Skip to main content
Skip table of contents

Tutorial - Create a Post-Quantum PKI

Learn how to create Certificate Authorities (CAs) using a quantum-safe algorithm.

Migration to post-quantum cryptography will be the largest cryptographic migration undertaken, and it will affect all applications using asymmetric encryption today, i.e. everything that used one of the RSA, EC, or Ed algorithms because these can be broken if a cryptographically relevant quantum computer (CRQC) can ever be built. You can already start testing the candidate algorithms to see how they behave and prepare for the migration.

Follow this tutorial to set up a PKI with a Root CA and an Issuing Sub CA using the Dilithium algorithm. Note that this tutorial demonstrates how to set up a Post-Quantum Cryptography (PQC) CA hierarchy using the Dilithium algorithm and that using NIST candidate algorithms is suitable for non-production use only.

In this tutorial, you will learn how to:

  • Create certificate profiles for a Root CA and a Sub CA
  • Create Crypto Tokens with Dilithium 2 and Dilithium 3 keys used for CA signing keys
  • Create a Root CA using the Dilithium 3 signature algorithm
  • Create a Sub CA, signed by the Root CA, using the Dilithium 2 signature algorithms

An end entity certificate can be issued following the tutorial SignServer Post-Quantum signing.

Prerequisites

Before you begin, you need Docker running in the background. To download and install, refer to the Docker documentation.

You also need a running EJBCA (version 8.0 or later) instance where you can create new crypto tokens and CAs. The EJBCA instance must use certificate-based authentication for access to the Admin UI. The same superadmin certificate will be used for SignServer access in the following tutorial. To learn how to configure a certificate profile template and CA-defined default values, see the tutorial Create a PKI Hierarchy in EJBCA.

Step 1 - Create certificate profiles

The first step towards creating a CA hierarchy is to create certificate profiles for the Root CA and Sub CA. The certificate profile defines the constraints of new certificates, for example, what keys it can use, and what the extensions will be. For an introduction to certificate profiles, see the Certificate Profiles Overview.

Create Root CA certificate profile

The following provides steps for creating a simple Root CA certificate profile by cloning the default ROOTCA certificate profile. For tutorials on how to create more production-like profiles, see for example Create your first Root CA using EJBCA.

To create a certificate profile for creating the Root CA in a later step, do the following:

  1. In EJBCA, under CA Functions, click Certificate Profiles.
    The Manage Certificate Profiles page displays a list with default profiles.
  2. Click Clone next to the ROOTCA template to use that as a basis for creating your new Root CA profile.
  3. Specify a Name of new certificate profile, such as MyPQCRootCAProfile, and click Create from template.
  4. To edit the profile values to fit your needs, find the newly created MyPQCRootCAProfile displayed in the list and click Edit.
  5. On the Edit page, update the following to use Dilithium keys:
    • For Available Key Algorithms, select Diithium3.
    • For Signature Algorithm, verify that Inherit from Issuing CA is selected.
    • For Validity or end date of the certificate, specify 30y.
    • Clear LDAP DN Order.
  6. Click Save to store the Root CA certificate profile.

The newly created MyPQCRootCAProfile is displayed in the list of certificate profiles.

Create Sub CA certificate profile

To create a certificate profile for creating the Sub CA in a later step, do the following:

  1. On the EJBCA Manage Certificate Profiles page, click Clone by the SUBCA profile to create a new profile using that template.
  2. Name the new certificate profile MyPQCSubCAProfile, and click Create from template.
  3. To edit the profile values to fit your needs, find the newly created MyPQCSubCAProfile displayed in the list and click Edit.
  4. On the Edit page, update the following to use Dilithium keys:
    • For Available Key Algorithms, select Dilithium2.
    • For Signature Algorithm, verify that Inherit from Issuing CA is selected.
    • For Validity or end date of the certificate, specify 15y.
    • Clear LDAP DN Order.
  5. Click Save to store the Sub CA certificate profile.

The newly created MyPQCSubCAProfile is displayed in the list of certificate profiles.

Step 2 - Create crypto tokens for the Root CA and Sub CA

Next, you will create crypto tokens holding CA signing keys needed for creating the CAs in a later step.

