1. Home
  2. /
  3. ML-DSA (Dilithium) signing certificate and code signing in SignServer

ML-DSA (Dilithium) signing certificate and code signing in SignServer

Set up your first quantum-ready PKI. Create your ML-DSA (Dilithium) Root CAs, Issuing CAs, and end entities for code signing. Then sign data in SignServer.

dilithium logo

The standards will be finalized in early 2024 - we should start testing today

The ML-DSA (Dilithium) algorithm offers strong security and efficiency by leveraging lattice-based cryptography. It ensures reliable protection against both classical and quantum adversaries, making it suitable for various real-world applications.

NIST selected ML-DSA (Dilithium) as one of four algorithms for digital signatures, used when identities need to be verified or documents or code need to be signed. ML-KEM (Kyber), NL-DSA (Falcon) and SLH-DSA (SPHINCS+) are the other three algorithms. Despite the fact that the standards for these algorithms are not yet finalized, they will be in early 2024, we can begin testing candidates to see how they behave and prepare for the migration.

How to get started

Learn how to create a PKI and Certificate Authorities (CAs) using a quantum-safe algorithm

Follow this tutorial to set up a PKI with a Root CA and an Issuing Sub CA using the ML-DSA (Dilithium) algorithms. In this tutorial, you will learn how to:

  • Create certificate profiles for a Root CA and a Sub CA
  • Create Crypto Tokens with ML-DSA 2 and 3 keys used for CA signing keys
  • Create a Root CA using the ML-DSA 3 signature algorithm
  • Create a Sub CA, signed by the Root CA, using the ML-DSA 2 signature algorithms

An end entity certificate will be issued as part of this SignServer tutorial, more information is below.


An EJBCA instance running where you can create new crypto tokens and CAs. The EJBCA instance must use certificate-based authentication for access to the Admin UI. The same superadmin certificate will be used for SignServer access in the SignServer tutorial that demonstrates quantum-safe signing. 

To learn how to configure a certificate profile template and CA-defined default values, see the tutorial Create a PKI Hierarchy in EJBCA.



Learn how to configure SignServer for signing using the ML-DSA (Dilithium) quantum-safe algorithm

After using EJBCA as a PKI to issue quantum-safe certificates for signing, you can then use SignServer for quantum-ready signing.

The following tutorial demonstrates how you can use SignServer to sign generic data. In this tutorial, you will learn how to:

  • Create signing key and CSR in SignServer
  • Issue signing certificate
  • Activate signing worker in SignServer
  • Sign data with SignServer


SignServer is installed and running. To learn how to get started with SignServer Community as a Docker container, you can follow the Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access

EJBCA running with a quantum-safe PKI setup. To learn how to set up quantum-safe PKI with EJBCA Community as a Docker container.





Check out the supplementary documentation that goes hand-in-hand with our tutorial videos. 

Docker Hub

Get your hands on the EJBCA and SignServer Docker containers by downloading it now from Docker Hub.


Take a peek at our playlist on YouTube, and browse through some of our other videos as well.


You can ask your questions and learn from PKI specialists in the EJBCA forum on GitHub Discussions.

Would you like to gain more knowledge on the subject?

Keyfactor has created PQC Lab, a place for IT leaders, security pros, and developers to learn, explore, and prepare for the quantum-safe world.

Related open-source projects