此指南適用於 PQC 工具組。如需有關設定 DigiCert PQC 工具組的指示,請參閱 PQC Docker 化工具組指南。
DigiCert 的後量子加密 (PQC) 工具組含有建立混合式 TLS 憑證所需的一切。此混合式憑證使用與傳統加密演算法結合的後量子加密演算法。可讓您在測試部署後量子混合式 TLS 的可行性時,同時保有向後相容性。
關於此第一個反覆項目,後量子加密演算法與橢圓曲線加密演算法配對。
此設定指南讓您完全瞭解使用 DigiCert PQC 工具組可以:
s_server
和 s_client
公用桯式測試憑證。DigiCert PQC 工具組可下載用於所有的 Secure Site Pro 客戶。進一步瞭解使用每種 Secure Site Pro 憑證加入的內容。
DigiCert PQC 工具組包含這些檔案:
使用此指南前,請確定符合這些先決條件:
若要阻止您的系統或生產環境發行,建議您遵照這些使用沙箱或虛擬環境的步驟進行:
下載修補檔案前,請準備您的環境。
首先,請安裝必需的依存性和工具。
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install curl unzip make cmake gcc wget zlib1g-dev libjansson-dev
接著,建立您將下載和編輯資源檔案與工具組資源所在的目錄結構。
mkdir -p /app/digicert-pqc/connector
mkdir -p /app/digicert-pqc/certs/configs
mkdir /app/resources
現在,下載 DigiCert PQC 工具組並解壓縮其內容。
登入您的 CertCentral 帳戶。
在資訊看板功能表中,按一下憑證 > 訂單。
在「訂單」頁面上,尋找您的 Sucure Site Pro 憑證訂單,然後按其訂單編號。
在憑證的訂單詳細資料頁面上,按一下 PQC 工具組。
在「後量子加密 (PQC)」頁面上,按一下下載 ISARA PQC 工具組,然後將工具組儲存到 /app/resources 目錄中。
接著,從工具組中解壓縮內容。
cd /app/resources
unzip ./DigiCert_PQC_Toolkit.zip
PQC 工具組包含 ISARA OpenSSL Connector 封存。將此解壓縮到 /app/digicert-pqc/connector。
cd /app/digicert-pqc/connector
tar xzvf /app/resources/digicert-pqc-toolkit_2019-07-26/openssl_connector-Linux-2019-05-27.tgz
在您設定環境和解壓縮所有檔案後,修補和編譯 OpenSSL。
若要開始,請下載 1.0.2r 版 OpenSSL 到 /app/resources 目錄。
cd /app/resources
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2r.tar.gz
接著,請將來源檔案解壓縮到 /app/digicert-pqc 目錄。
cd /app/digicert-pqc
tar xzvf /app/resources/openssl-1.0.2r.tar.gz
現在,套用 ISARA OpenSSL 補丁到解壓縮的來源檔案中。這會對 OpenSSL 做所有必需的修改,以產生和解譯對量子安全的加密演算法。
cd openssl-1.0.2r/
patch -p2 < ../connector/OpenSSL_1_0_2r_ISARA.patch
在修補完成後,用工具組的經過修改的版本取代現有的 openssl.cnf 檔案。經過修改的組態檔案包含一個動態引擎項目,指向 ISARA OpenSSL IQREngine。
cp /app/resources/digicert-pqc-toolkit_2019-07-26/openssl.cnf ./apps
現在您需要編輯經過修改的組態檔案,這樣它會指向 ISARA OpenSSL IQREngine 的位置。
在您喜好的文字編輯中,開啟複製的 openssl.cnf 檔案。
vi ./apps/openssl.cnf
找到第 32 行的 dynamic_path
項目。
將項目變更為此:
dynamic_path = /app/digicert-pqc/connector/lib/libiqre_engine.so
儲存並關閉檔案。
由於您正在建立共用的 OpenSSL 程式庫,您將需要在編譯來源檔案前設定非標準的路徑。
./config --prefix=/app/digicert-pqc/pqpki-openssl-1.0.2r --openssldir=/app/digicert-pqc/pqpki-openssl-1.0.2r shared
接著,執行以下的每個命令,一次一個,以編譯經過修改的來源檔案。
make depend
make all
sudo make install
成功編譯經過修改的 OpenSSL 來源後,使用 LD_LIBRARY_PATH 變數指定兩個動態程式庫位置。這告訴您尋找您的經過修改的 OpenSSL 共用桯式庫,以及用於處理對量子安全的加密演算法的 ISARA PQC 引擎所在。
export LD_LIBRARY_PATH=/app/digicert-pqc/pqpki-openssl-1.0.2r:/app/digicert-pqc/connector/lib
如果您的系統已經使用 LD_LIBRARY_PATH 變數,您可以附加 :$LD_LIBRARY_PATH
到上述命令中,非破壞性的新增新路徑。
現在,您擁有可以產生和解碼對量子安全的加密演算法的 OpenSSL 程式。您已準備好建立完整的混合式憑證鏈 (根、中繼和伺服器憑證),因此您可以測試其功能。
首先,複製納入到 PQC 工具組中的憑證組態檔案到 /app/digicert-pqc/certs 目錄中。這些組態檔案包含產生每個憑證要求和憑證所需的所有資料。
cd /app/digicert-pqc/certs
cp /app/resources/digicert-pqc-toolkit_2019-07-26/certificates/root_req.cfg ./configs
cp /app/resources/digicert-pqc-toolkit_2019-07-26/certificates/intermediate_req.cfg ./configs
cp /app/resources/digicert-pqc-toolkit_2019-07-26/certificates/server_req.cfg ./configs
接著,為為憑證鏈中的每份憑證產生對量子安全的私密金鑰,確定使用經過修改的 OpenSSL 程式和 IQREngine。
根私密金鑰:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm xmss -pkeyopt tree_height:10 -pkeyopt strategy:cpu_constrained -pkeyopt state_filename:xmss_catalyst_mixed_chain_root_private_key_state.bin -out xmss_catalyst_mixed_chain_root_private_key.pem
中繼私密金鑰:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm dilithium -pkeyopt parameter_set:A -out dilithium_catalyst_mixed_chain_intermediate_private_key.pem
伺服器私密金鑰:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm rainbow -pkeyopt parameter_set:A -out rainbow_catalyst_mixed_chain_private_key.pem
您一產生每份憑證的私密金鑰後,立刻解壓縮他們的公用金鑰。
根公用金鑰:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in xmss_catalyst_mixed_chain_root_private_key.pem -pubout -out xmss_catalyst_mixed_chain_root_public_key.pem