Create Root CA crypto token

To create a soft Root CA crypto token and keys, follow these steps:  

  1. In the EJBCA menu, under CA Functions, click Crypto Tokens.

  2. Click Create new and specify the following on the New Crypto Token page:
    • Name: Specify a name for the Root CA crypto token, such as RootCAPQC.
    • Authentication Code: Enter a password to be used to activate the crypto token if the container is restarted. Remember this password.
  3. Click Save to create the Root CA crypto token.
  4. Next, generate three CA keys:
    • For the signKey, select Dilithium3, and then click Generate new key pair to create the keys.
    • Repeat to create a test key: name the key testKey, select Dilithium3 as the CA signing key is using, and then click Generate new key pair.
    • Last, repeat to create an internal encryption key: name the key encryptKey, select RSA2048, and then click Generate new key pair.

You have now created the Root CA crypto token and keys.

Create Sub CA crypto token

To create a soft Sub CA crypto token and keys, follow these steps:  

  1. In the EJBCA menu, under CA Functions, click Crypto Tokens.

  2. Click Create new and specify the following on the New Crypto Token page:
    • Name: Specify a name for the Sub CA crypto token, such as SubCAPQC.
    • Authentication Code: Enter a password for auto-activation.
  3. Click Save to create the Sub CA crypto token.
  4. Next, generate the same three keys for the Sub CA:
    • For the signKey, select Dilithium2, and then click Generate new key pair to create the keys.
    • Repeat to create a test key: name the key testKey, select Dilithium2 as the CA signing key is using, and then click Generate new key pair
    • Last, repeat to create an internal encryption key: name the key encryptKey, select RSA2048, and then click Generate new key pair. 

You have now created the Sub CA crypto token and keys.

Step 3 - Create Root CA

To create the Root CA, follow these steps:

  1. Click Certification Authorities under CA Functions.
  2. In the Add CA field, enter a name such as "PQCRootCA" and click Create.
  3. On the Create CA page, update the following:
    • Select the Root CA crypto token RootCAPQC (created earlier in Tutorial - Create a Post-Quantum PKI#Step 2 - Create crypto tokens for the Root CA and Sub CA) in the Crypto Token list.
    • For Signing Algorithm, select Dilithium3.
    • Note that the keys are mapped for their intended usages and the defaultKey, certSignKey, and testKey are automatically selected with the keys you created.
    • Under CA Certificate Data, specify the following:
      • Subject DN: Enter a subject DN,, such as "CN=PQC Root CA, O=PQC Lab, C=SE".
      • Signed By: Verify that Self Signed is selected.
      • Certificate Profile: Verify that MyPQCRootCAProfile is selected.
      • Validity: Specify 30y.
      • LDAP DN order: Clear Use.
  4. Click Create to create the Root CA.

The created Root CA is displayed in the list of CAs.

Step 4 - Create Sub CA

To create the Sub CA to be signed by the Root CA, follow these steps:

  1. Click Certification Authorities under CA Functions.
  2. In the Add CA field, enter a name such as “PQCSubCA” and click Create.
  3. On the Create CA page, update the following:
    • Select the Sub CA crypto token SubCAPQC (created earlier in Tutorial - Create a Post-Quantum PKI#Step 2 - Create crypto tokens for the Root CA and Sub CA) in the Crypto Token list.
    • For Signing Algorithm, select Dilithium2.
    • Note that the keys are mapped for their intended usages and the defaultKey, certSignKey, and testKey are automatically selected with the keys you created.
    • Under CA Certificate Data, specify the following:
      • Subject DN: Enter a subject DN,, such as "CN=PQC Sub CA, O=PQC Lab, C=SE".
      • Signed By: Select PQCRootCA to have it signed by the local Root CA.
      • Certificate Profile: Verify that MyPQCSubCAProfile is selected.
      • Validity: Specify 15y.
      • LDAP DN order: Clear Use.
  4. Click Create to create the Sub CA.

The created Sub CA is displayed in the list of CAs.

You have now created a two-tier public key infrastructure (PKI) hierarchy with a Root CA and subordinate CA.

Step 5 - View and download CA certificates

To view and download the CA certificates:

  1. Click CA Structure & CRLs under CA Functions.
  2. For the Root CA PQCRootCA, click View Certificate to view the SubCA certificate.
  3. For the Sub CA PQCSubCA, click View Certificate to view the SubCA certificate.
  4. To download the Management CA certificate in PEM format, click Download PEM file for the ManagementCA. You will need this when configuring SignServer.

The ManaggementCA_cacert.pem file is downloaded and ready to be used in the next tutorial using SignServer.

Next steps

In this tutorial, you learned how to create a PKI using the Dilithium algorithm.

To learn how to get sign data using Dilithium, you can follow the tutorial SignServer Post-Quantum signing.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.