
Issue PQC SPHINCS+ certificates

Use DigiCert® Trust Lifecycle Manager to issue and manage (revoke, suspend/resume, or recover) private post-quantum cryptography (PQC) certificates using the SPHINCS+ (SLHDSA) algorithm with the following key sizes.

Key type: SLHDSA

Key sizes / Signing algorithms:

  • SLHDSA SHA2-128f

  • SLHDSA SHA2-128s

  • SLHDSA SHA2-192f

  • SLHDSA SHA2-192s

  • SLHDSA SHA2-256f

  • SLHDSA SHA2-256s

  • SLHDSA SHAKE-128f

  • SLHDSA SHAKE-128s

  • SLHDSA SHAKE-192f

  • SLHDSA SHAKE-192s

  • SLHDSA SHAKE-256f

  • SLHDSA SHAKE-256s

Before you begin

You need at least one private issuing CA available in DigiCert® CA Manager.

Notice

Contact your DigiCert account representative or system administrator if you need help verifying or creating a CA.

Available certificate templates

Use the following base templates to create certificate profiles in Trust Lifecycle Manager for requesting PQC SPHINCS+ certificates from a private issuing CA in DigiCert® CA Manager. Supported enrollment methods include CSR, EST, and REST API.

Create a certificate profile

To create a PQC certificate profile for issuing SPHINCS+ certificates:

  1. From the Trust Lifecycle Manager main menu, select Policies > Certificate profiles.

  2. Select the Create profile from template action at the top of the page.

  3. Select one of the templates from the above table as the basis for creating the certificate profile.

    Work through the profile creation wizard, focusing on the PQC-related options described below and making other selections for your business needs and types of certificates you want to issue. After filling out each screen, select Next to move to the next screen.

  4. On the initial Primary options screen of the profile creation wizard, configure the:

    • General information: Select the applicable business unit and issuing CA for the certificates.

    • Enrollment method: Select one of the following.

      • CSR to enroll from a CSR using a web-based enrollment flow.

      • EST to enroll from a remote client using the EST protocol (not available for S/MIME certificates).

      • REST API to enroll from a CSR using the Trust Lifecycle Manager REST API.

    • Authentication method: Select one of the available authentication methods for the enrollment method you selected.

  5. On the Certificate options screen:

    • Key type: Select SLHDSA.

  • Key sizes: Select one or more key sizes to allow for enrolling PQC SPHINCS+ certificates.

  6. On the Additional options screen:

    • Certificate delivery format: Select whether to deliver certificates in X.509 or PKCS#7 format. For PKCS#7, select an option for how to include the CA chain.

  7. Select Create to save the new certificate profile.

CSRs and private keys for testing

You can use these CSRs and their corresponding private keys to test issuance of SPHINCS+ (SLHDSA) certificates via API or web-based enrollment.

CSR/key files

Use the links to download each example CSR file and its corresponding private key in PEM-encoded format.

OpenSSL commands

The following OpenSSL commands were used to generate the example CSR/key files in the above table.

Key type/size: SLHDSA SHA2-128f
  openssl req -new -newkey sphincssha2128fsimple -keyout digicert_slhdsa-sha2-128f.key -out digicert_slhdsa-sha2-128f.csr -nodes -subj "/CN=SLH-DSA-SHA2-128f/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHA2-128s
  openssl req -new -newkey sphincssha2128ssimple -keyout digicert_slhdsa-sha2-128s.key -out digicert_slhdsa-sha2-128s.csr -nodes -subj "/CN=SLH-DSA-SHA2-128s/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHA2-192f
  openssl req -new -newkey sphincssha2192fsimple -keyout digicert_slhdsa-sha2-192f.key -out digicert_slhdsa-sha2-192f.csr -nodes -subj "/CN=SLH-DSA-SHA2-192f/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHA2-192s
  openssl req -new -newkey sphincssha2192ssimple -keyout digicert_slhdsa-sha2-192s.key -out digicert_slhdsa-sha2-192s.csr -nodes -subj "/CN=SLH-DSA-SHA2-192s/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHA2-256f
  openssl req -new -newkey sphincssha2256fsimple -keyout digicert_slhdsa-sha2-256f.key -out digicert_slhdsa-sha2-256f.csr -nodes -subj "/CN=SLH-DSA-SHA2-256f/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHA2-256s
  openssl req -new -newkey sphincssha2256ssimple -keyout digicert_slhdsa-sha2-256s.key -out digicert_slhdsa-sha2-256s.csr -nodes -subj "/CN=SLH-DSA-SHA2-256s/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHAKE-128f
  openssl req -new -newkey sphincsshake128fsimple -keyout digicert_slhdsa-shake-128f.key -out digicert_slhdsa-shake-128f.csr -nodes -subj "/CN=SLH-DSA-SHAKE-128f/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHAKE-128s
  openssl req -new -newkey sphincsshake128ssimple -keyout digicert_slhdsa-shake-128s.key -out digicert_slhdsa-shake-128s.csr -nodes -subj "/CN=SLH-DSA-SHAKE-128s/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHAKE-192f
  openssl req -new -newkey sphincsshake192fsimple -keyout digicert_slhdsa-shake-192f.key -out digicert_slhdsa-shake-192f.csr -nodes -subj "/CN=SLH-DSA-SHAKE-192f/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHAKE-192s
  openssl req -new -newkey sphincsshake192ssimple -keyout digicert_slhdsa-shake-192s.key -out digicert_slhdsa-shake-192s.csr -nodes -subj "/CN=SLH-DSA-SHAKE-192s/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHAKE-256f
  openssl req -new -newkey sphincsshake256fsimple -keyout digicert_slhdsa-shake-256f.key -out digicert_slhdsa-shake-256f.csr -nodes -subj "/CN=SLH-DSA-SHAKE-256f/O=DigiCert, Inc./C=US" --provider oqsprovider

Key type/size: SLHDSA SHAKE-256s
  openssl req -new -newkey sphincsshake256ssimple -keyout digicert_slhdsa-shake-256s.key -out digicert_slhdsa-shake-256s.csr -nodes -subj "/CN=SLH-DSA-SHAKE-256s/O=DigiCert, Inc./C=US" --provider oqsprovider
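The twelve commands above follow one naming rule, so the same work can be done in a loop that also verifies each CSR's self-signature and prints its signature algorithm before the file is uploaded to Trust Lifecycle Manager. This script is an added example, not DigiCert's own tooling; it assumes OpenSSL 3.x with the oqsprovider installed, and uses the placeholder organization "Example Org" in the subject.

```shell
#!/bin/sh
# Added example: generate and verify test CSR/key pairs for every SLH-DSA
# parameter set listed on the page. Assumes OpenSSL 3.x plus oqsprovider.

# Map a Trust Lifecycle Manager key-size label ("SLHDSA SHA2-128f") to the
# oqsprovider key algorithm name used by the page's commands
# ("sphincssha2128fsimple"): drop the prefix, the hyphen, and lowercase.
oqs_name() {
  printf 'sphincs%ssimple\n' \
    "$(printf '%s' "${1#SLHDSA }" | tr -d '-' | tr 'A-Z' 'a-z')"
}

# Map the same label to the file stem used for the .key/.csr pair
# ("digicert_slhdsa-sha2-128f").
file_stem() {
  printf 'digicert_%s\n' "$(printf '%s' "$1" | tr ' A-Z' '-a-z')"
}

# Subject CN matching the page's test CSRs ("SLH-DSA-SHA2-128f").
subject_cn() {
  printf 'SLH-DSA-%s\n' "${1#SLHDSA }"
}

# Generate the key and CSR for one label, verify the CSR's self-signature,
# and print its signature algorithm so the parameter set can be checked
# against the profile's allowed key sizes before enrollment.
gen_and_verify() {
  label=$1; alg=$(oqs_name "$label"); stem=$(file_stem "$label")
  openssl req -new -newkey "$alg" -keyout "$stem.key" -out "$stem.csr" -nodes \
    -subj "/CN=$(subject_cn "$label")/O=Example Org/C=US" \
    -provider oqsprovider -provider default || return 1
  openssl req -in "$stem.csr" -noout -verify \
    -provider oqsprovider -provider default || return 1
  openssl req -in "$stem.csr" -noout -text -provider oqsprovider -provider default \
    | grep -i 'Signature Algorithm' | head -n 1
}

# All twelve parameter sets: SHA2 and SHAKE, 128/192/256, fast (f) and small (s).
main() {
  for sz in 128f 128s 192f 192s 256f 256s; do
    for h in SHA2 SHAKE; do
      gen_and_verify "SLHDSA $h-$sz" || echo "failed: SLHDSA $h-$sz" >&2
    done
  done
}

# Only touch OpenSSL when explicitly asked: `sh gen_slhdsa_csrs.sh generate`.
case "${1:-}" in generate) main ;; esac
```

Because the key is written with -nodes, the .key files are unencrypted and should be treated as test material only.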

Test SPHINCS+ issuance via web-based enrollment

Follow these steps to test issuance of PQC SPHINCS+ certificates from a CSR via web-based enrollment using one of the supported authentication methods.

Before you begin

  • Create a PQC certificate profile for SPHINCS+ certificates (key type SLHDSA) that uses the CSR enrollment method and one of the supported authentication methods (for example, Manual approval). Copy the Enrollment URL generated when saving the profile.

  • Download a testing CSR from the above table for one of the allowed Key sizes you configured in the PQC SPHINCS+ certificate profile.

Request a PQC certificate

  1. Use a web browser to access the Enrollment URL for the PQC certificate profile you created. You can get this URL from the profile details page, or from the self-service portal if enabled.

  2. Complete the enrollment form and upload the testing CSR you downloaded from the above table.

  3. Select Submit to submit the enrollment request.

Approve the enrollment request

  1. Log into Trust Lifecycle Manager as a user with the Manager or User and certificate manager role.

  2. Use one of the following methods to load the pending enrollment requests:

    • Select Enrollments from the Trust Lifecycle Manager main menu. Filter the list as needed.

    • On the Dashboard page, in the Pending requests widget, select the numbered link under Pending approval to load the pending enrollments.

  3. Find the pending enrollment for the PQC certificate request. Select the seat ID to review the enrollment before approving it, or, to approve it immediately, open the actions (icon) menu and select Approve.

Download the certificate

  1. After you approve the enrollment request, an email containing a download link is sent to the requester's address.

  2. Select the link in the confirmation email and follow the instructions to download the new PQC certificate.