3.7 Post-Quantum Cryptography

Our roadmap and architectural readiness for quantum-safe signatures (ML-DSA) and hybrid certificates.

Classical public-key cryptography (RSA and ECDSA) is theoretically vulnerable to future quantum computers running Shor’s algorithm. To safeguard data against “store-now, decrypt-later” attacks, the cryptographic community is actively transitioning to quantum-safe alternatives.

This page outlines CertKit’s architectural readiness for Post-Quantum Cryptography (PQC) and our implementation roadmap.

Tracking Major Initiatives

CertKit is actively tracking the latest standards and proposals, including:

  • NIST PQC Standardization: Specifically ML-DSA (Module-Lattice Digital Signature Algorithm, formerly Dilithium) and Falcon for digital signatures.
  • CA Post-Quantum Initiatives: Certificate Authorities are leading the charge on post-quantum PKI. We are closely tracking Let’s Encrypt’s post-quantum certificate plans (such as the June 3, 2026 PQ Certs Announcement) and Google Trust Services’ post-quantum ACME testing.

Hybrid (Dual-Signature) Certificates

The transition to pure post-quantum certificates will take years due to legacy browser and device limitations. To bridge this gap, CAs are championing hybrid (dual-signature) certificates:

  • Dual Cryptography: A single certificate contains both a classical key/signature (such as ECDSA) and an auxiliary post-quantum signature (such as ML-DSA).
  • Graceful Degradation: Legacy browsers and client libraries that do not recognize post-quantum signatures simply ignore them and validate the classical signature. Modern, PQ-safe clients can validate both signatures to establish quantum-resistant trust.

CertKit’s Commitment

Our core platform, S3-compatible explorer, on-premise Keystore service, and cross-platform agents are designed with cryptographic agility at their foundation:

  • Ready at Launch: CertKit is committed to being one of the first automated lifecycle managers to natively support post-quantum and hybrid certificates.
  • Seamless Upgrade Paths: As soon as Let’s Encrypt or your configured external ACME issuers transition PQ profiles to public directories, you will be able to select them directly from the CertKit dropdown, store them in your secure S3 buckets, and deploy them automatically using the CertKit Agent.