中繼公用金鑰:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in dilithium_catalyst_mixed_chain_intermediate_private_key.pem -pubout -out dilithium_catalyst_mixed_chain_intermediate_public_key.pem
伺服器公用金鑰:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in rainbow_catalyst_mixed_chain_private_key.pem -pubout -out rainbow_catalyst_mixed_chain_public_key.pem
選擇 ECC 混合鏈憑證的曲線。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl ecparam -out ecdsa_catalyst_mixed_chain_parameters.pem -name secp384r1
產生所有加密金鑰後,您已準備好建立鏈中的每份憑證的 CSR 和產生根、中繼與伺服器憑證。
首先,建立使用於根發行者的 CSR。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl req -new -newkey ec:ecdsa_catalyst_mixed_chain_parameters.pem -keyout ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem -out ecdsa_without_xmss_x509_catalyst_mixed_chain_root_req.pem -config ./configs/root_req.cfg -nodes
接著您需要建立用於根的自我簽署 X509 憑證。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509 -req -set_serial 8026 -extfile ./configs/root_req.cfg -in ecdsa_without_xmss_x509_catalyst_mixed_chain_root_req.pem -signkey ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem -out ecdsa_without_xmss_x509_catalyst_mixed_chain_root_certificate.pem
在那之後,將根憑證延伸到混合式根憑證。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509QSDirectExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -x509in ecdsa_without_xmss_x509_catalyst_mixed_chain_root_certificate.pem -x509out xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -privin ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem -pubqs xmss_catalyst_mixed_chain_root_public_key.pem -privqs xmss_catalyst_mixed_chain_root_private_key.pem::xmss_catalyst_mixed_chain_root_private_key_state.bin -privqs_engine
現在您可以建立用於中繼憑證的 CSR。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl req -new -newkey ec:ecdsa_catalyst_mixed_chain_parameters.pem -keyout ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem -out ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_req.pem -config ./configs/intermediate_req.cfg -nodes
將中繼憑證 CSR 延伸到混合式 CSR 中。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl reqQSExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -reqin ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_req.pem -reqout dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem -privin ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem -pubqs dilithium_catalyst_mixed_chain_intermediate_public_key.pem -privqs dilithium_catalyst_mixed_chain_intermediate_private_key.pem
接著產生中繼憑證。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509 -req -set_serial 8014 -extfile ./configs/intermediate_req.cfg -in dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem -CA xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -CAkey ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem -out ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_certificate.pem
將中繼憑證延伸到混合式中繼憑證中。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509QSExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -x509in ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_certificate.pem -x509out dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -reqin dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem -privqs xmss_catalyst_mixed_chain_root_private_key.pem::xmss_catalyst_mixed_chain_root_private_key_state.bin -privqs_engine
現在根和中繼憑證都已產生,下一步是產生伺服器憑證。
首先您需要建立用於伺服器憑證的 CSR。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl req -new -newkey ec:ecdsa_catalyst_mixed_chain_parameters.pem -keyout ecdsa_without_rainbow_catalyst_mixed_chain_private_key.pem -out ecdsa_without_rainbow_x509_catalyst_mixed_chain_req.pem -config ./configs/server_req.cfg -nodes
