Learn how to set up a post-quantum PKI with a Root CA and an issuing Sub CA using the NIST candidate algorithm Dilithium.

The migration to post-quantum cryptography will be the largest cryptographic transition undertaken and will affect every application that uses asymmetric encryption today, that is, all applications using one of the RSA, EC, or Ed algorithms since these could all be broken by a cryptographically relevant quantum computer (CRQC), if one can ever be built. NIST has initiated a Post-Quantum Cryptography Standardization process to evaluate and standardize quantum-resistant public-key cryptographic algorithms. Even though the standard for these algorithms has not been finalized yet, you can begin testing the candidate algorithms to see how they behave and prepare for the migration. Note however that these candidate implementations are useful for experimentation and testing but not suitable to be used in production.

Follow this tutorial to create a basic PKI hierarchy with a Root CA, the trust anchor, and a Sub CA that is the issuing CA that will be used to issue a signing certificate for code signing in the follow-up tutorial SignServer Post-Quantum signing.

In this tutorial, you will learn how to:

  • Create certificate profiles for a Root CA and a Sub CA
  • Create Crypto Tokens with Dilithium 2 and Dilithium 3 keys used for CA signing keys
  • Create a Root CA using the Dilithium 3 signature algorithm
  • Create a Sub CA, signed by the Root CA, using the Dilithium 2 signature algorithm

Prerequisites

Before you begin, you need Docker running in the background. To download and install, refer to the Docker documentation.

You also need a running EJBCA 8 instance where you can create new crypto tokens and CAs. The EJBCA instance must use certificate-based authentication for access to the Admin UI, see the guide Start EJBCA Container with Client Certificate Authenticated Access to learn how to start an EJBCA Community container with client certificate authenticated access. The client certificate is also used to access SignServer in the follow-up tutorial SignServer Post-Quantum signing.

Step 1 - Create certificate profiles

The first step towards creating a CA hierarchy is to create certificate profiles for the Root CA and Sub CA. The certificate profile defines the constraints of new certificates, for example, what keys it can use, and what the extensions will be. For an introduction to certificate profiles, see the Certificate Profiles Overview.

Create Root CA certificate profile

The following provides steps for creating a simple Root CA certificate profile by cloning the default ROOTCA certificate profile. For tutorials on how to create more production-like profiles, see for example Create your first Root CA using EJBCA.

To create a certificate profile for creating the Root CA in a later step, do the following:

  1. In EJBCA, under CA Functions, click Certificate Profiles.
    The Manage Certificate Profiles page displays a list with default profiles.
  2. Click Clone next to the ROOTCA template to use that as a basis for creating your new Root CA profile.
  3. Specify a Name of new certificate profile, such as MyPQCRootCAProfile, and click Create from template.
  4. To edit the profile values to fit your needs, find the newly created MyPQCRootCAProfile displayed in the list and click Edit.
  5. On the Edit page, update the following to use Dilithium keys:
    • For Available Key Algorithms, select Diithium3.
    • For Signature Algorithm, verify that Inherit from Issuing CA is selected.
    • For Validity or end date of the certificate, specify 30y.
    • Clear LDAP DN Order.
  6. Click Save to store the Root CA certificate profile.

The newly created MyPQCRootCAProfile is displayed in the list of certificate profiles.

Create Sub CA certificate profile

To create a certificate profile for creating the Sub CA in a later step, do the following:

  1. On the EJBCA Manage Certificate Profiles page, click Clone by the SUBCA profile to create a new profile using that template.
  2. Name the new certificate profile MyPQCSubCAProfile, and click Create from template.
  3. To edit the profile values to fit your needs, find the newly created MyPQCSubCAProfile displayed in the list and click Edit.
  4. On the Edit page, update the following to use Dilithium keys:
    • For Available Key Algorithms, select Dilithium2.
    • For Signature Algorithm, verify that Inherit from Issuing CA is selected.
    • For Validity or end date of the certificate, specify 15y.
    • Clear LDAP DN Order.
  5. Click Save to store the Sub CA certificate profile.

The newly created MyPQCSubCAProfile is displayed in the list of certificate profiles.

Step 2 - Create crypto tokens for the Root CA and Sub CA

Next, you will create crypto tokens holding CA signing keys needed for creating the CAs in a later step.

Create Root CA crypto token

To create a soft Root CA crypto token and keys, follow these steps:  

  1. In the EJBCA menu, under CA Functions, click Crypto Tokens.

  2. Click Create new and specify the following on the New Crypto Token page:
    • Name: Specify a name for the Root CA crypto token, such as RootCAPQC.
    • Authentication Code: Enter a password to be used to activate the crypto token if the container is restarted. Remember this password.
  3. Click Save to create the Root CA crypto token.
  4. Next, generate three CA keys:
    • For the signKey, select Dilithium3, and then click Generate new key pair to create the keys.
    • Repeat to create a test key: name the key testKey, select Dilithium3 as the CA signing key is using, and then click Generate new key pair.
    • Last, repeat to create an internal encryption key: name the key encryptKey, select RSA2048, and then click Generate new key pair.

You have now created the Root CA crypto token and keys.

Create Sub CA crypto token

To create a soft Sub CA crypto token and keys, follow these steps:  

  1. In the EJBCA menu, under CA Functions, click Crypto Tokens.

  2. Click Create new and specify the following on the New Crypto Token page:
    • Name: Specify a name for the Sub CA crypto token, such as SubCAPQC.
    • Authentication Code: Enter a password for auto-activation.
  3. Click Save to create the Sub CA crypto token.
  4. Next, generate the same three keys for the Sub CA:
    • For the signKey, select Dilithium2, and then click Generate new key pair to create the keys.
    • Repeat to create a test key: name the key testKey, select Dilithium2 as the CA signing key is using, and then click Generate new key pair
    • Last, repeat to create an internal encryption key: name the key encryptKey, select RSA2048, and then click Generate new key pair. 

You have now created the Sub CA crypto token and keys.

Step 3 - Create Root CA

To create the Root CA, follow these steps:

  1. Click Certification Authorities under CA Functions.
  2. In the Add CA field, enter a name such as "PQCRootCA" and click Create.
  3. On the Create CA page, update the following:
    • Select the Root CA crypto token RootCAPQC (created earlier in Step 1 - Create Crypto Tokens for the Root CA and Sub CA) in the Crypto Token list.
    • For Signing Algorithm, select Dilithium3.
    • Note that the keys are mapped for their intended usages and the defaultKey, certSignKey, and testKey are automatically selected with the keys you created.
    • Under CA Certificate Data, specify the following:
      • Subject DN: Enter a subject DN,, such as "CN=PQC Root CA, O=PQC Lab, C=SE".
      • Signed By: Verify that Self Signed is selected.
      • Certificate Profile: Verify that MyPQCRootCAProfile is selected.
      • Validity: Specify 30y.
      • LDAP DN order: Clear Use.
  4. Click Create to create the Root CA.

The created Root CA is displayed in the list of CAs.

Step 4 - Create Sub CA

To create the Sub CA to be signed by the Root CA, follow these steps:

  1. Click Certification Authorities under CA Functions.
  2. In the Add CA field, enter a name such as “PQCSubCA” and click Create.
  3. On the Create CA page, update the following:
    • Select the Sub CA crypto token SubCAPQC (created earlier in Step 1 - Create Crypto Tokens for the Root CA and Sub CA) in the Crypto Token list.
    • For Signing Algorithm, select Dilithium2.
    • Note that the keys are mapped for their intended usages and the defaultKey, certSignKey, and testKey are automatically selected with the keys you created.
    • Under CA Certificate Data, specify the following:
      • Subject DN: Enter a subject DN,, such as "CN=PQC Sub CA, O=PQC Lab, C=SE".
      • Signed By: Select PQCRootCA to have it signed by the local Root CA.
      • Certificate Profile: Verify that MyPQCSubCAProfile is selected.
      • Validity: Specify 15y.
      • LDAP DN order: Clear Use.
  4. Click Create to create the Sub CA.

The created Sub CA is displayed in the list of CAs.

You have now created a two-tier public key infrastructure (PKI) hierarchy with a Root CA and subordinate CA.

Step 5 - View and download CA certificates

To view and download the CA certificates:

  1. Click CA Structure & CRLs under CA Functions.
  2. For the Root CA PQCRootCA, click View Certificate to view the SubCA certificate.
  3. For the Sub CA PQCSubCA, click View Certificate to view the SubCA certificate.
  4. To download the Management CA certificate in PEM format, click Download PEM file for the ManagementCA. You will need this when configuring SignServer.

The ManagementCA_cacert.pem file is downloaded and ready to be used in the next tutorial using SignServer.

Next steps

In this tutorial, you learned how to set up a PKI with a Root CA and an issuing Sub CA using the NIST Post-Quantum Cryptography (PQC) candidate algorithm Dilithium.

To learn how to sign data using the quantum-safe algorithm Dilithium, you can follow the tutorial SignServer Post-Quantum signing.

To find out more about post-quantum cryptography, see Post-Quantum Readiness.

Related Content