Planning for post-quantum cryptography
Trust Architecture Playbook: Issuance pillar
Quantum computing poses a long-term threat to classical asymmetric cryptography. Sufficiently powerful quantum computers could break RSA and ECC algorithms, compromising the security of current certificate and CA key material. NIST finalized the first post-quantum cryptography (PQC) algorithm standards in 2024. Organizations should begin assessing and planning for PQC migration now, even if full deployment is still years away.
PQC support in DigiCert Private CA
DigiCert® Private CA supports PQC certificate issuance for private-trust use cases. PQC certificates can be issued and managed through Trust Lifecycle Manager using the same certificate profile workflow as classical certificates. Supported enrollment methods include CSR (web-based), EST, and REST API.
Supported PQC signature algorithms
DigiCert Private CA can issue PQC certificates using the following signature algorithms:
ML-DSA (formerly CRYSTALS-Dilithium): The primary NIST-standardized PQC signature algorithm (FIPS 204). All three parameter sets are supported: MLDSA-44, MLDSA-65, and MLDSA-87. ML-DSA is the recommended algorithm for most use cases.
SLH-DSA (formerly SPHINCS+): A stateless hash-based signature scheme standardized in FIPS 205. All NIST-standardized SLH-DSA parameter sets are supported.
![]() |
HSM and revocation requirements
PQC key generation in DigiCert Private CA requires an HSM that supports PQC algorithms. If PQC is a defined or near-term requirement, factor HSM selection into your planning before provisioning any CA infrastructure. Two HSMs are currently supported across both DigiCert-hosted and customer-hosted Private CA deployments:
Crypto4A: Supports PQC and operates as a FIPS 140-validated cryptographic module.
Thales SafeNet Luna: Supports PQC starting with firmware version 7.9. Verify your firmware version before deploying PQC to avoid configuration errors.
CRL-based revocation is fully supported for ML-DSA and SLH-DSA certificates. Ensure CRL infrastructure is in place before issuing PQC certificates and verify that relying party systems support CRL-based revocation. OCSP is not yet supported for PQC certificates.
Additional PQC signature algorithms
Contact your DigiCert account representative with questions about these additional PQC signature algorithms.
FN-DSA is a lattice-based signature algorithm currently being standardized by NIST as FIPS 206. It is designed to produce compact public keys and signatures, resulting in smaller X.509 certificates than ML-DSA and SLH-DSA, making it attractive for bandwidth- and storage-constrained environments.
NIST status: In development (Draft FIPS 206; not yet a final standard). Interested users can generate and evaluate Falcon-based X.509 certificates today using the DigiCert PQC Labs.
LMS is a stateful hash-based signature algorithm standardized in RFC 8554 and approved by NIST for use through SP 800-208 (Recommendation for Stateful Hash-Based Signature Schemes). LMS relies solely on the security of cryptographic hash functions and produces compact public keys and relatively small signatures, making it well suited for firmware signing, secure boot, and software update ecosystems where the signer can securely maintain signing state.
NIST status: Approved for use under NIST SP 800-208 (not a FIPS standard). LMS is intended for specialized applications that can safely manage signing state and is not recommended for general-purpose PKI or WebPKI certificate issuance.
XMSS is a stateful hash-based signature algorithm standardized in RFC 8391 and approved by NIST for use through SP 800-208. Like LMS, XMSS provides post-quantum security based solely on cryptographic hash functions while generating small public keys and relatively compact signatures compared to stateless hash-based schemes such as SLH-DSA. It is particularly well suited for firmware signing, secure boot, and long-lived trust anchors.
NIST status: Approved for use under NIST SP 800-208 (not a FIPS standard). XMSS requires careful management of signing state and is therefore intended for controlled signing environments rather than large-scale certificate authorities or public WebPKI deployments.
PQC readiness planning
PQC migration is a long-term project. Begin with these steps:
Inventory your cryptographic assets: Use Trust Lifecycle Manager's crypto hygiene reporting to identify all certificates using classical algorithms. This inventory is the foundation of your PQC migration plan.
Identify high-risk assets: Prioritize long-lived certificates, CA keys, and certificates protecting sensitive long-lived data. These are the most exposed to harvest-now-decrypt-later attacks, in which adversaries capture encrypted data today with the intent to decrypt it once quantum computing capabilities mature.
Assess HSM readiness: For private trust issuance, determine whether your existing HSMs support PQC algorithms and plan hardware upgrades accordingly.
Pilot PQC issuance: Issue PQC certificates in a test environment and validate chain building, revocation, and application compatibility before any production deployment.
Aviso
Building a cryptographic baseline is covered in the Baseline pillar of the DigiCert® Trust Architecture Playbook.
