Set up your first quantum-ready PKI. Create your ML-DSA (Dilithium) Root CAs, Issuing CAs, and end entities for code signing. Then sign data in SignServer.
The ML-DSA (Dilithium) algorithm offers strong security and efficiency by leveraging lattice-based cryptography. It ensures reliable protection against both classical and quantum adversaries, making it suitable for various real-world applications.
NIST selected ML-DSA (Dilithium) as one of four algorithms for digital signatures, used when identities need to be verified or documents or code need to be signed. ML-KEM (Kyber), FN-DSA (Falcon) and SLH-DSA (SPHINCS+) are the other three algorithms. The standards for ML-KEM, ML-DSA, and SLH-DSA were finalized in August 2024. We should begin testing them to observe their behavior and prepare for the migration. We recommend using only standardized quantum-safe algorithms in production.
Follow this tutorial to set up a PKI with a Root CA and an Issuing Sub CA using the ML-DSA (Dilithium) algorithms. In this tutorial, you will learn how to:
An end entity certificate will be issued as part of the SignServer tutorial; more information is below.
An EJBCA instance running where you can create new crypto tokens and CAs. The EJBCA instance must use certificate-based authentication for access to the Admin UI. The same superadmin certificate will be used for SignServer access in the SignServer tutorial that demonstrates quantum-safe signing.
To learn how to configure a certificate profile template and CA-defined default values, see the tutorial Create a PKI Hierarchy in EJBCA.
After using EJBCA as a PKI to issue quantum-safe certificates for signing, you can then use SignServer for quantum-ready signing.
The following tutorial demonstrates how you can use SignServer to sign generic data. In this tutorial, you will learn how to:
SignServer is installed and running. To learn how to get started with SignServer Community as a Docker container, follow the Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access.
EJBCA running with a quantum-safe PKI setup. To learn how to set up quantum-safe PKI with EJBCA Community as a Docker container.
Check out the supplementary documentation that goes hand-in-hand with our tutorial videos.
Get your hands on the EJBCA and SignServer Docker containers by downloading them now from Docker Hub.
Take a peek at our playlist on YouTube, and browse through some of our other videos as well.
You can ask your questions and learn from PKI and Signing specialists in the SignServer forum on GitHub Discussions.
Keyfactor has created PQC Lab, a place for IT leaders, security pros, and developers to learn, explore, and prepare for the quantum-safe world.