As of right now, SignServer supports ML_DSA (Dilithium) and SLH-DSA (SPHINCS+) algorithms for CMS and raw signing.
Challenge
Migrating to new quantum-ready cryptography algorithms requires careful evaluation of existing solutions and properly optimizing the environment. As a developer, you must take into consideration:
You can also read more here:
Solution
The reality is that there are still many unanswered questions, and it will take some time before all the pieces fall into place. SignServer and EJBCA offer a seamless solution for quantum-safe signing and signing certificates alongside the existing PKI and signing environment. This ensures a smooth experience with minimal disruption to your current infrastructure. You can begin experimenting with the technology and gradually understand its relevance to your specific environment over time.
Currently, ML-DSA (Dilithium) and SHL-DSA (SPHINCS+) are supported in SignServer for CMS and raw signing.
EJBCA supports ML-DSA (Dilithium) and NL-DSA (Falcon) algorithms for Root CAs, Issuing CAs, and End entities.
Check out our how-tos and video on:
Please note, the final standards for ML-KEM, ML-DSA and SLH-DSA were finalized in August 2024. We recommend only using standardized quantum-safe algorithms in production environments.
Stay up-to-date on the latest SignServer news and updates through our news feed. From product releases to the newest tutorial videos and guides, our feed provides the latest information on all things related to SignServer. Don't miss out on our upcoming events, live or online, designed to provide valuable knowledge and hands-on experiences. Join our community and stay in the know with SignServer.