Post-Quantum Cryptography Timeline & Mandates: Why the Clock Is Ticking

Part of the Post-Quantum PKI Migration Guide

Executive Summary: Federal mandates require government agencies and contractors to complete post-quantum cryptography (PQC) migration by 2030-2035. NIST finalized quantum-safe algorithm standards in August 2024, making implementation requirements concrete. The "harvest now, decrypt later" threat means adversaries are already collecting encrypted data to decrypt once quantum computers exist—making data with long confidentiality requirements vulnerable today. Starting planning now is mandatory for regulated industries; recommended for everyone else.

For Decision Makers: Why This Matters Now

The Quantum Threat Is Real

Quantum computers capable of breaking current encryption (RSA, ECC) don't exist yet—but that's not the relevant question. The relevant question: Will quantum computers exist before your encrypted data loses value?

For most organizations: Email from 2024 has no value in 2040. Customer transactions from today are irrelevant in 2045. Current encryption (RSA-2048, ECC-256) is sufficient.

For some organizations: Healthcare records must remain confidential for 50+ years. Financial transactions create legal liability decades later. Government secrets have multi-generational confidentiality requirements.

The "Harvest Now, Decrypt Later" threat: Adversaries are collecting encrypted traffic today, storing it, and plan to decrypt it once quantum computers become available (estimated 2035-2045). If your data has value beyond 2035, it's vulnerable today.

Federal Mandates Create Hard Deadlines

NIST SP 800-208 (released 2024) establishes:

2025: Inventory Complete

All federal agencies must complete inventory of cryptographic systems
Identify systems using vulnerable algorithms (RSA, DSA, ECDSA, DH, ECDH)
Assessment of migration complexity and dependencies

2027: Migration Begins

Federal agencies begin deploying post-quantum algorithms
Priority: Systems handling classified or sensitive data
Government contractors must support hybrid certificates

2030: Classified Systems Complete

All systems handling classified information migrated to quantum-safe algorithms
Hybrid mode (classical + quantum-safe) acceptable during transition
Classical-only algorithms prohibited for new deployments

2035: Full Migration

All federal systems fully migrated, including legacy infrastructure
Classical algorithms completely phased out
Quantum-safe becomes default for all government PKI

Impact on private sector:

Government contractors: Must align with federal timeline (2027-2030)
Critical infrastructure (16 sectors): Expected regulation 2026-2028
Financial services: Industry regulations anticipated 2028-2032
Everyone else: No mandates yet, but algorithm transition inevitable

NIST Standards Are Finalized

In August 2024, NIST published final standards for post-quantum cryptography:

ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism)

Replaces: RSA and Diffie-Hellman for key exchange
Use case: TLS handshakes, secure key establishment
Status: Standardized, implementations available

ML-DSA (Module-Lattice-Based Digital Signature Algorithm)

Replaces: RSA and ECDSA for digital signatures
Use case: TLS certificates, code signing, document signatures
Status: Standardized, implementations available

SLH-DSA (Stateless Hash-Based Digital Signature Algorithm)

Replaces: RSA/ECDSA in high-security contexts
Use case: Root CAs, long-term signatures, firmware signing
Status: Standardized, conservative fallback option

What "standardized" means: These are no longer experimental. Commercial PKI vendors are implementing support. Applications can start testing compatibility. Migration planning can proceed with confidence in algorithm stability.

What it doesn't mean: These algorithms are guaranteed permanent. Cryptanalytic advances could weaken them. New quantum computing developments could accelerate threats. This is why crypto-agility matters more than algorithm choice.

Industry-Specific Timelines

Financial Services

Expected regulation: 2028-2030 (following federal lead by 3-5 years)
Driver: Long-term data retention requirements (7-10 years regulatory, 30+ years litigation)
Early movers: Major banks already planning (anticipating competitive advantage)

Healthcare

Expected regulation: 2028-2032
Driver: HIPAA confidentiality requirements (50+ year patient record retention)
Complexity: Medical devices with 10-15 year lifecycles must support PQC

Critical Infrastructure (Energy, Transportation, Communications, etc.)

Expected regulation: 2026-2028 (CISA coordination with NIST)
Driver: National security implications of quantum-vulnerable infrastructure
Challenge: Legacy industrial control systems with 20-30 year operational life

Technology & SaaS

No specific regulation expected
Driver: Customer requirements (especially government/financial services customers)
Competitive positioning: "Quantum-safe" as differentiator by 2026-2027

The Real Deadline: Algorithm Agility Infrastructure

Here's what most organizations miss: The deadline that matters isn't "when must we deploy PQC algorithms"—it's "when must we have infrastructure capable of deploying new algorithms quickly."

