Practical guidance for migrating to quantum-safe cryptography — foundations, day-to-day certificate operations, and the API surface our customers actually run in production.
A sufficiently large quantum computer running Shor's algorithm can break RSA, ECDSA, and Diffie-Hellman in polynomial time, which breaks every TLS, S/MIME, code-signing, and SSH trust chain built on those algorithms today.
In August 2024 NIST finalised three post-quantum signature standards: FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), and, still in draft, FIPS 206 (FN-DSA, based on Falcon). ML-DSA-65 is the recommended default for general-purpose signing — security level 3, ~3.3 KB signatures, fast verification.
The migration is non-trivial because PQC keys and signatures are larger than their classical counterparts (a Dilithium3 signature is roughly 18× the size of an ECDSA P-256 signature). The hybrid pattern — classical and PQC signatures in parallel on the same certificate — is the recommended deployment strategy until every relying party can speak PQC natively.
Order. Sign in to the portal, choose basic / premium / wildcard / multi_domain, pick an algorithm (default ML-DSA-65), and submit the SAN list.
Validate. HTTP-01 serves a token on http://<host>/.well-known/acme-challenge/. DNS-01 publishes a TXT record. The portal polls until validation completes.
Deploy. Download the PEM bundle (leaf || classical CA || cross-signed chain) and install in your TLS terminator. Hybrid certificates work in every standards-compliant TLS 1.2 / 1.3 stack today; the PQC payload is parsed only by PQC-aware clients.
Renew & rotate. Use POST /api/v1/keys/rotate for an in-place rotation or POST /api/v1/certificates/{id}/renew for a fresh certificate. ACME clients handle this automatically.
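The HTTP-01 check behind the Validate step, as an added example that is not QuantumSecure's own code: how a CA derives the key authorization the challenge file must contain (RFC 8555 section 8.1, RFC 7638 thumbprint) and checks the body it fetched. The account JWK and token are constructed sample values, and the kty=PQC JWK shape from the certbot plugin is not mapped.

```python
import base64
import hashlib
import json
import re

# RFC 7638 section 3.2: the JWK members that go into a thumbprint, per key type.
# (The kty=PQC JWK shape used by the certbot-quantumsecure plugin is not mapped
# here: RFC 7638 defines no required members for it.)
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# RFC 8555 section 8.3: a token is base64url with at least 128 bits of entropy
# (22 base64url characters encode 132 bits).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """Unpadded base64url as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically sorted, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account public key)."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("malformed challenge token")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response_is_valid(token: str, account_jwk: dict, body: bytes) -> bool:
    """CA-side check of the body fetched from /.well-known/acme-challenge/<token>.
    RFC 8555 section 8.3 lets the server ignore trailing whitespace in the body."""
    try:
        expected = key_authorization(token, account_jwk).encode("ascii")
    except ValueError:
        return False
    return body.rstrip(b" \t\r\n") == expected


# Constructed sample account key (EC P-256 JWK shape). x and y are placeholder
# strings, not a real curve point; the thumbprint does not validate them.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate",
              "y": "constructed-y-coordinate", "kid": "acct-1"}
SAMPLE_TOKEN = "constructedTokenValue_0123456789abcdef"  # constructed, base64url alphabet

if __name__ == "__main__":
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
```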
NIST and CISA both recommend starting now. The "harvest-now, decrypt-later" threat means traffic captured today can be decrypted once a cryptographically-relevant quantum computer exists. Begin with discovery and a hybrid (classical + PQC) deployment so you keep current interoperability while gaining quantum resistance.
For most TLS and code-signing workloads, ML-DSA-65 (FIPS 204, formerly Dilithium3) is the recommended default — it has the best balance of signature size, performance, and NIST security level 3. Choose ML-DSA-87 if you need NIST level 5; SLH-DSA when you need a hash-based fallback that does not depend on lattice assumptions.
Yes, when issued in hybrid mode. QuantumSecure issues RFC 5280 X.509 certificates signed with a classical key, and embeds the PQC public key plus an issuer-signed PQC alt-signature in extensions 2.5.29.72 / 73 / 74 (draft-ietf-lamps-x509-alt). Today’s TLS stacks validate the classical signature and ignore the unknown extensions; PQC-aware verifiers validate both halves.
QuantumSecure operates a private post-quantum CA. Our root is intentionally not in the public WebPKI trust stores, because no public root program currently accepts PQC roots. Use these certificates for internal infrastructure, mTLS between services, code signing, and any context where you control the trust store.
Two parallel signatures over the same TBSCertificate bytes: a classical signature (RSA, ECDSA, or Ed25519) in the standard X.509 signature field, and a PQC signature (ML-DSA / Falcon / SLH-DSA) in the altSignatureValue extension. A relying party can validate one, the other, or both.
Yes. We expose an RFC 8555-style ACME directory at https://api.quantumsecure.app/acme/directory. HTTP-01 and DNS-01 challenges are supported. The PQC additions are documented in our IETF draft (draft-quantumsecure-acme-pqc).
Expected for QuantumSecure-issued certificates — our root is not in public trust stores. Use these certificates for internal infrastructure, mTLS, code-signing, or any context where you can distribute the QuantumSecure root.
PQC signatures are larger. ML-DSA-65 adds ~3.3 KB to the Certificate message. If a middlebox limits handshake size, prefer Falcon-512 (~666 B signatures) for latency-sensitive endpoints, or enable record-layer fragmentation in your TLS terminator.
Older certbot builds parse only RSA / ECDSA JWKs. Use the certbot-quantumsecure plugin (in the public repo), which understands the kty=PQC JWK shape, or fall back to classical-only issuance via ACME_CERT_FORMAT=classical-only.