然後將伺服器憑證 CSR 延伸到混合式 CSR 中。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl reqQSExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -reqin ecdsa_without_rainbow_x509_catalyst_mixed_chain_req.pem -reqout rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem -privin ecdsa_without_rainbow_catalyst_mixed_chain_private_key.pem -pubqs rainbow_catalyst_mixed_chain_public_key.pem -privqs rainbow_catalyst_mixed_chain_private_key.pem
在那之後,您可以產生伺服器憑證。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509 -req -set_serial 8015 -req -extfile ./configs/server_req.cfg -in rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem -CA dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -CAkey ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem -out ecdsa_without_rainbow_x509_catalyst_mixed_chain_certificate.pem
最後,將伺服器憑證延伸到混合式伺服器憑證中。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509QSExtend -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -x509in ecdsa_without_rainbow_x509_catalyst_mixed_chain_certificate.pem -x509out rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem -reqin rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem -privqs dilithium_catalyst_mixed_chain_intermediate_private_key.pem
建立所有憑證後,表示您已準備好確認您有功能性混合式憑證鏈。
首先,確認混合鏈使用舊密碼運作。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl verify -engine IQREngine -verbose -CAfile xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -untrusted dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem
您應該看到此輸出:
engine "IQREngine" set.
rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem: OK
接著,確認混合式憑證鏈使用量子安全加密運作。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl x509QSVerify -engine /app/digicert-pqc/connector/lib/libiqre_engine.so -root xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -untrusted dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -cert rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem
哪一個應提供此輸出:
engine "IQREngine" set.
2 : ok : /C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
1 : ok : /C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
0 : ok : /C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=digicert.pqc
Success!!
確認已建立所有檔案後,執行 ls
命令。如果成功,應該看到像這樣的輸出:
configs
dilithium_catalyst_mixed_chain_intermediate_private_key.pem
dilithium_catalyst_mixed_chain_intermediate_public_key.pem
dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem
dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem
ecdsa_catalyst_mixed_chain_parameters.pem
ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem
ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_certificate.pem
ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_req.pem
ecdsa_without_rainbow_catalyst_mixed_chain_private_key.pem
ecdsa_without_rainbow_x509_catalyst_mixed_chain_certificate.pem
ecdsa_without_rainbow_x509_catalyst_mixed_chain_req.pem
ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem
ecdsa_without_xmss_x509_catalyst_mixed_chain_root_certificate.pem
ecdsa_without_xmss_x509_catalyst_mixed_chain_root_req.pem
rainbow_catalyst_mixed_chain_private_key.pem
rainbow_catalyst_mixed_chain_public_key.pem
rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem
rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem
xmss_catalyst_mixed_chain_root_private_key.pem
xmss_catalyst_mixed_chain_root_private_key_state.bin
xmss_catalyst_mixed_chain_root_public_key.pem
xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem
若要測試您的對量子安全的混合式憑證鏈,請使用 OpenSSL 的 s_server
和 s_client
公用程式。若要同時使用這兩種公用程式,請開啟兩個終端工作階段,一個用於伺服器,一個用於用戶端。
首先,加入伺服器憑證的 CN 值到您的主機檔案中。
echo "$(hostname -I) digicert.pqc" | sudo tee -a /etc/hosts
接著,確定您在 /app/digicert-pqc/certs 目錄中。
cd /app/digicert-pqc/certs
然後,在您開啟的其中一個終端中,啟動伺服器。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl s_server -engine IQREngine -cert dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -certform PEM -key dilithium_catalyst_mixed_chain_intermediate_private_key.pem -keyform PEM -debug -tls1_2
執行上述的命令後,您應該會看到此輸出:
engine "IQREngine" set.