Why this matters:

If regulatory deadline is 2030 and you start infrastructure work in 2027:

2027-2029: Build automation, protocol abstraction, trust management (24 months)
2029-2030: Deploy PQC algorithms (12 months)
Result: Deadline met, but just barely, high stress

If you start infrastructure work in 2025:

2025-2027: Build automation at sustainable pace (24 months)
2027: Infrastructure ready, can deploy PQC anytime
2027-2030: Test thoroughly, gradual rollout, learn from early adopters
Result: Deadline met comfortably, low risk

The brutal truth: Organizations that can't renew certificates efficiently today won't be able to migrate to PQC on deadline. The infrastructure work is the long pole, not the algorithm work.

For Engineering Leaders: Planning Your Timeline

Realistic Enterprise Migration Timeline

Based on actual PKI transformations at Fortune 500 organizations:

Phase 1: Assessment & Discovery (6-12 months)

Months 1-3: Certificate Inventory

Network scanning for active TLS certificates
Application inventory for embedded certificates
Code signing and S/MIME certificate discovery
Typical finding: 3-5x more certificates than initially estimated

Months 4-6: Application Compatibility Assessment

Test applications against post-quantum certificates (larger sizes)
Identify legacy systems unable to parse PQC algorithms
Document dependencies (which apps trust which CAs)
Create decommission vs. upgrade decision matrix

Months 7-9: Infrastructure Capability Assessment

Evaluate current certificate enrollment processes (manual vs. automated)
Assess trust store management (embedded vs. centralized)
Review monitoring capabilities (can you see what's deployed?)
Gap analysis: what infrastructure changes needed?

Months 10-12: Strategy & Roadmap Development

Prioritization: which systems migrate first?
Vendor selection: which PQC-capable CAs to use?
Architecture decisions: protocol abstraction vs. vendor-specific
Budget and resource planning for 3-5 year effort

Phase 2: Infrastructure Modernization (12-18 months)

This is the critical phase most organizations underestimate.

Months 13-18: Protocol Abstraction Deployment

Deploy certificate enrollment infrastructure (ACME, SCEP, EST endpoints)
Migrate applications from manual/vendor-specific to protocol-based enrollment
Test rollback procedures and failure modes
Train teams on new operational procedures

Months 19-24: Trust Store Centralization

Build centralized trust store repository
Migrate applications to fetch roots from central source
Test trust store update propagation (how fast can you roll out new roots?)
Implement monitoring: which applications are using which roots?

Months 25-30: Automation & Monitoring

Certificate lifecycle automation (discovery, renewal, revocation)
CMDB integration for continuous inventory
Alerting for non-compliant configurations
Compliance reporting infrastructure

Phase 3: PQC Algorithm Deployment (12-24 months)

Months 31-36: Hybrid Certificate Testing

Deploy hybrid certificates (classical + PQC) in test environments
Application compatibility validation
Performance testing (PQC signatures are computationally heavier)
Identify and address compatibility issues

Months 37-48: Production Rollout (Gradual)

Low-risk systems first (dev/test, internal tools)
Medium-risk systems (employee-facing applications)
High-risk systems (customer-facing, revenue-critical)
Continuous monitoring for issues, quick rollback if needed

Months 49-54: Classical Algorithm Removal

Transition from hybrid to PQC-only certificates
Remove classical algorithms from trust chains
Final compliance validation
Audit evidence collection

Total Timeline: 42-54 months (3.5-4.5 years) for large enterprises

Can it be faster?

Organizations with existing automation: 30-36 months possible
Organizations starting from manual processes: 48-60 months realistic
Cutting corners creates risk: failed migrations cost more than extended timelines

Critical Path: What Determines Timeline

The gating factors aren't algorithms—they're organizational:

1. Application Migration Velocity (12-24 months)

How many applications need certificate enrollment changes?
How quickly can you test and deploy changes?
Change management overhead for each deployment?

Typical velocity: 20-40 applications per month for large organizations with mature DevOps. 5-10/month for organizations with heavyweight change management.

With 500 applications to migrate: 12-25 months at best.

2. Legacy System Handling (6-18 months)

Some systems can't support post-quantum (too old, vendor out of business)
Options: Upgrade, replace, isolate, or accept classical-only risk
Each decision requires business case, approval, implementation

Financial impact: $500K-$5M in unexpected legacy system upgrades/replacements.

3. Team Training & Expertise (6-12 months)

Current teams skilled in manual certificate processes
Need expertise in: ACME protocol, API-based automation, trust store management
Learning curve for new operational patterns

Underestimating this leads to failed automation attempts and reverting to manual processes.

4. Vendor Dependencies (3-12 months)

PKI vendor release cycles for PQC support
Application vendor updates for PQC compatibility
Hardware vendor firmware updates (load balancers, HSMs, network appliances)

You don't control vendor timelines—plan accordingly.

