Composite certificates are advanced digital certificates (X.509) that combine multiple cryptographic keys and signatures, typically a traditional algorithm (like RSA) and a quantum-safe cryptographic algorithm, into a single, secure entity. This dual-algorithm design enables defense in depth during the transition to quantum-safe cryptography, ensuring security remains intact even if one algorithm is compromised.
For a step-by-step guide to time-stamping using a composite certificate, see Set up Composite Time-stamping.
Components
A composite key pairs a key for a classical algorithm with a key for a quantum-safe algorithm. Composite keys are used to produce composite signatures or to perform composite key exchange.
A composite key in SignServer consists of three key objects in its respective Crypto Token:

- A quantum-safe algorithm key object:
  - Suffix: -COMPQ
- A classical algorithm key object:
  - Suffix: -COMPC
- A virtual key that connects the two key objects in the composite:
  - Suffix: -COMPOSITE
For a list of supported quantum-safe cryptographic algorithms, see Interoperability.
Composite-supporting Crypto Workers
In SignServer, a composite key is created from a Crypto Worker.
The following Crypto Workers support composite keys:

- Keystore Crypto Worker (default name: CryptoTokenP12)
- P11NG Crypto Worker (default name: CryptoTokenP11NG1)
Create a Composite Key Object
To create composite keys in the Crypto Worker:

- Navigate to the Workers page in the Admin Web.
- Select the Crypto Worker, and go to the Crypto Token tab.
- Click Generate Key.
- Under New Key Alias, enter an alias ending with the suffix -COMPOSITE, for example: MyKey-COMPOSITE
- Under Key Algorithm, select Composite.
- Under Key Specification, select MLDSA87-RSA3072-PSS-SHA512.
- Click Generate.
Verify that three key objects were added to the list in the Crypto Token tab:

- MyKey-COMPOSITE
- MyKey-COMPQ (quantum-safe algorithm part of the composite)
- MyKey-COMPC (classical algorithm part of the composite)
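The three-object check above can be automated against a key alias listing exported from the Crypto Token tab. The following script is an added example, not SignServer's own code; it assumes only the -COMPOSITE, -COMPQ and -COMPC naming convention described in the Components section, and the alias listing it reads is constructed for illustration.

```python
from collections import defaultdict

# Suffixes SignServer appends to the three key objects of one composite key
# (see the Components section): the virtual key, the quantum-safe part and
# the classical part.
COMPOSITE_SUFFIXES = ("-COMPOSITE", "-COMPQ", "-COMPC")


def check_composite_keys(aliases):
    """Group Crypto Token key aliases by composite base name and report
    whether each composite has all three key objects.

    Returns a dict mapping base name -> list of missing suffixes, in
    COMPOSITE_SUFFIXES order. An empty list means the composite is complete.
    Aliases that carry none of the suffixes (ordinary keys) are ignored."""
    found = defaultdict(set)
    for alias in aliases:
        for suffix in COMPOSITE_SUFFIXES:
            if alias.endswith(suffix):
                found[alias[: -len(suffix)]].add(suffix)
                break
    return {
        base: [s for s in COMPOSITE_SUFFIXES if s not in present]
        for base, present in found.items()
    }


# Constructed sample listing (assumption, not real SignServer output): one
# composite generated successfully, one where a key object is missing.
SAMPLE_ALIASES = [
    "signer00001",        # an ordinary, non-composite key
    "MyKey-COMPOSITE",
    "MyKey-COMPQ",
    "MyKey-COMPC",
    "Broken-COMPOSITE",
    "Broken-COMPC",       # the -COMPQ object never appeared
]

if __name__ == "__main__":
    for base, missing in check_composite_keys(SAMPLE_ALIASES).items():
        state = "complete" if not missing else "missing " + ", ".join(missing)
        print(f"{base}: {state}")
```

An incomplete composite (for example a -COMPOSITE virtual key whose -COMPQ part is absent) will not be usable for signing, so treat any non-empty missing list as a failed key generation and repeat the procedure.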
Generate a Certificate Signing Request (CSR) for a Composite Key
A CSR for a composite key can be generated either from the Crypto Token tab or directly from the Status Summary view by clicking the Generate CSR button.

To generate a CSR for the composite key:

- Navigate to the Workers page in the Admin Web.
- Select the Crypto Worker to be used, such as CryptoTokenP12 or CryptoTokenP11NG1.
- In the worker view, click Generate CSR.
- Enter the key alias under Key.
- Select MLDSA87-RSA3072-PSS-SHA512 from the drop-down under Signature Algorithm.
- Enter a common name under DN, such as CN=MyOrg.
- Click Generate.
- Click the Download button under the Result label to download the .p10 CSR file.