Using default temp DH parameters
ACCEPT
接著,切換到第二個終端視窗,確定您在 /app/digicert-pqc/certs 目錄中。
cd /app/digicert-pqc/certs
然後使用 s_client
公用程式連線到執行中的伺服器。
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl s_client -engine IQREngine -CAfile xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -showcerts -tls1_2 -cipher 'ECDHE-NHDH-DILM-AES256-GCM-SHA384'
如果一切設定正確,在執行 s_client
公用程式的終端視窗中,您應該會看到此輸出:
engine "IQREngine" set.
CONNECTED(00000003)
depth=1 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Root
verify return:1
depth=0 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Test Intermediate CA
verify return:1
---
Certificate chain
0 s:/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
i:/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
issuer=/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 9868 bytes and written 2331 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-NHDH-DILM-AES256-GCM-SHA384
Server public key is 521 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-NHDH-DILM-AES256-GCM-SHA384
Session-ID: {{Session-ID}}
Session-ID-ctx:
Master-Key: {{Master-Key}}
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
[...]
Start Time: 1563994600
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
在執行 s_server 公用程式的終端視窗中,您應該會看到此輸出:
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 96 .....
read from 0x5581e0750b80 [0x5581e07656f8] (150 bytes => 150 (0x96))
0000 - 01 00 00 92 03 03 d9 c0-5a 73 35 d0 4e f2 31 f6 ........Zs5.N.1.
[...]
write to 0x5581e0750b80 [0x5581e076e100] (71 bytes => 71 (0x47))
0000 - 16 03 03 00 42 02 00 00-3e 03 03 c2 3b df 2f 01 ....B...>...;./.
[...]
write to 0x5581e0750b80 [0x5581e0769c43] (4953 bytes => 4953 (0x1359))
0000 - 16 03 03 13 54 0b 00 13-50 00 13 4d 00 13 4a 30 ....T...P..M..J0
[...]
write to 0x5581e0750b80 [0x5581e0769c43] (4609 bytes => 4609 (0x1201))
0000 - 16 03 03 11 fc 0c 00 11-f8 03 00 17 41 04 0d 97 ............A...
[...]
write to 0x5581e0750b80 [0x5581e076e100] (9 bytes => 9 (0x9))
0000 - 16 03 03 00 04 0e 00 00-00 .........
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 03 08 48 ....H
read from 0x5581e0750b80 [0x5581e07656f8] (2120 bytes => 2120 (0x848))
0000 - 10 00 08 44 41 04 29 0a-07 84 0c f3 a4 e4 3e d1 ...DA.).......>.
[...]
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01 .....
read from 0x5581e0750b80 [0x5581e07656f8] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 28 ....(
read from 0x5581e0750b80 [0x5581e07656f8] (40 bytes => 40 (0x28))
0000 - e1 d7 30 8b 12 ef d1 dc-31 90 97 d0 0e 54 9c aa ..0.....1....T..
[...]
write to 0x5581e0750b80 [0x5581e076e100] (175 bytes => 175 (0xAF))
0000 - 16 03 03 00 aa 04 00 00-a6 00 00 1c 20 00 a0 02 ............ ...
[...]
write to 0x5581e0750b80 [0x5581e076e100] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
write to 0x5581e0750b80 [0x5581e076e100] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 d0 99 97-94 6d a1 5c f8 b0 c0 65 ....(....m.\...e
[...]
-----BEGIN SSL SESSION PARAMETERS-----
[...]
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-NHDH-DILM-AES256-GCM-SHA384:ECDHE-NHDH-SIDH-DILM-AES256-GCM-SHA384
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:HSS+SHA512:XMSS+SHA512:XMSSmt+SHA512:DILITHIUM+SHA512:DILITHIUM+SHA512:0xE0+SHA512
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:HSS+SHA512:DILITHIUM+SHA512:DILITHIUM+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283:0xFE01
Shared Elliptic curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283:UNDEF
CIPHER is ECDHE-NHDH-DILM-AES256-GCM-SHA384
Secure Renegotiation IS supported
恭喜!您已使用 DigiCert 的 PQC 工具組和 ISARA Catalyst OpenSSL Connector 引擎成功建立對量子安全的混合式憑證鏈。