Inhaltsverzeichnis
3.3 Operazioni
Attivita operative per l'infrastruttura crittografica PQ.
Health Check
Eseguire questi controlli regolarmente:
Check rapido (giornaliero)
# OpenSSL disponibile? openssl version # Atteso: OpenSSL 3.6.0 o superiore # Algoritmi PQ attivi? openssl list -signature-algorithms | grep -i "ml-dsa" | head -1 # Atteso: ML-DSA-44, ML-DSA-65, o ML-DSA-87
Health Check completo
Linux/macOS:
#!/bin/bash echo "=== WvdS PQ Crypto Health Check ===" # 1. OpenSSL echo -n "OpenSSL: " openssl version | grep -q "3\.[6-9]\|[4-9]\." && echo "OK" || echo "FAIL (Versione troppo vecchia)" # 2. ML-DSA Support echo -n "ML-DSA: " openssl list -signature-algorithms 2>/dev/null | grep -qi "ml-dsa" && echo "OK" || echo "FAIL" # 3. ML-KEM Support echo -n "ML-KEM: " openssl list -kem-algorithms 2>/dev/null | grep -qi "ml-kem" && echo "OK" || echo "FAIL" # 4. Provider echo -n "Provider: " openssl list -providers | grep -q "default" && echo "OK" || echo "FAIL" # 5. FIPS (opzionale) echo -n "FIPS: " openssl list -providers | grep -qi "fips" && echo "OK" || echo "Non configurato" # 6. .NET Runtime echo -n ".NET 8: " dotnet --list-runtimes 2>/dev/null | grep -q "NETCore.App 8" && echo "OK" || echo "FAIL" echo "=== Health Check completato ==="
Windows (PowerShell):
Write-Host "=== WvdS PQ Crypto Health Check ===" -ForegroundColor Cyan # 1. OpenSSL $opensslVersion = & openssl version 2>$null if ($opensslVersion -match "3\.[6-9]") { Write-Host "OpenSSL: OK ($opensslVersion)" -ForegroundColor Green } else { Write-Host "OpenSSL: FAIL" -ForegroundColor Red } # 2. ML-DSA $mldsa = & openssl list -signature-algorithms 2>$null | Select-String "ML-DSA" if ($mldsa) { Write-Host "ML-DSA: OK" -ForegroundColor Green } else { Write-Host "ML-DSA: FAIL" -ForegroundColor Red } # 3. ML-KEM $mlkem = & openssl list -kem-algorithms 2>$null | Select-String "ML-KEM" if ($mlkem) { Write-Host "ML-KEM: OK" -ForegroundColor Green } else { Write-Host "ML-KEM: FAIL" -ForegroundColor Red } # 4. .NET $dotnet = & dotnet --list-runtimes 2>$null | Select-String "NETCore.App 8" if ($dotnet) { Write-Host ".NET 8: OK" -ForegroundColor Green } else { Write-Host ".NET 8: FAIL" -ForegroundColor Red } Write-Host "=== Health Check completato ===" -ForegroundColor Cyan
Certificati via OpenSSL CLI
Creare Root CA
Classico (RSA 4096):
# 1. Generare chiave privata openssl genpkey -algorithm RSA -out root-ca.key -pkeyopt rsa_keygen_bits:4096 # 2. Creare Root CA self-signed openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 \ -subj "/C=DE/O=Organizzazione/CN=Root CA" # 3. Visualizzare certificato openssl x509 -in root-ca.crt -text -noout
Post-Quantum (ML-DSA-65):
# 1. Generare chiave privata ML-DSA openssl genpkey -algorithm ML-DSA-65 -out root-ca-pq.key # 2. Creare PQ Root CA self-signed openssl req -new -x509 -key root-ca-pq.key -out root-ca-pq.crt -days 3650 \ -subj "/C=DE/O=Organizzazione/CN=PQ Root CA" # 3. Visualizzare certificato openssl x509 -in root-ca-pq.crt -text -noout
Creare Intermediate CA
# 1. Chiave privata per Intermediate openssl genpkey -algorithm RSA -out intermediate.key -pkeyopt rsa_keygen_bits:4096 # 2. Creare CSR openssl req -new -key intermediate.key -out intermediate.csr \ -subj "/C=DE/O=Organizzazione/CN=Intermediate CA" # 3. Firmare con Root CA (con estensioni CA) openssl x509 -req -in intermediate.csr -CA root-ca.crt -CAkey root-ca.key \ -CAcreateserial -out intermediate.crt -days 1825 \ -extfile <(echo "basicConstraints=critical,CA:TRUE,pathlen:0 keyUsage=critical,keyCertSign,cRLSign") # 4. Verificare catena openssl verify -CAfile root-ca.crt intermediate.crt
Creare certificato End-Entity
# 1. Chiave privata openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048 # 2. CSR con SAN (Subject Alternative Name) openssl req -new -key server.key -out server.csr \ -subj "/C=DE/O=Organizzazione/CN=server.example.com" \ -addext "subjectAltName=DNS:server.example.com,DNS:www.example.com" # 3. Firmare con Intermediate openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \ -CAcreateserial -out server.crt -days 365 \ -extfile <(echo "basicConstraints=CA:FALSE keyUsage=critical,digitalSignature,keyEncipherment extendedKeyUsage=serverAuth,clientAuth subjectAltName=DNS:server.example.com,DNS:www.example.com") # 4. Verificare catena completa openssl verify -CAfile root-ca.crt -untrusted intermediate.crt server.crt
Ispezionare certificato
