Skip to main content

Use post-quantum cryptography

To help you prepare your environments for the impact of quantum computing in the future, DigiCert supports post-quantum cryptography (PQC) signature algorithms.

Supported PQC signature algorithms

DigiCert supports these PQC algorithms in our private CA resources. PQC isn't supported through DigiCert public CAs.

  • ML-DSA (formerly known as CRYSTALS-Dilithium and Dilithium)

    DigiCert employs the version of this algorithm standardized by the National Institute of Standards and Technology (NIST). All ML-DSA key types are supported:

    • MLDSA-44

    • MLDSA-65

    • MLDSA-87

  • SLH-DSA (formerly known as SPHINCS+)

    DigiCert employs the version of this algorithm defined in the NIST initial public draft. We'll update this with the finalized version soon. All SLH-DSA key types are supported:

    • SLHDSA-128

    • SLHDSA-192

    • SLHDSA-256

Opmerking

When using these PQC algorithms, be aware of partial or restricted support for:

  • Root and key storage. PQC-derived roots require SoftHSM or a supported hardware HSM for key storage.

  • CRL support. ML-DSA and SLH-DSA certificates fully support certificate revocation list (CRL) checking.

  • OCSP support. ML-DSA and SLH-DSA certificates do not yet support online certificate status protocol (OCSP) checking.

Integrating PQC signature algorithms

Applying a PQC signature algorithm varies among the DigiCert portals and their associated tasks. In general, select the template or profile that identifies PQC support for the algorithm. Then specify algorithm type, key size, and other settings as needed.

For example, in CA Services, to generate a PQC-signed root CA:

  1. Go to Roots.

  2. Select Create root CA.

  3. For Template, select the template name that identifies the PQC algorithm you want to use.

  4. Specify other settings as needed and create the new root CA.

  5. Issue intermediate CAs and end-entity certificates signed by the root CA and the selected PQC algorithm.

Emerging PQC signature algorithms

Go to DigiCert's PQC Labs to research and evaluate other PQC algorithms, such as Composite ML-KEM (CRYSTALS-Kyber) and FN-DSA (Falcon).

Supported PQC hardware security modules (HSM)

To use PQC algorithms for your CAs and certificates, you must configure an HSM that supports PQC key generation and signing operations.

DigiCert Private CA supports the following HSMs for PQC use:

  • Crypto4A: Supports PQC and operates as a FIPS 140-validated cryptographic module. Supported in both DigiCert-hosted and customer-hosted environments..

  • Thales SafeNet Luna: Supports PQC starting with firmware version 7.9. Supported in both DigiCert-hosted and customer-hosted environments.

    Belangrijk

    • Luna firmware versions up to 7.8 operate under existing FIPS 140 validation but do not support PQC.

    • Firmware version 7.9 introduces PQC support. The cryptographic module configuration that includes this firmware is still undergoing FIPS validation.

    • DigiCert Private CA does not check the firmware version when you select the HSM for a CA. So, always confirm that your firmware is 7.9, or later, before using PQC.

DigiCert continues to evaluate and add support for additional HSMs that enable PQC usage under FIPS 140 validation.

In deze sectie: