1. Home
  2. /
  3. Use cases
  4. /
  5. Quantum-ready code signing

Quantum-ready code signing

As of right now, SignServer supports ML_DSA (Dilithium) and SLH-DSA (SPHINCS+) algorithms for CMS and raw signing.

hero-sub-2-white

Challenge

Considerations for Migrating to New Algorithms and Ensuring Compatibility

Migrating to new quantum-ready cryptography algorithms requires careful evaluation of existing solutions and properly optimizing the environment. As a developer, you must take into consideration:

  • Which algorithms have broad compatibility
  • Use case-specific requirements
  • The benefits and complexities of hybrid certificates
  • How to operationalize (i.e system architecture, infrastructure needs, HSM support, and protocol compatibility
  • Which legacy systems may need “isolation” and be front-ended with enhanced security

You can also read more here:

Get ready for Quantum-ready Cryptography

arrow

Solution

Seamless support for Quantum-ready PKI and signing

The reality is that there are still many unanswered questions, and it will take some time before all the pieces fall into place. SignServer and EJBCA offer a seamless solution for quantum-safe signing and signing certificates alongside the existing PKI and signing environment. This ensures a smooth experience with minimal disruption to your current infrastructure. You can begin experimenting with the technology and gradually understand its relevance to your specific environment over time.

Currently, ML-DSA (Dilithium) and SHL-DSA (SPHINCS+) are supported in SignServer for CMS and raw signing.

EJBCA supports ML-DSA (Dilithium) and NL-DSA (Falcon) algorithms for Root CAs, Issuing CAs, and End entities. 

Check out our how-tos and video on:

  • Issue ML-DSA code signing certificate with EJBCA and sign code in SignServer
  • Create a hybrid certificate using the Bouncy Castle Kotlin project

Please note, the final standards for ML-KEM, ML-DSA and SLH-DSA were finalized in August 2024. We recommend only using standardized quantum-safe algorithms in production environments. 

Tutorials

SignServer logo thumbnail
Code signing
Post-quantum
2023-07-04

ML-DSA (Dilithium) Signing Certificate and Signing in SignServer

Set up your first quantum-ready PKI. Create your ML-DSA (Dilithium) Root CAs, Issuing CAs, and end entities for code signing. Then sign data in SignServer. The ML-DSA (Dilithium) algorithm offers strong security and efficiency by l...
ML-DSA

Get inspired

Stay up-to-date on the latest SignServer news and updates through our news feed. From product releases to the newest tutorial videos and guides, our feed provides the latest information on all things related to SignServer. Don't miss out on our upcoming events, live or online, designed to provide valuable knowledge and hands-on experiences. Join our community and stay in the know with SignServer.

Keyfactor Release
Implementing Cryptography
Post-Quantum Cryptography
Release
Ejbca
Signserver
4 December, 2024

NIST PQC Support and more – Bouncy Castle C# .NET 2.5.0

New release: Bouncy Castle C# .NET 2.5.0
PKI hierarchies - 1, 2, 3 tiers ?
DevOps
Signing
Tech Update
Ejbca
Signserver
3 December, 2024

#KEYMASTER: The Emerging Practices around Attestations and SBOMs

Building policy-driven and compliant software supply chains   Join Sven...
PKI hierarchies - 1, 2, 3 tiers ?
Post-Quantum Cryptography
Tech Update
Ejbca
Signserver
26 November, 2024

#KEYMASTERS – Understanding Key Encapsulation Mechanisms (KEM)

In this Keymaster episode, Sven Rajala, International PKI Man of Mystery, has...

Related open-source projects