Sie befinden sich hier: start » hr » Interna dokumentacija » WvdS Kripto-biblioteka » 6. Scenariji » Kratka referenca » Izgradnja PKI-infrastrukture

Inhaltsverzeichnis

Izgradnja PKI-infrastrukture

Kompaktne upute za izgradnju PQ-sposobne PKI. → Detalji: PKI-scenariji

Hijerarhija

Root-CA (Offline, ML-DSA-87)
    └── Intermediate-CA (Online, ML-DSA-65)
            ├── Serverski certifikati (Hybrid: ECDSA + ML-DSA)
            ├── Klijentski certifikati (ML-DSA-65)
            └── Korisnički certifikati (ML-DSA-65)

1. Root-CA

using var mlDsa = MlDsaSigner.Create(MlDsaParameterSet.MlDsa87);
 
var rootDn = new X500DistinguishedNameBuilder();
rootDn.AddCommonName("WvdS Root CA");
rootDn.AddOrganizationName("EMSR DATA d.o.o.");
 
var request = new CertificateRequest(rootDn.Build(), mlDsa, HashAlgorithmName.SHA512);
 
request.CertificateExtensions.Add(
    new X509BasicConstraintsExtension(true, true, 2, true));
request.CertificateExtensions.Add(
    new X509KeyUsageExtension(
        X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
 
var rootCert = request.CreateSelfSigned(
    DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(20));
 
File.WriteAllBytes("root-ca.pfx", rootCert.Export(X509ContentType.Pfx, "lozinka"));

Detalji: Kreiranje Root-CA

2. Intermediate-CA

var rootCert = new X509Certificate2("root-ca.pfx", "lozinka");
using var mlDsa = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
 
var dn = new X500DistinguishedNameBuilder();
dn.AddCommonName("WvdS Intermediate CA");
 
var csr = new CertificateRequest(dn.Build(), mlDsa, HashAlgorithmName.SHA384);
csr.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, true, 0, true));
csr.CertificateExtensions.Add(
    new X509KeyUsageExtension(
        X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
 
var serial = new byte[20];
RandomNumberGenerator.Fill(serial);
serial[0] &= 0x7F;
 
var intCert = csr.Create(rootCert, DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddYears(10), serial);

Detalji: Kreiranje Intermediate-CA

3. Trust Store

var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(new X509Certificate2("root-ca.crt"));
store.Close();

Detalji: Konfiguracija Trust Store

Preporuke

Komponenta Algoritam Valjanost
Root-CA ML-DSA-87 20-30 godina
Intermediate-CA ML-DSA-65 5-10 godina
End-Entity Hybrid ili ML-DSA-65 1-2 godine

« ← Kratka referenca | → PKI-scenariji (Detalji) »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

, , ,
Zuletzt geändert: 30.01.2026. u 08:48

Seiten-Werkzeuge