Post-Quantum Cryptography (PQC) PKI and Signing

Get ready for PQC with updates on cryptographic standardization, migration strategies, required protocol and format changes, and the latest PQC capabilities and interoperability. Follow our step-by-step guides to get hands-on experience.

Get started with a PQC-Ready PKI and Signing Test Drive

Explore PQC use cases, such as issuing quantum-safe certificates, signing, and timestamping, in the ready-to-use PQC Lab Test Drive.

The ready-to-use PQC Lab Test Drive is a free, 30-day SaaS-based playground set up exclusively for you, where you can issue quantum-safe certificates with EJBCA and perform PQC signing and timestamping with SignServer. Preconfigured with NIST-approved algorithms, enrollment protocols, and signing formats (CMP, ACME, EST, REST, plain signer, CMS, JAR, etc.), it lets you experience post-quantum PKI and signing in action without complex setup.

Get started with your first Post-Quantum PKI and Signing

Try issuing a post-quantum signing certificate with EJBCA and then sign code in SignServer to experiment and prepare for the transition to quantum-safe algorithms.

Learn how to set up your first post-quantum PKI with EJBCA and sign data using SignServer with the NIST-approved quantum-safe algorithm ML-DSA.

Build a Post-Quantum Ready PKI with Hybrid CAs

Learn how to configure hybrid post-quantum certificate authorities (CAs) using EJBCA Enterprise and issue certificates with ML-DSA and ML-KEM, two cryptographic algorithms designed to resist quantum attacks and standardized by NIST.

This hands-on guide is based on the Keyfactor PQC Lab Test Drive - a pre-configured demo environment deployed through the Azure Marketplace. The environment runs EJBCA Enterprise 9.2 with support for ML-DSA and hybrid key configurations, enabling you to explore post-quantum readiness without needing to set up your own infrastructure.

Try Hybrid PKI and certificates with EJBCA

When transitioning from classic cryptography to post-quantum cryptography (PQC), there will be a period where different endpoints support different algorithms. Some endpoints will have been updated, while others may not. To ensure secure communication during this phase, a method for negotiating capabilities between endpoints is essential. Hybrid certificates offer an effective solution for this migration, allowing seamless transitions between cryptographic algorithms. For instance, if one endpoint is not yet PQC-capable, it can fall back to classic encryption, ensuring compatibility and security throughout the transition.

EJBCA supports hybrid certificates, also known as Catalyst or X.509 Alternative certificates. They are standardized as X.509 Alternative Keys and are under further discussion in ITU-T X.509 and X9.146 (20240122), and, in a non-quantum context, in ISO 15118-20.

Try out quantum-safe signing

Try out quantum-safe signing to experiment and prepare for the transition to quantum-safe algorithms.

Quantum-Safe Code Signing

With NIST’s standardization of post-quantum cryptographic algorithms, SignServer supports the NIST-approved ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) algorithms.

This guide demonstrates code signing based on SignServer using the quantum-safe SLH-DSA or ML-DSA algorithms through Bouncy Castle and allows you to try out creating quantum-safe keys and signatures.
