
ML-DSA (Dilithium) signing certificate and code signing in SignServer

Set up your first quantum-ready PKI. Create your ML-DSA (Dilithium) Root CAs, Issuing CAs, and end entities for code signing. Then sign data in SignServer.


The standards are finalized - we should start testing today

The ML-DSA (Dilithium) algorithm offers strong security and efficiency by leveraging lattice-based cryptography. It ensures reliable protection against both classical and quantum adversaries, making it suitable for various real-world applications.

NIST selected ML-DSA (Dilithium) as one of four algorithms for digital signatures, used when identities need to be verified or documents or code need to be signed. ML-KEM (Kyber), FN-DSA (Falcon) and SLH-DSA (SPHINCS+) are the other three algorithms. The standards for ML-KEM, ML-DSA, and SLH-DSA were finalized in August 2024. We should begin testing to observe their behavior and prepare for the migration. We recommend using only standardized quantum-safe algorithms in production.

How to get started

Learn how to create a PKI and Certificate Authorities (CAs) using a quantum-safe algorithm

Follow this tutorial to set up a PKI with a Root CA and an Issuing Sub CA using the ML-DSA (Dilithium) algorithms. In this tutorial, you will learn how to:

  • Create certificate profiles for a Root CA and a Sub CA
  • Create Crypto Tokens with ML-DSA 2 and 3 keys used for CA signing keys
  • Create a Root CA using the ML-DSA 3 signature algorithm
  • Create a Sub CA, signed by the Root CA, using the ML-DSA 2 signature algorithm

An end entity certificate will be issued as part of the SignServer tutorial; more information is below.

Prerequisites

An EJBCA instance running where you can create new crypto tokens and CAs. The EJBCA instance must use certificate-based authentication for access to the Admin UI. The same superadmin certificate will be used for SignServer access in the SignServer tutorial that demonstrates quantum-safe signing. 

To learn how to configure a certificate profile template and CA-defined default values, see the tutorial Create a PKI Hierarchy in EJBCA.

 


Learn how to configure SignServer for signing using the ML-DSA (Dilithium) quantum-safe algorithm

After using EJBCA as a PKI to issue quantum-safe certificates for signing, you can then use SignServer for quantum-ready signing.

The following tutorial demonstrates how you can use SignServer to sign generic data. In this tutorial, you will learn how to:

  • Create signing key and CSR in SignServer
  • Issue signing certificate
  • Activate signing worker in SignServer
  • Sign data with SignServer

Prerequisites

SignServer is installed and running. To learn how to get started with SignServer Community as a Docker container, follow the Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access

EJBCA running with a quantum-safe PKI setup. To learn how to set up quantum-safe PKI with EJBCA Community as a Docker container.

 


Tutorials/documentation

Documentation

Check out the supplementary documentation that goes hand-in-hand with our tutorial videos.

Docker Hub

Get your hands on the EJBCA and SignServer Docker containers by downloading them now from Docker Hub.

YouTube

Take a peek at our playlist on YouTube, and browse through some of our other videos as well.

Discussions

You can ask your questions and learn from PKI and Signing specialists in the SignServer forum on GitHub Discussions

Would you like to gain more knowledge on the subject?

Keyfactor has created PQC Lab, a place for IT leaders, security pros, and developers to learn, explore, and prepare for the quantum-safe world.
