Operativni zadaci za PQ-kriptografsku infrastrukturu.
Redovito provodite ove provjere:
# Je li OpenSSL dostupan? openssl version # Očekivano: OpenSSL 3.6.0 ili noviji # Jesu li PQ-algoritmi aktivni? openssl list -signature-algorithms | grep -i "ml-dsa" | head -1 # Očekivano: ML-DSA-44, ML-DSA-65, ili ML-DSA-87
Linux/macOS:
#!/bin/bash echo "=== WvdS PQ Crypto Health Check ===" # 1. OpenSSL echo -n "OpenSSL: " openssl version | grep -q "3\.[6-9]\|[4-9]\." && echo "OK" || echo "FAIL (Verzija prestara)" # 2. ML-DSA podrška echo -n "ML-DSA: " openssl list -signature-algorithms 2>/dev/null | grep -qi "ml-dsa" && echo "OK" || echo "FAIL" # 3. ML-KEM podrška echo -n "ML-KEM: " openssl list -kem-algorithms 2>/dev/null | grep -qi "ml-kem" && echo "OK" || echo "FAIL" # 4. Provider echo -n "Provider: " openssl list -providers | grep -q "default" && echo "OK" || echo "FAIL" # 5. FIPS (opcionalno) echo -n "FIPS: " openssl list -providers | grep -qi "fips" && echo "OK" || echo "Nije konfigurirano" # 6. .NET Runtime echo -n ".NET 8: " dotnet --list-runtimes 2>/dev/null | grep -q "NETCore.App 8" && echo "OK" || echo "FAIL" echo "=== Health provjera završena ==="
Windows (PowerShell):
Write-Host "=== WvdS PQ Crypto Health Check ===" -ForegroundColor Cyan # 1. OpenSSL $opensslVersion = & openssl version 2>$null if ($opensslVersion -match "3\.[6-9]") { Write-Host "OpenSSL: OK ($opensslVersion)" -ForegroundColor Green } else { Write-Host "OpenSSL: FAIL" -ForegroundColor Red } # 2. ML-DSA $mldsa = & openssl list -signature-algorithms 2>$null | Select-String "ML-DSA" if ($mldsa) { Write-Host "ML-DSA: OK" -ForegroundColor Green } else { Write-Host "ML-DSA: FAIL" -ForegroundColor Red } # 3. ML-KEM $mlkem = & openssl list -kem-algorithms 2>$null | Select-String "ML-KEM" if ($mlkem) { Write-Host "ML-KEM: OK" -ForegroundColor Green } else { Write-Host "ML-KEM: FAIL" -ForegroundColor Red } # 4. .NET $dotnet = & dotnet --list-runtimes 2>$null | Select-String "NETCore.App 8" if ($dotnet) { Write-Host ".NET 8: OK" -ForegroundColor Green } else { Write-Host ".NET 8: FAIL" -ForegroundColor Red } Write-Host "=== Health provjera završena ===" -ForegroundColor Cyan
Klasično (RSA 4096):
# 1. Generiranje privatnog ključa openssl genpkey -algorithm RSA -out root-ca.key -pkeyopt rsa_keygen_bits:4096 # 2. Kreiranje samopotpisane Root CA openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 \ -subj "/C=DE/O=Organisation/CN=Root CA" # 3. Prikaz certifikata openssl x509 -in root-ca.crt -text -noout
Post-kvantno (ML-DSA-65):
# 1. Generiranje ML-DSA privatnog ključa openssl genpkey -algorithm ML-DSA-65 -out root-ca-pq.key # 2. Kreiranje samopotpisane PQ Root CA openssl req -new -x509 -key root-ca-pq.key -out root-ca-pq.crt -days 3650 \ -subj "/C=DE/O=Organisation/CN=PQ Root CA" # 3. Prikaz certifikata openssl x509 -in root-ca-pq.crt -text -noout
# 1. Privatni ključ za Intermediate openssl genpkey -algorithm RSA -out intermediate.key -pkeyopt rsa_keygen_bits:4096 # 2. Kreiranje CSR-a openssl req -new -key intermediate.key -out intermediate.csr \ -subj "/C=DE/O=Organisation/CN=Intermediate CA" # 3. Potpisivanje od strane Root CA (s CA proširenjima) openssl x509 -req -in intermediate.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out intermediate.crt -days 1825 \ -extfile <(echo "basicConstraints=critical,CA:TRUE,pathlen:0 keyUsage=critical,keyCertSign,cRLSign") # 4. Provjera lanca openssl verify -CAfile root-ca.crt intermediate.crt
# 1. Privatni ključ openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048 # 2. CSR sa SAN (Subject Alternative Name) openssl req -new -key server.key -out server.csr \ -subj "/C=DE/O=Organisation/CN=server.example.com" \ -addext "subjectAltName=DNS:server.example.com,DNS:www.example.com" # 3. Potpisivanje od strane Intermediate openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \ -CAcreateserial -out server.crt -days 365 \ -extfile <(echo "basicConstraints=CA:FALSE