Složenost: Srednja
Trajanje: Neograničeno (dok se Classic ne isključi)
Rizik: Nizak
Istovremeni rad klasičnog i Post-Quantum PKI-a za maksimalnu kompatibilnost.
| Scenarij | Preporuka |
| ———- | ———– |
| Legacy sustavi se ne mogu ažurirati | ✓ Paralelno |
| Postupna migracija tijekom godina | ✓ Paralelno |
| Regulatorni zahtjevi za povratnu kompatibilnost | ✓ Paralelno |
| Greenfield / Novi projekt | ✗ Direktno Hibridno |
| Svi klijenti se mogu ažurirati | ✗ Hibridna migracija |
/etc/pki/
├── classic/
│ ├── root-ca.pem
│ ├── intermediate-ca.pem
│ ├── intermediate-ca.key
│ ├── crl/
│ └── issued/
├── hybrid/
│ ├── root-ca.pem
│ ├── intermediate-ca.pem
│ ├── intermediate-ca.key
│ ├── crl/
│ └── issued/
└── scripts/
├── issue-classic.sh
├── issue-hybrid.sh
└── issue-both.sh
#!/bin/bash # /etc/pki/scripts/issue-both.sh # Izdaje certifikat od OBA PKI-a CSR_FILE="$1" OUTPUT_PREFIX="$2" if [ -z "$CSR_FILE" ] || [ -z "$OUTPUT_PREFIX" ]; then echo "Usage: $0 <csr-file> <output-prefix>" exit 1 fi # Izdavanje klasičnog certifikata echo "Izdavanje klasičnog certifikata..." openssl ca -config /etc/pki/classic/openssl.cnf \ -in "$CSR_FILE" \ -out "${OUTPUT_PREFIX}-classic.pem" \ -days 365 \ -batch # Izdavanje hibridnog certifikata echo "Izdavanje hibridnog certifikata..." /usr/local/bin/wvds-sign --mode hybrid \ --ca /etc/pki/hybrid/intermediate-ca.pfx \ --csr "$CSR_FILE" \ --out "${OUTPUT_PREFIX}-hybrid.pem" \ --days 365 echo "Gotovo:" echo " Klasično: ${OUTPUT_PREFIX}-classic.pem" echo " Hibridno: ${OUTPUT_PREFIX}-hybrid.pem"
server { listen 443 ssl; server_name api.example.com; # Primarno: Hibridni certifikat ssl_certificate /etc/ssl/certs/api-hybrid.pem; ssl_certificate_key /etc/ssl/private/api.key; # Fallback: Klasični certifikat (za stare klijente) # Napomena: Nginx podržava samo jedan certifikat po server bloku # Za pravi dual-mode: Zasebni server blokovi ili SNI } # Alternativa: Zasebni server za Legacy server { listen 443 ssl; server_name api-legacy.example.com; ssl_certificate /etc/ssl/certs/api-classic.pem; ssl_certificate_key /etc/ssl/private/api.key; }
<VirtualHost *:443> ServerName api.example.com # Moderni klijenti → Hibridno SSLCertificateFile /etc/ssl/certs/api-hybrid.pem SSLCertificateKeyFile /etc/ssl/private/api.key SSLCertificateChainFile /etc/ssl/certs/hybrid-chain.pem </VirtualHost> <VirtualHost *:443> ServerName api-legacy.example.com # Legacy klijenti → Klasično SSLCertificateFile /etc/ssl/certs/api-classic.pem SSLCertificateKeyFile /etc/ssl/private/api.key SSLCertificateChainFile /etc/ssl/certs/classic-chain.pem </VirtualHost>
# Trust Store s oba Root-CA cat /etc/pki/classic/root-ca.pem /etc/pki/hybrid/root-ca.pem > /etc/ssl/certs/ca-bundle.pem # Ili pojedinačno dodati update-ca-trust extract
# Uvoz oba Root-CA Import-Certificate -FilePath "classic-root.cer" -CertStoreLocation Cert:\LocalMachine\Root Import-Certificate -FilePath "hybrid-root.cer" -CertStoreLocation Cert:\LocalMachine\Root
# CRL Distribution Points # Klasično: http://crl.example.com/classic/intermediate.crl # Hibridno: http://crl.example.com/hybrid/intermediate.crl # Nginx za distribuciju CRL-a location /crl/classic/ { alias /etc/pki/classic/crl/; types { application/pkix-crl crl; } } location /crl/hybrid/ { alias /etc/pki/hybrid/crl/; types { application/pkix-crl crl; } }
# Prometheus: Nadzor oba PKI-a scrape_configs: - job_name: 'pki-classic' static_configs: - targets: ['localhost:9793'] params: path: ['/etc/pki/classic/issued/*.pem'] relabel_configs: - target_label: pki replacement: 'classic' - job_name: 'pki-hybrid' static_configs: - targets: ['localhost:9793'] params: path: ['/etc/pki/hybrid/issued/*.pem'] relabel_configs: - target_label: pki replacement: 'hybrid'
Metrike nadzorne ploče:
| Metrika | Klasično | Hibridno |
| ——— | ———- | ———- |
| Aktivni certifikati | count(x509{pki=„classic“}) | count(x509{pki=„hybrid“}) |
| Istek < 30d | count(…) | count(…) |
| CRL Next Update | crl_next_update{pki=„classic“} | crl_next_update{pki=„hybrid“} |
#!/bin/bash # migration-status.sh - Napredak migracije echo "=== PKI Migration Status ===" classic_count=$(find /etc/pki/classic/issued -name "*.pem" | wc -l) hybrid_count=$(find /etc/pki/hybrid/issued -name "*.pem" | wc -l) total=$((classic_count + hybrid_count)) if [ "$total" -gt 0 ]; then hybrid_percent=$((hybrid_count * 100 / total)) else hybrid_percent=0 fi echo "Klasično: $classic_count" echo "Hibridno: $hybrid_count" echo "Ukupno: $total" echo "Migracija: $hybrid_percent%" # Grafički prikaz echo "" echo -n "Napredak: [" for i in $(seq 1 50); do if [ $i -le $((hybrid_percent / 2)) ]; then echo -n "█" else echo -n "░" fi done echo "] $hybrid_percent%"
Vremenski okvir:
| Faza | Akcija | Okidač |
| —— | ——– | ——– |
| Aktivno | Oba PKI-a izdaju | Početak |
| Prijelaz | Classic samo obnova | 80% Hibridno |
| Sunset | Classic samo ističe | 95% Hibridno |
| Kraj | Classic-CA offline | Svi Classic istekli |
| # | Točka provjere | ✓ |
| — | —————- | — |
| 1 | Oba PKI-a postavljena | ☐ |
| 2 | Dual-Issue skripte funkcioniraju | ☐ |
| 3 | Trust Storeovi sadrže oba CA | ☐ |
| 4 | CRL/OCSP dostupan za oba | ☐ |
| 5 | Monitoring aktivan za oba | ☐ |
| 6 | Praćenje migracije postavljeno | ☐ |
| 7 | Plan postupnog ukidanja dokumentiran | ☐ |
« ← Classic → Hybrid | → Rollback strategija »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional