Tech Update: Preparing for the migration to post-quantum public key algorithms with hybrid certificates

You can now use X.509 Section 9.8 extensions to enable hybrid certificates and CRLs with the Bouncy Castle APIs. Support for this has been problematic up until recently due to patent issues which are now resolved. While we are early adopters, we expect other libraries to follow suit soon. This feature is most interesting for users looking at planning the migration process from classical public key algorithms to post-quantum public key algorithms.

Preparing for PQC migration

The “alt” extensions described in X.509, Section 9.8, are designed to support an additional public key and/or signature. The use of the extensions enable a certificate to support keys from both classical and post-quantum algorithms together. This allows the certificate to be deployed even to hardware that cannot currently support the post-quantum algorithm used in the “alt” extensions and is still used in its original classical context. As the software on the machine using the certificate is updated to utilize post-quantum algorithms, the same certificate can continue to be used.

Hybrid Certificate support in Bouncy Castle, EJBCA and SignServer

Supporting this in Bouncy Castle is also the first step to using the X.509 alt extension in EJBCA, SignServer and other Keyfactor products. However, the Bouncy Castle Kotlin project lets you try it out now.

Try it out today with the Bouncy Castle Kotlin project

Bouncy Castle Kotlin uses the Bouncy Castle Java libraries to create PQC keys. There are examples of how to create hybrid certificates and more. This makes getting started with PQC hybrid certificates easy!

• Access the BC Kotlin project on GitHub – Engineers, PKI and cryptography professionals, this is for you.

Check out our tutorial videos:

• Video Tutorial – Use the Bouncy Castle Kotlin project to generate PQC Keys
• Video Tutorial – Use the Bouncy Castle Kotlin project to create a Hybrid Certificate