keyUsage=critical,digitalSignature,keyEncipherment extendedKeyUsage=serverAuth,clientAuth subjectAltName=DNS:server.example.com,DNS:www.example.com") # 4. Verifikacija potpunog lanca openssl verify -CAfile root-ca.crt -untrusted intermediate.crt server.crt
# Prikaz detalja certifikata openssl x509 -in cert.crt -text -noout # Samo Subject i Issuer openssl x509 -in cert.crt -subject -issuer -noout # Razdoblje valjanosti openssl x509 -in cert.crt -dates -noout # Otisak prsta openssl x509 -in cert.crt -fingerprint -sha256 -noout # Izdvajanje javnog ključa openssl x509 -in cert.crt -pubkey -noout # Algoritam potpisa openssl x509 -in cert.crt -text -noout | grep "Signature Algorithm"
# PEM u DER openssl x509 -in cert.pem -outform DER -out cert.der # DER u PEM openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem # PEM u PKCS#12 (PFX) openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca-chain.crt # PKCS#12 u PEM (certifikat + ključ) openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes
Uvoz CA certifikata (PowerShell kao administrator):
# Root CA u Trusted Root Certification Authorities Import-Certificate -FilePath "root-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root # Intermediate CA u Intermediate Certification Authorities Import-Certificate -FilePath "intermediate.crt" -CertStoreLocation Cert:\LocalMachine\CA # Verifikacija Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Root CA*"}
Popis certifikata:
# Sve Root CA Get-ChildItem Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter # Certifikati koji ističu (< 30 dana) Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.NotAfter -lt (Get-Date).AddDays(30)} | Format-Table Subject, NotAfter
Uklanjanje certifikata:
# Po otisku prsta Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "ABC123..."} | Remove-Item
Debian/Ubuntu:
# Dodavanje CA certifikata sudo cp root-ca.crt /usr/local/share/ca-certificates/wvds-root-ca.crt sudo update-ca-certificates # Verifikacija ls /etc/ssl/certs/ | grep wvds # Uklanjanje certifikata sudo rm /usr/local/share/ca-certificates/wvds-root-ca.crt sudo update-ca-certificates --fresh
RHEL/CentOS:
# Dodavanje CA certifikata sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/wvds-root-ca.crt sudo update-ca-trust # Verifikacija trust list | grep -A2 "WvdS"
# Dodavanje CA u System Keychain sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root-ca.crt # Verifikacija security find-certificate -a -c "Root CA" /Library/Keychains/System.keychain
Komponente za sigurnosno kopiranje:
| Komponenta | Putanja | Učestalost | Prioritet |
|---|---|---|---|
| Root CA privatni ključ | Offline pohrana | Nakon kreiranja | Kritično |
| Intermediate CA ključ | Server | Dnevno | Visok |
| PQ-pohrana ključeva | %LOCALAPPDATA%\WvdS.Crypto\PqKeys\ | Dnevno | Visok |
| Certifikati (PFX) | Direktorij aplikacije | Nakon kreiranja | Srednji |
Skripta za sigurnosno kopiranje (Linux):
#!/bin/bash BACKUP_DIR="/backup/pq-crypto/$(date +%Y%m%d)" mkdir -p "$BACKUP_DIR" # PQ-pohrana ključeva cp -r ~/.local/share/wvds-crypto/pqkeys/ "$BACKUP_DIR/" # Certifikati cp /etc/ssl/certs/wvds-*.crt "$BACKUP_DIR/" # Osiguravanje dozvola chmod 700 "$BACKUP_DIR" chmod 600 "$BACKUP_DIR"/* echo "Sigurnosna kopija kreirana: $BACKUP_DIR"
Važno: PQ-pohrana ključeva nije uključena u sigurnosnu kopiju Windows Certificate Store!
Praćenje isteka certifikata:
# Svi certifikati s datumom isteka < 30 dana for cert in /etc/ssl/certs/*.crt; do expiry=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2) if [ -n "$expiry" ]; then expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null) now_epoch=$(date +%s) days_left=$(( (expiry_epoch - now_epoch) / 86400 )) if [ "$days_left" -lt 30 ]; then echo "UPOZORENJE: $cert ističe za $days_left dana" fi fi done
Rokovi za obnovu:
| Tip certifikata | Obnova prije isteka |
|---|---|
| Root CA | 30 dana |
| Intermediate CA | 14 dana |
| End-Entity | 7 dana |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional