PKI migration to post-quantum

PKI migration to post-quantum cryptography is the replacement of quantum-vulnerable signature algorithms, chiefly RSA and ECDSA, throughout public key infrastructure: root and intermediate certificates, end-entity certificates, hardware security modules, revocation systems, and certificate transparency logs. It is widely considered the slowest and most complex phase of the post-quantum transition, harder than the key exchange upgrades already deployed.

Why certificates are the hard part

Unlike key exchange, certificate signatures are not exposed to harvest now, decrypt later: a digital signature scheme only needs to be unforgeable at the moment it is verified. What makes PKI slow is coordination and inertia. Root certificates are embedded in operating systems, browsers, and devices that live for a decade or more, and every relying party must be able to validate a new algorithm before certificate authorities can issue with it.

Size compounds the problem. An ML-DSA-44 key under FIPS 204 occupies 1312 bytes and its signature 2420 bytes, against roughly 32 and 64 bytes for Ed25519. A TLS certificate chain typically carries several signatures and public keys plus certificate transparency timestamps, so a fully post-quantum chain grows by many kilobytes, straining handshake latency budgets, embedded TLS stacks, and log infrastructure. The stateless hash-based SLH-DSA is more conservative but has even larger signatures, which is why it is discussed mainly for roots and firmware signing rather than end-entity certificates.

NIST IR 8547 and the deprecation timeline

The primary US government roadmap is NIST IR 8547, Transition to Post-Quantum Cryptography Standards, released as an initial public draft in November 2024. It proposes deprecating quantum-vulnerable algorithms at the 112-bit classical security level (such as RSA-2048 and ECDSA P-224) after 2030 and disallowing quantum-vulnerable public-key algorithms entirely after 2035, replacing them with the algorithms standardized through the NIST Post-Quantum Cryptography Standardization process. The NSA's CNSA 2.0 suite sets a comparable schedule for national security systems, with exclusive use of post-quantum algorithms targeted by the early 2030s. These dates function as planning anchors for the private sector even where they are not binding.

Inventory first: the CBOM

Nearly all official guidance makes discovery the first step. Organizations rarely know where certificates, keys, and algorithms actually live across applications, appliances, and vendor firmware. The Cryptography Bill of Materials (CBOM), standardized in OWASP CycloneDX 1.6, gives that inventory a machine-readable form, recording algorithms, key sizes, protocols, and dependencies so that quantum-vulnerable usage can be tracked and prioritized. US federal guidance collected under CISA's post-quantum initiative likewise directs agencies to inventory cryptographic systems and prioritize by data lifetime and system longevity. Inventory work also exposes how little cryptographic agility most systems have, which is itself a finding: hard-coded algorithms must be refactored before any algorithm swap is possible.

Hybrid and composite certificates

Because post-quantum signature schemes are young, researchers have explored certificates that carry both a classical and a post-quantum binding, mirroring hybrid cryptography for key exchange. The most developed approach is composite signatures, in which one certificate contains a combined key and a combined signature covering both algorithms; the IETF LAMPS working group maintains a draft for composite ML-DSA. Alternatives include parallel certificate hierarchies and certificates with alternative-algorithm extensions. Opinion is divided: hybrid signatures add size and validation complexity without the harvest-time urgency that justified hybrid KEMs, so many practitioners expect the web PKI to migrate directly to single-algorithm ML-DSA certificates once profiles are final.

Web PKI, CT logs, and HSMs

For the public web, the CA/Browser Forum and the browser root programs control the pace, and as of early 2026 no public certificate authority issues post-quantum certificates in production; profiles, root program policies, and test hierarchies are still being worked out. The forum's 2025 decision to shorten maximum TLS certificate lifetimes stepwise to 47 days by 2029 pushes the ecosystem toward the automated issuance that a future algorithm swap will require. Certificate transparency logs must absorb much larger entries, and proposals such as Merkle Tree Certificates restructure issuance around Merkle tree proofs partly to claw back the size that post-quantum signatures add. Behind the CAs sit hardware security modules: root key ceremonies need HSM firmware that implements ML-DSA and SLH-DSA, and vendor support has been arriving gradually as of early 2026. The end state feeds directly into post-quantum TLS, which cannot complete its second phase until this infrastructure moves.

Frequently asked questions

When do RSA and ECDSA certificates stop being acceptable?

The NIST IR 8547 draft proposes deprecating 112-bit classical algorithms after 2030 and disallowing quantum-vulnerable public-key algorithms after 2035 for US federal use; browsers and CAs will set their own schedules.

What is the first practical step for an organization?

A cryptographic inventory: discover where certificates, keys, and algorithms are used, record them in a machine-readable form such as a CBOM, and prioritize systems by data lifetime and trust anchor longevity.

Sources

  1. NIST IR 8547 (Initial Public Draft), Transition to Post-Quantum Cryptography Standards (NIST, 2024)
  2. FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
  3. Composite ML-DSA signatures for X.509 (draft-ietf-lamps-pq-composite-sigs) (IETF, 2025)
  4. Merkle Tree Certificates for TLS (draft-davidben-tls-merkle-tree-certs) (IETF, 2025)
  5. CA/Browser Forum (CA/Browser Forum, 2025)
  6. Cryptography Bill of Materials (CBOM) (OWASP CycloneDX, 2024)
  7. Post-Quantum Cryptography Initiative (CISA, 2023)
  8. Announcing the Commercial National Security Algorithm Suite 2.0 (NSA, 2022)
Cite this entry
"PKI migration to post-quantum." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/pki-migration@misc{pqwiki-pki-migration, title = {PKI migration to post-quantum}, howpublished = {\url{https://postquantum.wiki/pki-migration}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }