L4Execute — Layer 4 of the platform

Private Hybrid PQC Certificate Authority

Issue X.509 certificates that are valid today and quantum-safe tomorrow. Composite ML-DSA + ECDSA signatures, ACME automation, full lifecycle. The execution arm of your migration plan — or a standalone CA if you've already done the assessment.

Hybrid X.509 (composite signatures)ACME RFC 8555 + PQC draftNIST FIPS 204 / 205Open IETF draft (ours)Private & internal PKI
Sample artefact
Certificate (X.509 v3)
Subject: CN=payments-api.acme.internal
Issuer: CN=Acme PQC Issuing CA G1
Sig Alg: ecdsa-with-SHA384 (classical)
Alt-Sig: ML-DSA-65 (PQC)
Extensions
• id-ce-altSignatureAlgorithm
• id-ce-altSignatureValue
• id-ce-subjectAltPublicKeyInfo
• Composite per draft-ietf-lamps-x509-alt
✓ Validates with classical client (legacy)
✓ Validates with PQC-aware client (future)

Who it's for

  • Banks, telcos, and regulated industries with internal PKI
  • Teams who finished L3 and need to start issuing
  • Organisations that already assessed elsewhere and just need the CA
  • Anyone who needs ACME automation that speaks PQC

What you get

  • Hybrid X.509 issuance (classical + PQC alt-signature)
  • ACME endpoints (RFC 8555) + PQC draft extensions
  • Issuance, renewal, revocation lifecycle
  • Operator portal + REST API
  • CMDB / SIEM / cloud integrations
  • Audit log of every issuance

How it works

Step 1

Stand up the CA

Deploy the issuing CA — managed by us, or in your VPC. Bring your HSM if you have one.

Step 2

Onboard via ACME

Point certbot or any ACME client at the endpoint. PQC-aware clients get hybrid certs.

Step 3

Rotate & report

Automate renewals; surface expiry & algorithm posture back to L2 / L3 — closing the loop.

Ready to execute?

⚠️ The L4 CA currently issues certificates for private and internal PKI. Issued certificates are not trusted by browsers/operating systems out of the box — public-trust root inclusion (WebTrust for CAs) is on our roadmap.