Rekey a certificate profile to PQC

You can update your certificate profile to use a post-quantum cryptography (PQC) algorithm so that certificates issued during renewal use a PQC keypair. This approach lets you transition to PQC without interrupting existing certificates.

Note

Using PQC algorithms has the following limitations:

  • Keypairs using PQC algorithms can't be stored on an HSM. If you rekey an HSM-backed keypair to PQC, the new keypair is generated on disk instead of on the HSM.

  • CertCentral profiles don’t support PQC algorithms.

Before you begin

Before you begin, make sure you have:

  • A Software Trust Manager account

  • A certificate profile with auto-renewal enabled

  • Manage certificate profiles permission or Lead user role

To rekey a certificate profile to a PQC algorithm

  1. In the Managers (grid icon) menu, select Software Trust.

  2. Go to Certificates > Certificate profiles.

  3. Select the certificate profile you want to update.

  4. Select the edit (pencil) icon.

  5. In the Auto-renew section, select Yes.

  6. In the Auto-renew scope section, select Apply to new and existing certificates.

  7. Select Initiate rekey process upon certificate auto-renewal.

  8. Select the desired Rekey algorithm and Security level.

    If you’re using an HSM keypair with a PQC algorithm, a warning displays.

  9. Select Update certificate profile.

What happens next

When a certificate using this profile reaches its renewal period:

  • A new PQC keypair is generated

  • A new certificate is issued using the PQC keypair

  • The new keypair replaces the previous keypair
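
To confirm this outcome on a renewed certificate, the following added example (not the vendor's code and not part of the original page) reads the public-key algorithm from the certificate's DER bytes and reports whether it is a PQC algorithm. The OID table (NIST-registered ML-DSA and SLH-DSA identifiers) and all function names are assumptions, because the page does not list the algorithms a profile offers; the sample certificate is a constructed skeleton with a dummy key and signature.

```python
# Added example, not vendor code. Assumption: the profile's PQC algorithms use the
# NIST-registered ML-DSA / SLH-DSA OIDs below; the page does not list them.
ARC = bytes.fromhex("6086480165030403")            # DER for 2.16.840.1.101.3.4.3
PQC = {17: "ML-DSA-44", 18: "ML-DSA-65", 19: "ML-DSA-87",
       **{n: "SLH-DSA" for n in range(20, 32)}}
KEY_OIDS = {ARC + bytes([n]): (name, True) for n, name in PQC.items()}
KEY_OIDS[bytes.fromhex("2a864886f70d010101")] = ("RSA", False)
KEY_OIDS[bytes.fromhex("2a8648ce3d0201")] = ("EC", False)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def key_algorithm(cert_der):
    """Return (name, is_pqc) for the subjectPublicKeyInfo of an X.509 certificate."""
    _, tbs, _ = read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, end = read_tlv(cert_der, tbs)          # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, start, pos = read_tlv(cert_der, pos)
        if tag != 0xA0:                            # skip the optional [0] version
            fields.append(start)
    if len(fields) < 6:   # serial, signature, issuer, validity, subject, SPKI
        raise ValueError("not an X.509 certificate")
    _, alg, _ = read_tlv(cert_der, fields[5])      # AlgorithmIdentifier in SPKI
    _, oid_start, oid_end = read_tlv(cert_der, alg)
    oid = bytes(cert_der[oid_start:oid_end])
    return KEY_OIDS.get(oid, (oid.hex(), False))   # unknown OIDs: raw hex, not PQC

def tlv(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample."""
    body = b"".join(parts)
    n = len(body)
    k = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

def sample_cert(key_oid):
    """Constructed skeleton certificate: empty names, dummy key and signature."""
    alg = tlv(0x30, tlv(0x06, key_oid))
    spki = tlv(0x30, alg, tlv(0x03, b"\x00" + b"\xAA" * 200))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg,
              tlv(0x30), tlv(0x30), tlv(0x30), spki)
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00\x00"))
```

For a real certificate, pass its DER bytes to key_algorithm (for a PEM file, base64-decode the body between the BEGIN and END lines first).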

See also

Generate a certificate using a PQC keypair

Enable PQC algorithms for keypairs