When transitioning between different cryptographic algorithms, hybrid certificates are one option.
When transitioning from classic cryptography to post-quantum cryptography (PQC), there will be a period in which different endpoints support different algorithms: some will already have been updated, while others will not. To keep communication secure during this phase, endpoints need a way to negotiate their capabilities. Hybrid certificates are an effective tool for this migration because a single certificate carries both a classic and a PQC key and signature, so an endpoint that is not yet PQC-capable can fall back to the classic algorithm while an updated endpoint can verify the PQC one, preserving compatibility and security throughout the transition.
EJBCA supports hybrid certificates, also known as Catalyst or X.509 Alternative certificates. They are standardized as X.509 Alternative Keys and are further discussed in ITU-T X.509, in X9.146 (20240122), and, in a non-quantum context, in ISO 15118-20.
In this tutorial, you will learn how to create a post-quantum cryptography (PQC) hybrid Certificate Authority (CA) chain that uses RSA for the traditional key and ML-DSA, also known as Dilithium, for the PQC key.
The tutorial covers these steps:
Prerequisite: a running EJBCA instance with an active certificate authority (CA), certificate profiles, end entity profiles, and roles configured. To get started, see the playlist: Get started with EJBCA and TLS certificates.