# Mostrare dettagli certificato openssl x509 -in cert.crt -text -noout # Solo Subject e Issuer openssl x509 -in cert.crt -subject -issuer -noout # Periodo di validita openssl x509 -in cert.crt -dates -noout # Fingerprint openssl x509 -in cert.crt -fingerprint -sha256 -noout # Estrarre chiave pubblica openssl x509 -in cert.crt -pubkey -noout # Algoritmo di firma openssl x509 -in cert.crt -text -noout | grep "Signature Algorithm"
Convertire formati certificato
# PEM a DER openssl x509 -in cert.pem -outform DER -out cert.der # DER a PEM openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem # PEM a PKCS#12 (PFX) openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile ca-chain.crt # PKCS#12 a PEM (Certificato + Chiave) openssl pkcs12 -in cert.pfx -out cert-and-key.pem -nodes
Gestione Trust Store
Windows Certificate Store
Importare certificato CA (PowerShell come amministratore):
# Root CA in Trusted Root Certification Authorities Import-Certificate -FilePath "root-ca.crt" -CertStoreLocation Cert:\LocalMachine\Root # Intermediate CA in Intermediate Certification Authorities Import-Certificate -FilePath "intermediate.crt" -CertStoreLocation Cert:\LocalMachine\CA # Verificare Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*Root CA*"}
Elencare certificati:
# Tutte le Root CA Get-ChildItem Cert:\LocalMachine\Root | Format-Table Subject, Thumbprint, NotAfter # Certificati in scadenza (< 30 giorni) Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.NotAfter -lt (Get-Date).AddDays(30)} | Format-Table Subject, NotAfter
Rimuovere certificato:
# Per Thumbprint Get-ChildItem Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "ABC123..."} | Remove-Item
Linux Trust Store
Debian/Ubuntu:
# Aggiungere certificato CA sudo cp root-ca.crt /usr/local/share/ca-certificates/wvds-root-ca.crt sudo update-ca-certificates # Verificare ls /etc/ssl/certs/ | grep wvds # Rimuovere certificato sudo rm /usr/local/share/ca-certificates/wvds-root-ca.crt sudo update-ca-certificates --fresh
RHEL/CentOS:
# Aggiungere certificato CA sudo cp root-ca.crt /etc/pki/ca-trust/source/anchors/wvds-root-ca.crt sudo update-ca-trust # Verificare trust list | grep -A2 "WvdS"
macOS Keychain
# Aggiungere CA al System Keychain sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain root-ca.crt # Verificare security find-certificate -a -c "Root CA" /Library/Keychains/System.keychain
Backup & Recovery
Componenti da salvare:
| Componente | Percorso | Frequenza | Priorita |
|---|---|---|---|
| Root CA Private Key | Storage offline | Dopo creazione | Critico |
| Intermediate CA Key | Server | Giornaliero | Alta |
| Storage chiavi PQ | %LOCALAPPDATA%\WvdS.Crypto\PqKeys\ | Giornaliero | Alta |
| Certificati (PFX) | Directory applicazione | Dopo creazione | Media |
Script di backup (Linux):
#!/bin/bash BACKUP_DIR="/backup/pq-crypto/$(date +%Y%m%d)" mkdir -p "$BACKUP_DIR" # Storage chiavi PQ cp -r ~/.local/share/wvds-crypto/pqkeys/ "$BACKUP_DIR/" # Certificati cp /etc/ssl/certs/wvds-*.crt "$BACKUP_DIR/" # Proteggere permessi chmod 700 "$BACKUP_DIR" chmod 600 "$BACKUP_DIR"/* echo "Backup creato: $BACKUP_DIR"
Importante: Lo storage chiavi PQ non e incluso nel backup del Windows Certificate Store!
Monitoring
Monitorare scadenza certificati:
# Tutti i certificati con scadenza < 30 giorni for cert in /etc/ssl/certs/*.crt; do expiry=$(openssl x509 -in "$cert" -enddate -noout 2>/dev/null | cut -d= -f2) if [ -n "$expiry" ]; then expiry_epoch=$(date -d "$expiry" +%s 2>/dev/null) now_epoch=$(date +%s) days_left=$(( (expiry_epoch - now_epoch) / 86400 )) if [ "$days_left" -lt 30 ]; then echo "ATTENZIONE: $cert scade tra $days_left giorni" fi fi done
Scadenze per rinnovo:
| Tipo certificato | Rinnovo prima della scadenza |
|---|---|
| Root CA | 30 giorni |
| Intermediate CA | 14 giorni |
| End-Entity | 7 giorni |
Approfondimenti
- Troubleshooting – Risolvere problemi operativi
- Sicurezza – Best Practice
- Configurazione – Attivare modalita FIPS
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: il 30/01/2026 alle 08:57
