Inhaltsverzeichnis
Classic → Hybrid migracija
Složenost: Srednja
Trajanje: 6-12 mjeseci (potpuno)
Rizik: Nizak-Srednji
Postupna migracija s klasičnog PKI-a (RSA/ECDSA) na hibridni način (Klasično + ML-DSA).
Pregled
flowchart TB
subgraph PHASE1["Faza 1: Priprema"]
P1A[Inventura]
P1B[Testno okruženje]
P1C[Ažuriranje alata]
end
subgraph PHASE2["Faza 2: Infrastruktura"]
P2A[Root-CA Hybrid]
P2B[Intermediate-CA]
P2C[CRL/OCSP ažuriranje]
end
subgraph PHASE3["Faza 3: Rollout"]
P3A[Server certifikati]
P3B[Klijent certifikati]
P3C[Code-Signing]
end
subgraph PHASE4["Faza 4: Validacija"]
P4A[Monitoring]
P4B[Audit]
P4C[Dokumentacija]
end
P1A --> P1B --> P1C --> P2A
P2A --> P2B --> P2C --> P3A
P3A --> P3B --> P3C --> P4A
P4A --> P4B --> P4C
style P2A fill:#fff3e0
style P3A fill:#e8f5e9
Faza 1: Priprema (1-2 mjeseca)
1.1 Provođenje inventure
#!/bin/bash # inventory-certs.sh - Inventura certifikata echo "=== Inventura certifikata $(date) ===" > inventory.csv echo "Put,Subject,Algoritam,Veličina ključa,Istek,Dani" >> inventory.csv # Lokalni certifikati for cert in /etc/ssl/certs/*.pem /etc/pki/tls/certs/*.pem; do [ -f "$cert" ] || continue subject=$(openssl x509 -in "$cert" -subject -noout 2>/dev/null | sed 's/subject=//') algo=$(openssl x509 -in "$cert" -text -noout 2>/dev/null | grep "Public Key Algorithm" | awk '{print $4}') keysize=$(openssl x509 -in "$cert" -text -noout 2>/dev/null | grep "Public-Key:" | grep -oP '\d+') expiry=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2) days=$(( ($(date -d "$expiry" +%s) - $(date +%s)) / 86400 )) echo "\"$cert\",\"$subject\",\"$algo\",\"$keysize\",\"$expiry\",\"$days\"" >> inventory.csv done # Udaljeni endpointi ENDPOINTS=( "api.example.com:443" "web.example.com:443" "mail.example.com:465" ) for endpoint in "${ENDPOINTS[@]}"; do host=${endpoint%:*} port=${endpoint#*:} cert_info=$(echo | openssl s_client -connect "$endpoint" -servername "$host" 2>/dev/null | openssl x509 -text -noout 2>/dev/null) # ... analogno evaluirati done echo "Inventura završena: inventory.csv"
→ Detalji: Inventura certifikata
1.2 Postavljanje testnog okruženja
# Docker-bazirani test-PKI docker run -d --name test-ca \ -v /test-pki:/pki \ -e OPENSSL_CONF=/pki/openssl.cnf \ alpine/openssl # OpenSSL 3.6 za PQ docker exec test-ca openssl version # OpenSSL 3.6.0 ... # Test: Kreiranje hibridnog certifikata docker exec test-ca openssl genpkey -algorithm ML-DSA-65 -out /pki/test-mldsa.key
1.3 Ažuriranje alata
| Alat | Min. verzija | PQ podrška |
| —— | ————– | ———— |
| OpenSSL | 3.6.0 | ML-DSA, ML-KEM |
| .NET | 9.0+ | Putem WvdS.System.Security.Cryptography |
| Java | 21+ | Putem BouncyCastle 1.78 |
| curl | 8.5+ | Hibridni TLS |
Faza 2: Infrastruktura (2-3 mjeseca)
2.1 Migracija Root-CA na hibridni način
Migracija Root-CA je najkritičniji korak. Pažljivo planirajte i temeljito testirajte.
