Složenost: Niska
Trajanje: 1-4 sata (ovisno o veličini)
Preduvjet: Pristup svim sustavima
Potpuni popis svih certifikata kao osnova za migraciju.
| Razlog | Opis |
| ——– | —— |
| Opseg | Koliko certifikata treba migrirati? |
| Algoritmi | Koji algoritmi su u upotrebi? |
| Datumi isteka | Kada se certifikati mogu migrirati pri obnovi? |
| Ovisnosti | Koji sustavi su međusobno povezani? |
| Rizici | Gdje su kritični certifikati? |
#!/bin/bash # cert-inventory-linux.sh OUTPUT="inventory-linux-$(hostname)-$(date +%Y%m%d).csv" echo "Put,Subject,Issuer,Algoritam,Duljina_ključa,Vrijedi_od,Vrijedi_do,Preostali_dani,Serial,SANs" > "$OUTPUT" # Standardni direktoriji CERT_DIRS=( "/etc/ssl/certs" "/etc/pki/tls/certs" "/etc/nginx/ssl" "/etc/apache2/ssl" "/opt/*/ssl" "/var/lib/docker/volumes/*/ssl" ) for dir in "${CERT_DIRS[@]}"; do for cert in $(find $dir -name "*.pem" -o -name "*.crt" -o -name "*.cer" 2>/dev/null); do # Samo certifikati (bez ključeva/CSR-ova) openssl x509 -in "$cert" -noout 2>/dev/null || continue subject=$(openssl x509 -in "$cert" -subject -noout | sed 's/subject=//' | tr ',' ';') issuer=$(openssl x509 -in "$cert" -issuer -noout | sed 's/issuer=//' | tr ',' ';') algo=$(openssl x509 -in "$cert" -text -noout | grep "Signature Algorithm" | head -1 | awk '{print $3}') keysize=$(openssl x509 -in "$cert" -text -noout | grep "Public-Key:" | grep -oP '\d+') not_before=$(openssl x509 -in "$cert" -startdate -noout | cut -d= -f2) not_after=$(openssl x509 -in "$cert" -enddate -noout | cut -d= -f2) days_left=$(( ($(date -d "$not_after" +%s) - $(date +%s)) / 86400 )) serial=$(openssl x509 -in "$cert" -serial -noout | cut -d= -f2) sans=$(openssl x509 -in "$cert" -text -noout | grep -A1 "Subject Alternative Name" | tail -1 | tr ',' ';') echo "\"$cert\",\"$subject\",\"$issuer\",\"$algo\",\"$keysize\",\"$not_before\",\"$not_after\",\"$days_left\",\"$serial\",\"$sans\"" >> "$OUTPUT" done done echo "Inventura završena: $OUTPUT" echo "Pronađeni certifikati: $(tail -n +2 "$OUTPUT" | wc -l)"
# Cert-Inventory-Windows.ps1 param( [string]$OutputPath = "inventory-windows-$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd').csv" ) $results = @() # Pretraživanje svih spremišta certifikata $stores = @( @{ Location = "LocalMachine"; Name = "My" }, @{ Location = "LocalMachine"; Name = "Root" }, @{ Location = "LocalMachine"; Name = "CA" }, @{ Location = "LocalMachine"; Name = "WebHosting" }, @{ Location = "CurrentUser"; Name = "My" } ) foreach ($store in $stores) { $storePath = "Cert:\$($store.Location)\$($store.Name)" Get-ChildItem $storePath -ErrorAction SilentlyContinue | ForEach-Object { $cert = $_ $daysLeft = ($cert.NotAfter - (Get-Date)).Days # Ekstrakcija SAN-ova $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } $sans = if ($sanExt) { $sanExt.Format($false) } else { "" } $results += [PSCustomObject]@{ Store = "$($store.Location)\$($store.Name)" Subject = $cert.Subject Issuer = $cert.Issuer Algorithm = $cert.SignatureAlgorithm.FriendlyName KeySize = $cert.PublicKey.Key.KeySize NotBefore = $cert.NotBefore NotAfter = $cert.NotAfter DaysLeft = $daysLeft Serial = $cert.SerialNumber Thumbprint = $cert.Thumbprint SANs = $sans HasPrivateKey = $cert.HasPrivateKey } } } $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 Write-Host "Inventura završena: $OutputPath" Write-Host "Pronađeni certifikati: $($results.Count)"
#!/bin/bash # cert-inventory-network.sh OUTPUT="inventory-network-$(date +%Y%m%d).csv" ENDPOINTS_FILE="endpoints.txt" echo "Endpoint,Subject,Issuer,Algoritam,Duljina_ključa,Vrijedi_do,Dani,Serial" > "$OUTPUT" # Endpointi iz datoteke ili CMDB/DNS # Format: hostname:port cat "$ENDPOINTS_FILE" | while read endpoint; do host=${endpoint%:*} port=${endpoint#*:} [ -z "$port" ] && port=443 echo "Skeniranje $host:$port..." cert_info=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | openssl x509 -text -noout 2>/dev/null) if [ -n "$cert_info" ]; then subject=$(echo "$cert_info" | grep "Subject:" | head -1 | sed 's/.*Subject: //' | tr ',' ';') issuer=$(echo "$cert_info" | grep "Issuer:" | head -1 | sed 's/.