
ML-DSA (Dilithium) signing certificate and code signing in SignServer

Set up your first quantum-ready PKI. Create your ML-DSA (Dilithium) Root CAs, Issuing CAs, and end entities for code signing. Then sign data in SignServer.


The standards are finalized - we should start testing today

The ML-DSA (Dilithium) algorithm offers strong security and efficiency by leveraging lattice-based cryptography. It ensures reliable protection against both classical and quantum adversaries, making it suitable for various real-world applications.

NIST selected ML-DSA (Dilithium) as one of four algorithms for digital signatures, used when identities need to be verified or documents or code need to be signed. ML-KEM (Kyber), FN-DSA (Falcon) and SLH-DSA (SPHINCS+) are the other three algorithms. The standards for ML-KEM, ML-DSA, and SLH-DSA were finalized in August 2024. We should begin testing to observe their behavior and prepare for the migration. We recommend using only standardized quantum-safe algorithms in production.

How to get started

Learn how to create a PKI and Certificate Authorities (CAs) using a quantum-safe algorithm

Follow this tutorial to set up a PKI with a Root CA and an Issuing Sub CA using the ML-DSA (Dilithium) algorithms. In this tutorial, you will learn how to:

  • Create certificate profiles for a Root CA and a Sub CA
  • Create Crypto Tokens with ML-DSA 2 and 3 keys used for CA signing keys
  • Create a Root CA using the ML-DSA 3 signature algorithm
  • Create a Sub CA, signed by the Root CA, using the ML-DSA 2 signature algorithm

An end entity certificate will be issued as part of the SignServer tutorial; more information is below.

Prerequisites

An EJBCA instance running where you can create new crypto tokens and CAs. The EJBCA instance must use certificate-based authentication for access to the Admin UI. The same superadmin certificate will be used for SignServer access in the SignServer tutorial that demonstrates quantum-safe signing. 

To learn how to configure a certificate profile template and CA-defined default values, see the tutorial Create a PKI Hierarchy in EJBCA.

 


Learn how to configure SignServer for signing using the ML-DSA (Dilithium) quantum-safe algorithm

After using EJBCA as a PKI to issue quantum-safe certificates for signing, you can then use SignServer for quantum-ready signing.

The following tutorial demonstrates how you can use SignServer to sign generic data. In this tutorial, you will learn how to:

  • Create signing key and CSR in SignServer
  • Issue signing certificate
  • Activate signing worker in SignServer
  • Sign data with SignServer

Prerequisites

SignServer is installed and running. To learn how to get started with SignServer Community as a Docker container, follow the Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access.

EJBCA running with a quantum-safe PKI setup. To learn how to set up quantum-safe PKI with EJBCA Community as a Docker container.

 


Tutorials/documentation

Documentation

Check out the supplementary documentation that goes hand-in-hand with our tutorial videos.

Docker Hub

Get your hands on the EJBCA and SignServer Docker containers by downloading them now from Docker Hub.

YouTube

Take a peek at our playlist on YouTube, and browse through some of our other videos as well.

Discussions

You can ask your questions and learn from PKI and Signing specialists in the SignServer forum on GitHub Discussions.

Would you like to gain more knowledge on the subject?

Keyfactor has created PQC Lab, a place for IT leaders, security pros, and developers to learn, explore, and prepare for the quantum-safe world.

Related open-source projects