Post-quantum cryptography (PQC) support
To help you prepare your environments for the impact of quantum computing in the future, DigiCert supports post-quantum cryptography (PQC) signature algorithms.
Supported PQC signature algorithms
DigiCert supports these PQC algorithms in our private CA resources. PQC isn't supported through DigiCert public CAs.
ML-DSA (formerly known as CRYSTALS-Dilithium and Dilithium)
DigiCert employs the version of this algorithm standardized by the National Institute of Standards and Technology (NIST). All ML-DSA key types are supported:
MLDSA-44
MLDSA-65
MLDSA-87
SLH-DSA (formerly known as SPHINCS+)
DigiCert employs the version of this algorithm defined in the NIST initial public draft. We'll update this with the finalized version soon. All SLH-DSA key types are supported:
SLHDSA-128
SLHDSA-192
SLHDSA-256
Note
When using these PQC algorithms, be aware of partial or restricted support for:
Root and key storage. PQC-derived roots currently require SoftHSM for storage. Hardware support is in development and expected soon.
CRL support. ML-DSA and SLH-DSA certificates fully support certificate revocation list (CRL) checking.
OCSP support. ML-DSA and SLH-DSA certificates do not yet support online certificate status protocol (OCSP) checking. Full support for OCSP is in development.
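Because OCSP is not yet available for these certificates, a PQC-signed intermediate or end-entity certificate needs a CRL distribution point for relying parties to check revocation. The following is an added example, not DigiCert code: a standard-library DER walk that names the signature algorithm and reports whether the cRLDistributionPoints extension is present (its contents are not validated). Assumptions: the certificates carry the NIST-registered ML-DSA OIDs, SLH-DSA is left out because the page describes it as following the draft, the function names are introduced here, and the sample bytes are constructed skeletons, not real certificates.

```python
# Added example: stdlib-only DER walk; the sample bytes at the end are constructed skeletons.
ML_DSA_OIDS = {  # NIST-registered signature OIDs (assumed to be what the CA emits)
    "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
    "2.16.840.1.101.3.4.3.19": "ML-DSA-87",
}
CRL_DP_OID = "2.5.29.31"  # id-ce-cRLDistributionPoints

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements packed in buf[start:end]."""
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def oid(raw):
    """Decode DER OID content bytes to dotted form."""
    first = min(raw[0] // 40, 2)
    arcs, v = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def revocation_report(cert):
    """Name the signature algorithm and say whether a CRL pointer is present."""
    _, s, e = tlv(cert, 0)
    tbs, sig_alg, _sig = children(cert, s, e)
    _, a, b = tlv(cert, sig_alg[1])
    alg, ext_oids = oid(cert[a:b]), set()
    for tag, cs, _ce in children(cert, tbs[1], tbs[2]):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            _, ls, le = tlv(cert, cs)
            for _, xs, _xe in children(cert, ls, le):
                _, a, b = tlv(cert, xs)
                ext_oids.add(oid(cert[a:b]))
    pqc, has_crl = alg in ML_DSA_OIDS, CRL_DP_OID in ext_oids
    return {"algorithm": ML_DSA_OIDS.get(alg, alg), "has_crl_dp": has_crl,
            "no_revocation_path": pqc and not has_crl}  # OCSP is not an option here

_ALG = "300b0609608648016503040312"  # AlgorithmIdentifier { id-ml-dsa-65 }
_EXT = "a30d300b" "30090603551d1f04023000"  # [3] { cRLDistributionPoints, empty value }
WITH_CRL = bytes.fromhex("3032" "301f" "020101" + _ALG + _EXT + _ALG + "03020000")
NO_CRL = bytes.fromhex("3023" "3010" "020101" + _ALG + _ALG + "03020000")
```

Root certificates normally carry no CRL distribution point, so run the check on intermediates and end-entity certificates, passing the DER bytes of each.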
Integrating PQC signature algorithms
Applying a PQC signature algorithm varies among the DigiCert portals and their associated tasks. In general, select the template or profile that identifies PQC support for the algorithm. Then specify algorithm type, key size, and other settings as needed.
For example, in CA Services, to generate a PQC-signed root CA:
Go to Roots.
Select Create root CA.
For Template, select the template name that identifies the PQC algorithm you want to use.
Specify other settings as needed and create the new root CA.
Issue intermediate CAs and end-entity certificates signed by the root CA and the selected PQC algorithm.
Emerging PQC signature algorithms
Go to DigiCert's PQC Labs to research and evaluate other PQC algorithms, such as Composite ML-KEM (CRYSTALS-Kyber) and FN-DSA (Falcon).