Opcija A: Novi hibridni Root-CA (preporučeno)
// Kreiranje novog hibridnog Root-CA using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384); var request = new CertificateRequest( "CN=My Organization Root CA - Hybrid, O=My Organization", ecdsa, HashAlgorithmName.SHA384); // CA ekstenzije request.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, true, 2, true)); request.CertificateExtensions.Add( new X509KeyUsageExtension( X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true)); // Hibridni Self-Signed (ECDSA + ML-DSA) var hybridRoot = request.CreateSelfSigned( DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(25), CryptoMode.Hybrid); // Eksport File.WriteAllBytes("hybrid-root-ca.pfx", hybridRoot.Export(X509ContentType.Pfx, "secure-password"));
Opcija B: Cross-certifikacija (prijelaz)
// Stari Root-CA cross-certificira novi hibridni CA using var oldRoot = new X509Certificate2("old-root.pfx", "password"); using var newHybridRoot = new X509Certificate2("hybrid-root.pfx", "password"); // Kreiranje cross-certifikata var crossCertRequest = new CertificateRequest( newHybridRoot.SubjectName, newHybridRoot.GetECDsaPublicKey()!, HashAlgorithmName.SHA384); // Potpisano od starog Roota var crossCert = crossCertRequest.Create( oldRoot, newHybridRoot.NotBefore, newHybridRoot.NotAfter, newHybridRoot.SerialNumberBytes.ToArray());
2.2 Migracija Intermediate-CA
# Novi hibridni Intermediate-CA # 1. Generiranje ključa openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out intermediate.key # 2. Kreiranje CSR-a openssl req -new -key intermediate.key \ -out intermediate.csr \ -subj "/CN=My Organization Intermediate CA - Hybrid/O=My Organization" # 3. Potpisivanje s Hybrid-Root (s WvdS-om)
// Potpisivanje Intermediate s Hybrid-Root using var hybridRoot = new X509Certificate2("hybrid-root.pfx", "password"); var intermediateCsr = CertificateRequest.LoadSigningRequest( File.ReadAllBytes("intermediate.csr"), HashAlgorithmName.SHA384); // Dodavanje CA ekstenzija intermediateCsr.CertificateExtensions.Add( new X509BasicConstraintsExtension(true, true, 1, true)); var intermediate = intermediateCsr.Create( hybridRoot, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(10), Guid.NewGuid().ToByteArray(), CryptoMode.Hybrid);
2.3 CRL/OCSP ažuriranje
// Kreiranje hibridno potpisane CRL var crlBuilder = new CertificateRevocationListBuilder(); // Preuzimanje starih CRL unosa foreach (var entry in existingCrlEntries) { crlBuilder.AddEntry(entry.SerialNumber, entry.RevocationDate, entry.Reason); } // Potpisivanje s hibridnim CA byte[] newCrl = crlBuilder.Build( hybridIntermediate, newCrlNumber, DateTimeOffset.UtcNow.AddDays(7), HashAlgorithmName.SHA384, CryptoMode.Hybrid);
Faza 3: Rollout (3-6 mjeseci)
3.1 Server certifikati
Matrica prioriteta:
| Tip servera | Prioritet | Razlog |
| ————- | ———– | ——– |
| Extern-facing API | Visok | Najveći rizik |
| Interni mikroservisi | Srednji | Lateralno kretanje |
| Development | Nizak | Testno okruženje |
# Batch obnova s hibridnim for server in $(cat servers.txt); do # Kreiranje CSR-a ssh "$server" "openssl req -new -key /etc/ssl/private/server.key \ -out /tmp/renew.csr -subj \"/CN=$server\"" # Preuzimanje CSR-a scp "$server:/tmp/renew.csr" "./csrs/$server.csr" # Izdavanje hibridnog certifikata (putem API-ja ili skripte) ./sign-hybrid.sh "./csrs/$server.csr" "./certs/$server.pem" # Deployment certifikata scp "./certs/$server.pem" "$server:/etc/ssl/certs/server.pem" ssh "$server" "systemctl reload nginx" done
3.2 Klijent certifikati
// Izdavanje klijent certifikata s hibridnim var clientCsr = CertificateRequest.LoadSigningRequest(csrBytes, HashAlgorithmName.SHA384); clientCsr.CertificateExtensions.Add( new X509EnhancedKeyUsageExtension( new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, // Client Auth false)); var clientCert = clientCsr.Create( intermediate, DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1), Guid.NewGuid().ToByteArray(), CryptoMode.Hybrid);
3.3 Code-Signing certifikati
→ Pogledajte CI/CD Code-Signing za integraciju u pipeline
Faza 4: Validacija (1-2 mjeseca)
4.1 Aktivacija monitoringa
# Prometheus Alert za hibridni status - alert: NonHybridCertificateInProduction expr: x509_cert_algorithm{env="production"} !~ ".*ML-DSA.*|.*Hybrid.*" for: 24h labels: severity: warning annotations: summary: "Ne-hibridni certifikat u produkciji: {{ $labels.filepath }}"
4.2 Kontrolna lista
| # | Točka provjere | Status |
| — | —————- | ——– |
| 1 | Svi CA certifikati na hibridnom | ☐ |
| 2 | Svi server certifikati obnovljeni | ☐ |
| 3 | CRL/OCSP s hibridnim potpisan | ☐ |
| 4 | Trust Storeovi ažurirani | ☐ |
| 5 | Monitoring ne pokazuje samo klasične | ☐ |
| 6 | Rollback testiran | ☐ |
| 7 | Dokumentacija ažurirana | ☐ |
Rollback plan
Kod problema:
# 1. Povratak na klasični CA export CA_CERT=/etc/pki/CA/classic-intermediate.pem export CA_KEY=/etc/pki/CA/classic-intermediate.key # 2. Ponovno izdavanje certifikata s klasičnim CA ./issue-classic.sh # 3. Opoziv hibridnih CA certifikata (ako je potrebno) ./revoke-hybrid-certs.sh
→ Detalji: Rollback strategija
Povezana dokumentacija
- Paralelni rad – Alternativna strategija
- Inventura – Detaljan popis
- Kripto načini – Objašnjenje hibridnog
« ← Migracija | → Paralelni rad »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: 30.01.2026. u 06:25