*Issuer: //' | tr ',' ';') algo=$(echo "$cert_info" | grep "Signature Algorithm" | head -1 | awk '{print $3}') keysize=$(echo "$cert_info" | grep "Public-Key:" | grep -oP '\d+') not_after=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | openssl x509 -enddate -noout | cut -d= -f2) days_left=$(( ($(date -d "$not_after" +%s) - $(date +%s)) / 86400 )) serial=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | openssl x509 -serial -noout | cut -d= -f2) echo "\"$endpoint\",\"$subject\",\"$issuer\",\"$algo\",\"$keysize\",\"$not_after\",\"$days_left\",\"$serial\"" >> "$OUTPUT" else echo "\"$endpoint\",\"CONNECTION FAILED\",\"\",\"\",\"\",\"\",\"\",\"\"" >> "$OUTPUT" fi done echo "Mrežna inventura završena: $OUTPUT"
#!/bin/bash # cert-inventory-ca.sh - Iz OpenSSL CA-Index CA_INDEX="/etc/pki/CA/index.txt" OUTPUT="inventory-ca-$(date +%Y%m%d).csv" echo "Status,Serial,Istek,Subject,Datoteka" > "$OUTPUT" while IFS=$'\t' read -r status expiry revoke serial unknown subject; do # Status: V=Valid, R=Revoked, E=Expired status_text="" case "$status" in V) status_text="Valid" ;; R) status_text="Revoked" ;; E) status_text="Expired" ;; esac # Konverzija datuma isteka (YYMMDDHHMMSSZ format) expiry_formatted=$(date -d "20${expiry:0:2}-${expiry:2:2}-${expiry:4:2}" +%Y-%m-%d 2>/dev/null) # Datoteka certifikata cert_file="/etc/pki/CA/newcerts/${serial}.pem" echo "\"$status_text\",\"$serial\",\"$expiry_formatted\",\"$subject\",\"$cert_file\"" >> "$OUTPUT" done < "$CA_INDEX" echo "CA inventura završena: $OUTPUT" echo "Certifikati:" echo " Valid: $(grep -c "^\"Valid\"" "$OUTPUT")" echo " Revoked: $(grep -c "^\"Revoked\"" "$OUTPUT")" echo " Expired: $(grep -c "^\"Expired\"" "$OUTPUT")"
#!/usr/bin/env python3 # analyze-inventory.py import pandas as pd from datetime import datetime # Učitavanje svih inventurnih datoteka df = pd.concat([ pd.read_csv('inventory-linux*.csv'), pd.read_csv('inventory-windows*.csv'), pd.read_csv('inventory-network*.csv') ]) # Analiza print("=== Sažetak inventure ===\n") print(f"Ukupni broj certifikata: {len(df)}") print("\n--- Po algoritmu ---") print(df['Algoritam'].value_counts()) print("\n--- Po duljini ključa ---") print(df['Duljina_ključa'].value_counts()) print("\n--- Analiza isteka ---") df['Preostali_dani'] = pd.to_numeric(df['Preostali_dani'], errors='coerce') print(f"Istekli: {len(df[df['Preostali_dani'] < 0])}") print(f"< 30 dana: {len(df[(df['Preostali_dani'] >= 0) & (df['Preostali_dani'] < 30)])}") print(f"30-90 dana: {len(df[(df['Preostali_dani'] >= 30) & (df['Preostali_dani'] < 90)])}") print(f"90-365 dana: {len(df[(df['Preostali_dani'] >= 90) & (df['Preostali_dani'] < 365)])}") print(f"> 1 godina: {len(df[df['Preostali_dani'] >= 365])}") print("\n--- Potencijal migracije ---") rsa = len(df[df['Algoritam'].str.contains('rsa', case=False, na=False)]) ecdsa = len(df[df['Algoritam'].str.contains('ecdsa|ec', case=False, na=False)]) hybrid = len(df[df['Algoritam'].str.contains('ml-dsa|hybrid', case=False, na=False)]) print(f"RSA (za migraciju): {rsa}") print(f"ECDSA (za migraciju): {ecdsa}") print(f"Hybrid (već gotovo): {hybrid}") # Eksport za planiranje migracije df.to_excel('inventory-complete.xlsx', index=False) print("\nPotpuna inventura eksportirana: inventory-complete.xlsx")
| Kategorija | Broj | Migracija |
| ———— | —— | ———– |
| Algoritam | ||
| RSA-2048 | 150 | → Hibridno |
| RSA-4096 | 30 | → Hibridno |
| ECDSA P-256 | 80 | → Hibridno |
| ECDSA P-384 | 20 | → Hibridno |
| ML-DSA/Hybrid | 5 | ✓ Gotovo |
| Istek | ||
| < 30 dana | 12 | Odmah migrirati |
| 30-90 dana | 25 | Faza 1 |
| 90-365 dana | 100 | Faza 2 |
| > 1 godina | 148 | Faza 3 |
| Kritičnost | ||
| Vanjski pristup | 40 | Prioritet 1 |
| Interno kritično | 80 | Prioritet 2 |
| Development | 165 | Prioritet 3 |
| # | Točka provjere | ✓ |
| — | —————- | — |
| 1 | Svi Linux serveri skenirani | ☐ |
| 2 | Svi Windows serveri skenirani | ☐ |
| 3 | Svi TLS endpointi skenirani | ☐ |
| 4 | CA baza podataka eksportirana | ☐ |
| 5 | Podaci konsolidirani | ☐ |
| 6 | Analiza provedena | ☐ |
| 7 | Plan migracije kreiran | ☐ |
« ← Rollback strategija | → Operator scenariji »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional