Tutorial – Issue a PQC Hybrid End Entity Certificate with ML-KEM

In this tutorial, you will learn how to use a post-quantum hybrid PKI to issue an ML-KEM end entity certificate. Since the CA is hybrid, the end entity certificate will also be hybrid, in this case this means being signed using both the classic signature algorithm and the post-quantum ML-DSA algorithm.

The tutorial covers these steps:

Create an End Entity
Create a CMP Alias
Create a CRMF Request and Issue a Certificate using CMP
View the Issued Certificate using OpenSSL

Prerequisites

For this tutorial, EJBCA Enterprise container version 9.2 was used.

This tutorial is also valid for the EJBCA Community container version 9.1 or higher. However, the EJBCA cmpclient is only delivered with EJBCA Enterprise, so if you are a Community user, you need to use your own CMP client instead.

Before you begin, you need:

A running EJBCA instance - Click to learn more

If you don’t already have EJBCA installed, here are some options for you:

Download EJBCA - Free and open-source EJBCA Community version
- There are tutorials to help you, for example, see this one on how to run the EJBCA Docker container: Quick Start Guide - Start EJBCA Container with Client Certificate Authenticated Access.
Try on AWS - Free 30-day trial EJBCA Cloud on AWS
Try on Azure - Free 30-day trial EJBCA Cloud on Azure

A Post-Quantum PKI set up, see Tutorial - Create Post-Quantum Cryptography Hybrid CA Chain
A CMP Client available:
- For Enterprise users: You can use the EJBCA cmpclient, see CMP Interoperability
- For Community users: See the example code in https://github.com/Keyfactor/ejbca-ce/blob/main/modules/systemtests/src-test/org/ejbca/core/protocol/cmp/CrmfRequestSystemTest.java
OpenSSL installed, to view the certificate.

Step 1 - Create an End Entity

To create an end entity, follow these steps:

In EJBCA, under RA Functions, click Add End Entity.
In the End Entity Profile list, select EMPTY.

The EMPTY End Entity Profile should only be used for testing purposes. In a production environment, you would first create a new End Entity Profile. For more information, see https://docs.keyfactor.com/ejbca/latest/end-entity-profile-operations.

In the Username field, add a name for the new end entity, in this example cmpencert.
In the Password field, enter a one-time enrollment code. Repeat the code in Confirm Password.
In the Common Name field, enter a name, in this example the same as the Username, that is, cmpencert.
In the CA list, select the issuing CA, in this example PQCSub.
Click Add to create the end entity.

You have now created an end entity and can continue with creating a CMP Alias.

Step 2 - Create a CMP Alias

A CMP endpoint also needs to be configured. In EJBCA, this is done by creating a CMP Alias.

To create a CMP Alias, follow these steps:

In EJBCA, under System Configuration, click CMP Configuration.
Under List of CMP Aliases, click Add.
In the Name field, enter a name, in this example cmp.
In CMP Operational Mode, click Client Mode.
In CMP Authentication Module, select HMAC.
In the Extract Username Component list, select CN.
In CMP Response Additional CA Certificates, clear Use.
Click Save.

You have now created a CMP endpoint and can now go on to issue an end entity certificate.

Step 3 - Create a CRMF Request and Issue a Certificate using CMP

When issuing an end entity certificate from a hybrid CA, the certificate will also be hybrid, meaning that it is signed by both CA keys. The certificate request will include indirect Proof-of-Possession, meaning that the certificate is sent back encrypted to the client. For more information, see RFC 4211.

In this example, the EJBCA cmpclient is used. If you run EJBCA Community, you can request a certificate in a similar way with your own CMP client.

To create a Certificate Request Message Format (CRMF) and issue a certificate using the EJBCA cmpclient, follow these steps:

In your terminal, navigate to the cmpclient tool, in this example to /Dev/git/ejbca/dist/cmpclient.
Create a CRMF, using the CMP Alias URL, the End Entity Common Name and Password for the HMAC authentication, the requested key pair for the key encapsulation mechanism to ML-KEM-512, and the includedpopo flag to include proof of possession:
CODE
```
$cmpclient.sh crmf --url http://localhost/ejbca/publicweb/cmp/cmp --dn "CN=cmpencert" --authparam foo234 --reqnewkeyspec ML-KEM-512 --includepopo --v
```

The output is similar to the following. Note that the certificate is decrypted with the ML-KEM-512 private key:

CODE

Creating CRMF request with: SubjectDN=CN=cmpencert
Creating CRMF request with: IssuerDN=null
Creating CRMF request with: AuthenticationModule=null
Creating CRMF request with: EndEntityPassword=
Creating CRMF request with: SubjectAltName=null
Creating CRMF request with: CustomCertSerno=
Creating CRMF request with: IncludePopo=true
Creating CRMF request with: requestValidity=null
Creating CRMF request with: keyID=null
Added POP of type: 2 - encrCert
Using default authentication module: HMAC
Creating protected PKIMessage using: authentication module=HMAC, authentication parameter=foo234
Using CMP URL: http://localhost/ejbca/publicweb/cmp/cmp
Using default destination directory: ./dest/
Decrypting returned certificate with private key of type ML-KEM-512
CRMF request successful. Received certificate stored in dest/cmpencert.pem
Generated private key stored in dest/cmpencert-key.pem

You have now issued an end entity certificate and can view it using OpenSSL.

Step 4 - View the Issued Certificate

In the video tutorial, the open quantum-safe provider is used with OpenSSL. However, this provider is no longer updated for OpenSSL version 3.5 or later. Code examples are given both with and without the oqsprovider. OpenSSL from version 3.5 includes native support for ML-DSA and ML-KEM.

To view the stored certificate, follow these steps:

View the certificate using OpenSSL with the open quantum-safe provider:
CODE
```
$ openssl x509 -in dest/cmpencert.pem -text -provider oqsprovider -provider legacy --noout
```
View the certificate using OpenSSL without the open quantum-safe provider:
CODE
```
$ openssl x509 -in dest/cmpencert.pem -text --noout
```

In the output, you can note the following:

Issuer is PQCSub and the certificate has the subject DN that was configured earlier.
Public Key Algorithm shows the official NIST OID for ML-KEM-512. At the moment, OpenSSL is not able to parse this.

There are some Extensions for the hybrid end entity certificate.

CODE

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:63:64:c6:24:4e:39:0d:32:70:6a:76:01:c5:a2:59:c2:14:f2:e2
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN=PQCSub
        Validity
            Not Before: Sep 24 09:53:32 2024 GMT
            Not After : Sep 24 09:53:31 2025 GMT
        Subject: CN=cmpencert
        Subject Public Key Info:
            Public Key Algorithm: 2.16.840.1.101.3.4.4.1
            Unable to load Public Key
40173D1DF37D0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:            
40173D1DF37D0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:../crypto/x509/x_pubkey.c:458:            
        X509v3 extensions:
            ...

Next steps

In this tutorial, you learned how to issue a hybrid post-quantum certificate using CMP and ML-KEM algorithm.

Here are some next steps we recommend:

To learn more about practical aspects of building hybrid PKIs and seamlessly integrating quantum-safe cryptography into TLS, refer to our Quantum-Ready Workshop: Building Hybrid PKIs and Demonstrating Interoperability.
Stay up to date with the PQC Lab.
For more details, answers to common questions, and Java and C# code examples, see the Bouncy Castle PQC Almanac.

If you are interested in EJBCA Enterprise, read more on Keyfactor EJBCA Enterprise.

If you are interested in EJBCA Community, check out EJBCA Community vs Enterprise or read more on ejbca.org.
If you are an EJBCA Enterprise customer and need support, visit the Keyfactor Support Portal.
Discuss with the EJBCA Community on GitHub Discussions.