Tutorial - Create a Post-Quantum PKI
Learn how to create Certificate Authorities (CAs) using a quantum-safe algorithm.
Migration to post-quantum cryptography will be the largest cryptographic migration undertaken, and it will affect all applications using asymmetric encryption today, i.e. everything that used one of the RSA, EC, or Ed algorithms because these can be broken if a cryptographically relevant quantum computer (CRQC) can ever be built. You can already start testing the candidate algorithms to see how they behave and prepare for the migration.
Follow this tutorial to set up a PKI with a Root CA and an Issuing Sub CA using the Dilithium algorithm. Note that this tutorial demonstrates how to set up a Post-Quantum Cryptography (PQC) CA hierarchy using the Dilithium algorithm and that using NIST candidate algorithms is suitable for non-production use only.
In this tutorial, you will learn how to:
Create certificate profiles for a Root CA and a Sub CA
Create Crypto Tokens with Dilithium 2 and Dilithium 3 keys used for CA signing keys
Create a Root CA using the Dilithium 3 signature algorithm
Create a Sub CA, signed by the Root CA, using the Dilithium 2 signature algorithms
An end entity certificate can be issued following the tutorial SignServer Post-Quantum signing.
Prerequisites
For this tutorial, EJBCA Community Docker container version 8.0 was used.
Before you begin, you need:
Docker running in the background. To download and install, refer to the Docker documentation.
A running EJBCA instance, version 8.0 or later.
To have set up the EJBCA instance to use certificate-based authentication for access to the Admin UI. The same superadmin certificate will be used for SignServer access in the following tutorial. To learn how to configure a certificate profile template and CA-defined default values, see the tutorial Create a PKI Hierarchy in EJBCA.
Step 1 - Create certificate profiles
The first step towards creating a CA hierarchy is to create certificate profiles for the Root CA and Sub CA. The certificate profile defines the constraints of new certificates, for example, what keys it can use, and what the extensions will be. For an introduction to certificate profiles, see the Certificate Profiles Overview.
Create Root CA certificate profile
The following provides steps for creating a simple Root CA certificate profile by cloning the default ROOTCA certificate profile. For tutorials on how to create more production-like profiles, see for example Create your first Root CA using EJBCA.
To create a certificate profile for creating the Root CA in a later step, do the following:
In EJBCA, under CA Functions, click Certificate Profiles.
The Manage Certificate Profiles page displays a list with default profiles.Click Clone next to the ROOTCA template to use that as a basis for creating your new Root CA profile.
Specify a Name of new certificate profile, such as MyPQCRootCAProfile, and click Create from template.
To edit the profile values to fit your needs, find the newly created MyPQCRootCAProfile displayed in the list and click Edit.
On the Edit page, update the following to use Dilithium keys:
For Available Key Algorithms, select Diithium3.
For Signature Algorithm, verify that Inherit from Issuing CA is selected.
For Validity or end date of the certificate, specify 30y.
Clear LDAP DN Order.
Click Save to store the Root CA certificate profile.
The newly created MyPQCRootCAProfile is displayed in the list of certificate profiles.
Create Sub CA certificate profile
To create a certificate profile for creating the Sub CA in a later step, do the following:
On the EJBCA Manage Certificate Profiles page, click Clone by the SUBCA profile to create a new profile using that template.
Name the new certificate profile MyPQCSubCAProfile, and click Create from template.
To edit the profile values to fit your needs, find the newly created MyPQCSubCAProfile displayed in the list and click Edit.
On the Edit page, update the following to use Dilithium keys:
For Available Key Algorithms, select Dilithium2.
For Signature Algorithm, verify that Inherit from Issuing CA is selected.
For Validity or end date of the certificate, specify 15y.
Clear LDAP DN Order.
Click Save to store the Sub CA certificate profile.
The newly created MyPQCSubCAProfile is displayed in the list of certificate profiles.
Step 2 - Create crypto tokens for the Root CA and Sub CA
Next, you will create crypto tokens holding CA signing keys needed for creating the CAs in a later step.
Create Root CA crypto token
To create a soft Root CA crypto token and keys, follow these steps:
In the EJBCA menu, under CA Functions, click Crypto Tokens.
Click Create new and specify the following on the New Crypto Token page:
Name: Specify a name for the Root CA crypto token, such as RootCAPQC.
Authentication Code: Enter a password to be used to activate the crypto token if the container is restarted. Remember this password.
Click Save to create the Root CA crypto token.
