: FAIL" -ForegroundColor Red } # 3. ML-KEM $mlkem = & openssl list -kem-algorithms 2>$null | Select-String "ML-KEM" if ($mlkem) { Write-Host "ML-KEM: OK" -ForegroundColor Green } else { Write-Host "ML-KEM: FAIL" -ForegroundColor Red } # 4. .NET $dotnet = & dotnet --list-runtimes 2>$null | Select-String "NETCore.App 8" if ($dotnet) { Write-Host ".NET 8: OK" -ForegroundColor Green } else { Write-Host ".NET 8: FAIL" -ForegroundColor Red } Write-Host "=== Health Check Complete ===" -ForegroundColor Cyan
Classic (RSA 4096):
# 1. Generate private key openssl genpkey -algorithm RSA -out root-ca.key -pkeyopt rsa_keygen_bits:4096 # 2. Create self-signed Root CA openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 \ -subj "/C=DE/O=Organization/CN=Root CA" # 3. Display certificate openssl x509 -in root-ca.crt -text -noout
Post-Quantum (ML-DSA-65):
# 1. Generate ML-DSA private key openssl genpkey -algorithm ML-DSA-65 -out root-ca-pq.key # 2. Create self-signed PQ Root CA openssl req -new -x509 -key root-ca-pq.key -out root-ca-pq.crt -days 3650 \ -subj "/C=DE/O=Organization/CN=PQ Root CA" # 3. Display certificate openssl x509 -in root-ca-pq.crt -text -noout
# 1. Private key for Intermediate openssl genpkey -algorithm RSA -out intermediate.key -pkeyopt rsa_keygen_bits:4096 # 2. Create CSR openssl req -new -key intermediate.key -out intermediate.csr \ -subj "/C=DE/O=Organization/CN=Intermediate CA" # 3. Sign with Root CA (with CA extensions) openssl x509 -req -in intermediate.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out intermediate.crt -days 1825 \ -extfile <(echo "basicConstraints=critical,CA:TRUE,pathlen:0 keyUsage=critical,keyCertSign,cRLSign") # 4. Verify chain openssl verify -CAfile root-ca.crt intermediate.crt
# 1. Private key openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048 # 2. CSR with SAN (Subject Alternative Name) openssl req -new -key server.key -out server.csr \ -subj "/C=DE/O=Organization/CN=server.example.com" \ -addext "subjectAltName=DNS:server.example.com,DNS:www.example.com" # 3. Sign with Intermediate openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \ -CAcreateserial -out server.crt -days 365 \ -extfile <(echo "basicConstraints=CA:FALSE keyUsage=critical,digitalSignature,keyEncipherment extendedKeyUsage=serverAuth,clientAuth subjectAltName=DNS:server.example.com,DNS:www.example.com") # 4. Verify full chain openssl verify -CAfile root-ca.crt -untrusted intermediate.crt server.crt
# Display certificate details openssl x509 -in cert.crt -text -noout # Only Subject and Issuer openssl x509 -in cert.crt -subject -issuer -noout # Validity period openssl x509 -in cert.crt -dates -noout # Fingerprint openssl x509 -in cert.crt -fingerprint -sha256 -noout # Extract public key openssl x509 -in cert.crt -pubkey -noout # Signature algorithm openssl x509 -in cert.crt -text -noout | grep "Signature Algorithm"
# PEM to DER openssl x509 -in cert.pem -outform DER -out cert.der # DER to PEM openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem # PEM to PKCS#12 (PFX) openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca-chain.crt # PKCS#12 to PEM (certificate + key) openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes
Import CA certificate (PowerShell as Administrator):
# Root CA to Trusted Root Certification Authorities Import-Certificate -FilePath "root-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root # Intermediate CA to Intermediate Certification Authorities Import-Certificate -FilePath "intermediate.crt" -CertStoreLocation Cert:\LocalMachine\CA # Verify Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Root CA*"}
List certificates:
# All Root CAs Get-ChildItem Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter # Expiring certificates (< 30 days) Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.NotAfter -lt (Get-Date).AddDays(30)} | Format-Table Subject, NotAfter
Remove certificate:
# By thumbprint Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "ABC123..."} | Remove-Item
Debian/Ubuntu:
# Add CA certificate sudo cp root-ca.crt /usr/local/share/ca-certificates/wvds-root-ca.crt sudo update-ca-certificates # Verify ls /etc/ssl/certs/ | grep wvds # Remove certificate sudo rm /usr/local/share/ca-certificates/wvds-root-ca.crt sudo update-ca-certificates --fresh
RHEL/CentOS:
# Add CA certificate sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/wvds-root-ca.crt sudo update-ca-trust # Verify trust list | grep -A2 "WvdS"
# Add CA to System Keychain sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root-ca.crt # Verify security find-certificate -a -c "Root CA" /Library/Keychains/System.keychain
Components to back up:
| Component | Path | Frequency | Priority |
|---|---|---|---|
| Root CA Private Key | Offline storage | After creation | Critical |
| Intermediate CA Key | Server | Daily | High |
| PQ Key Store | %LOCALAPPDATA%\WvdS.Crypto\PqKeys\ | Daily | High |
| Certificates (PFX) | Application directory | After creation | Medium |
Backup script (Linux):
#!/bin/bash BACKUP_DIR="/backup/pq-crypto/$(date +%Y%m%d)" mkdir -p "$BACKUP_DIR" # PQ key store cp -r ~/.local/share/wvds-crypto/pqkeys/ "$BACKUP_DIR/" # Certificates cp /etc/ssl/certs/wvds-*.crt "$BACKUP_DIR/" # Secure permissions chmod 700 "$BACKUP_DIR" chmod 600 "$BACKUP_DIR"/* echo "Backup created: $BACKUP_DIR"
Important: The PQ key store is not included in Windows Certificate Store backups!
Monitor certificate expiration:
# All certificates expiring in < 30 days for cert in /etc/ssl/certs/*.crt; do expiry=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2) if [ -n "$expiry" ]; then expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null) now_epoch=$(date +%s) days_left=$(( (expiry_epoch - now_epoch) / 86400 )) if [ "$days_left" -lt 30 ]; then echo "WARNING: $cert expires in $days_left days" fi fi done
Renewal deadlines:
| Certificate Type | Renew before expiration |
|---|---|
| Root CA | 30 days |
| Intermediate CA | 14 days |
| End-Entity | 7 days |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional