Operator Scenarios

Target Audience: System administrators, PKI operators, DevOps
Focus: Daily operations, runbooks, checklists, automation

Practice-oriented guides for the operational management of a PQ-capable PKI.


Overview

```mermaid
flowchart TB
    subgraph DAILY["📋 DAILY OPERATIONS"]
        D1[Issue certificate]
        D2[Renew certificate]
        D3[Revoke certificate]
        D4[Health Check]
    end
    subgraph AUTO["⚙️ AUTOMATION"]
        A1[ACME/Let's Encrypt]
        A2[CI/CD Signing]
        A3[Kubernetes Cert-Manager]
        A4[Scheduled Renewal]
    end
    subgraph MON["📊 MONITORING"]
        M1[Expiration monitoring]
        M2[Revocation check]
        M3[Audit logging]
        M4[Alerting]
    end
    subgraph MIG["🔄 MIGRATION"]
        G1[Classic → Hybrid]
        G2[Parallel operation]
        G3[Rollback]
        G4[Inventory]
    end
    subgraph DR["🛡️ DISASTER RECOVERY"]
        R1[CA Backup/Restore]
        R2[Key Ceremony]
        R3[Emergency revocation]
    end
    subgraph CLOUD["☁️ CLOUD"]
        C1[Azure Key Vault]
        C2[AWS KMS]
        C3[HashiCorp Vault]
    end
    DAILY --> AUTO
    AUTO --> MON
    MON --> MIG
    MIG --> DR
    style D1 fill:#e8f5e9
    style A1 fill:#fff3e0
    style M1 fill:#e3f2fd
    style G1 fill:#fce4ec
```


Categories

Daily Operations

Runbooks for daily operational tasks.

Runbook              Description                          Duration
Issue certificate    Review CSR, sign, deliver            ~10 min
Renew certificate    Renew expiring certificates          ~15 min
Revoke certificate   Revoke compromised certificates      ~5 min
Health Check         Daily system check                   ~5 min

Automation

Priority 1 – Reduces manual work and errors

Scenario                  Description                        Complexity
ACME Integration          Let's Encrypt / ACME protocol      Medium
CI/CD Code Signing        Automatic signing in pipelines     High
Kubernetes Cert-Manager   Certificates in K8s                High
Scheduled Renewal         Automatic renewal                  Low

Monitoring & Alerting

Priority 2 – Critical for production operations

Scenario                Description                               Tools
Expiration Monitoring   Monitor certificate expiration            Prometheus, Grafana
Revocation Check        CRL/OCSP availability                     curl, PowerShell
Audit Logging           Logging that meets compliance requirements   Syslog, ELK
Alerting Setup          Configure notifications                   PagerDuty, Teams

Migration

Priority 3 – For existing PKI infrastructures

Scenario                Description                              Risk
Classic → Hybrid        Migrate RSA/ECDSA to Hybrid              Medium
Parallel Operation      Classic + PQ simultaneously              Low
Rollback Strategy       Plan emergency fallback                  -
Certificate Inventory   Inventory of all certificates in use     Low

Disaster Recovery

Scenario               Description                      Critical
CA Backup/Restore      Backup and restore CA keys       Yes
Key Ceremony           Secure key generation            Yes
Emergency Revocation   Mass revocation                  Yes

Cloud Integration

Scenario           Cloud HSM
Azure Key Vault    Azure Managed HSM
AWS KMS            AWS CloudHSM
HashiCorp Vault    Multi-Cloud Transit

Quick Start for Operators

Day 1: Basics

  1. Perform Health Check

Week 1: Automation

Month 1: Production

  1. Set up alerting
  2. Implement backup strategy


Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/30 at 06:29 AM