Next, generate three CA keys:
For the signKey, select Dilithium3, and then click Generate new key pair to create the keys.
Repeat to create a test key: name the key testKey, select Dilithium3 as the CA signing key is using, and then click Generate new key pair.
Last, repeat to create an internal encryption key: name the key encryptKey, select RSA2048, and then click Generate new key pair.
You have now created the Root CA crypto token and keys.
Create Sub CA crypto token
To create a soft Sub CA crypto token and keys, follow these steps:
In the EJBCA menu, under CA Functions, click Crypto Tokens.
Click Create new and specify the following on the New Crypto Token page:
Name: Specify a name for the Sub CA crypto token, such as SubCAPQC.
Authentication Code: Enter a password for auto-activation.
Click Save to create the Sub CA crypto token.
Next, generate the same three keys for the Sub CA:
For the signKey, select Dilithium2, and then click Generate new key pair to create the keys.
Repeat to create a test key: name the key testKey, select Dilithium2 as the CA signing key is using, and then click Generate new key pair
Last, repeat to create an internal encryption key: name the key encryptKey, select RSA2048, and then click Generate new key pair.
You have now created the Sub CA crypto token and keys.
Step 3 - Create Root CA
To create the Root CA, follow these steps:
Click Certification Authorities under CA Functions.
In the Add CA field, enter a name such as "PQCRootCA" and click Create.
On the Create CA page, update the following:
Select the Root CA crypto token RootCAPQC (created earlier in Tutorial - Create a Post-Quantum PKI#Step 2 - Create crypto tokens for the Root CA and Sub CA) in the Crypto Token list.
For Signing Algorithm, select Dilithium3.
Note that the keys are mapped for their intended usages and the defaultKey, certSignKey, and testKey are automatically selected with the keys you created.
Under CA Certificate Data, specify the following:
Subject DN: Enter a subject DN,, such as "CN=PQC Root CA, O=PQC Lab, C=SE".
Signed By: Verify that Self Signed is selected.
Certificate Profile: Verify that MyPQCRootCAProfile is selected.
Validity: Specify 30y.
LDAP DN order: Clear Use.
Click Create to create the Root CA.
The created Root CA is displayed in the list of CAs.
Step 4 - Create Sub CA
To create the Sub CA to be signed by the Root CA, follow these steps:
Click Certification Authorities under CA Functions.
In the Add CA field, enter a name such as “PQCSubCA” and click Create.
On the Create CA page, update the following:
Select the Sub CA crypto token SubCAPQC (created earlier in Tutorial - Create a Post-Quantum PKI#Step 2 - Create crypto tokens for the Root CA and Sub CA) in the Crypto Token list.
For Signing Algorithm, select Dilithium2.
Note that the keys are mapped for their intended usages and the defaultKey, certSignKey, and testKey are automatically selected with the keys you created.
Under CA Certificate Data, specify the following:
Subject DN: Enter a subject DN,, such as "CN=PQC Sub CA, O=PQC Lab, C=SE".
Signed By: Select PQCRootCA to have it signed by the local Root CA.
Certificate Profile: Verify that MyPQCSubCAProfile is selected.
Validity: Specify 15y.
LDAP DN order: Clear Use.
Click Create to create the Sub CA.
The created Sub CA is displayed in the list of CAs.
You have now created a two-tier public key infrastructure (PKI) hierarchy with a Root CA and subordinate CA.
Step 5 - View and download CA certificates
To view and download the CA certificates:
Click CA Structure & CRLs under CA Functions.
For the Root CA PQCRootCA, click View Certificate to view the SubCA certificate.
For the Sub CA PQCSubCA, click View Certificate to view the SubCA certificate.
To download the Management CA certificate in PEM format, click Download PEM file for the ManagementCA. You will need this when configuring SignServer.
The ManaggementCA_cacert.pem file is downloaded and ready to be used in the next tutorial using SignServer.
Next steps
In this tutorial, you learned how to create a PKI using the Dilithium algorithm.
Here are some next steps we recommend:
To learn how to get sign data using Dilithium, you can follow the tutorial SignServer Post-Quantum signing.
If you are interested in EJBCA Enterprise, read more on Keyfactor EJBCA Enterprise.
If you are interested in EJBCA Community, check out EJBCA Community vs Enterprise or read more on ejbca.org.
If you are an EJBCA Enterprise customer and need support, visit the Keyfactor Support Portal.
Discuss with the EJBCA Community on GitHub Discussions.