Milestone Planning

Realistic milestones for 2025-2030 timeline:

2025: Foundation Year

Q1: Complete inventory, identify scope
Q2: Infrastructure strategy finalized, vendor selection complete
Q3: Begin protocol abstraction deployment
Q4: First applications migrated to automated enrollment

2026: Infrastructure Year

Q1: 25% of applications using protocol-based enrollment
Q2: 50% migration complete
Q3: 75% migration complete, centralized trust stores operational
Q4: Infrastructure modernization complete, ready for algorithm deployment

2027: Testing Year

Q1: Hybrid certificates deployed to test environments
Q2: Non-production systems running hybrid certificates
Q3: Low-risk production systems migrated
Q4: Medium-risk production systems migrated

2028: Production Year

Q1: High-risk production systems begin hybrid migration
Q2: 50% production coverage with hybrid certificates
Q3: 75% production coverage
Q4: 90%+ coverage, final holdouts identified

2029: Optimization Year

Q1: Begin transition from hybrid to PQC-only
Q2: Performance optimization, cost reduction
Q3: Classical algorithm deprecation planning
Q4: PQC-only deployment to non-critical systems

2030: Completion Year

Q1: Critical systems migrated to PQC-only
Q2: Classical algorithms removed from all but isolated legacy
Q3: Compliance validation, audit evidence collection
Q4: Federal deadline met, migration complete

Technical Deep Dive: Standards & Implementation Status

For teams implementing PQC support

NIST PQC Algorithm Specifications

ML-KEM-768 (Key Encapsulation Mechanism - Recommended Parameter Set)

``` Public Key Size: 1,184 bytes Ciphertext Size: 1,088 bytes Shared Secret Size: 32 bytes Security Level: NIST Level 3 (equivalent to AES-192) Performance (modern CPU): - Key Generation: ~30 microseconds - Encapsulation: ~40 microseconds - Decapsulation: ~50 microseconds Comparison to RSA-2048: - Public key: 3.5x larger - Operations: 50-100x faster ```

Use in TLS: Replaces DHE/ECDHE in TLS 1.3 key exchange. Client and server establish shared secret for symmetric encryption.

Deployment consideration: Larger public keys may exceed MTU in some networks, requiring fragmentation. Test with network middleboxes (firewalls, proxies) to ensure compatibility.

ML-DSA-65 (Digital Signature Algorithm - Recommended Parameter Set)

``` Public Key Size: 1,952 bytes Signature Size: 3,309 bytes Security Level: NIST Level 3 (equivalent to AES-192) Performance (modern CPU): - Key Generation: ~100 microseconds - Signing: ~200 microseconds - Verification: ~100 microseconds Comparison to RSA-2048: - Public key: 6x larger - Signature: 10x larger - Verification: 2x faster ```

Use in certificates: This is what impacts your PKI. X.509 certificates use ML-DSA for CA signatures and TLS server certificates.

Deployment consideration: Certificate chains with 3 levels (root → intermediate → leaf) using ML-DSA-65 will be ~12KB instead of ~4KB with RSA. This affects:

TLS handshake size (more packets, slower on high-latency links)
Certificate storage (browsers, applications cache certificates)
OCSP responses (include certificate chain, will be larger)

SLH-DSA-128f (Stateless Hash-Based Signature - Fast Variant)

``` Public Key Size: 32 bytes Signature Size: 17,088 bytes Security Level: NIST Level 1 (equivalent to AES-128) Performance (modern CPU): - Key Generation: ~1 millisecond - Signing: ~2 milliseconds - Verification: ~500 microseconds Comparison to ML-DSA-65: - Public key: 60x smaller - Signature: 5x larger - Signing: 10x slower ```

Use case: Root CAs and long-term signatures where signing performance doesn't matter but conservatism does. SLH-DSA is based on hash functions (SHA-256), which are extremely well-understood. If lattice-based cryptography (ML-DSA) is broken by cryptanalytic advance, SLH-DSA provides fallback.

Deployment consideration: 17KB signatures are impractical for TLS (would break many systems). Use for offline signatures only: root CA certificates, code signing, document signing.

Hybrid Certificate Formats

During transition, organizations deploy hybrid certificates containing both classical and post-quantum algorithms. This ensures compatibility with legacy systems while providing quantum-safe protection.

X.509 Hybrid Certificate Extension:

``` Certificate: Signature Algorithm: hybrid-rsa2048-ml-dsa-65 Public Key Algorithm: hybrid-rsa2048-ml-kem-768 Subject Public Key Info: Classical Component: Algorithm: RSA-2048 Public Key: [256 bytes] Post-Quantum Component: Algorithm: ML-KEM-768 Public Key: [1,184 bytes] Signature: Classical Signature (RSA-PSS): [256 bytes] Post-Quantum Signature (ML-DSA-65): [3,309 bytes] ```

Total hybrid certificate size: ~8-10KB (vs. ~2KB for RSA-only)

Verification process: Application must verify BOTH signatures. Certificate is valid only if:

Classical signature validates correctly
Post-quantum signature validates correctly
Both signatures cover same certificate content

Compatibility strategy:

Legacy applications: Verify classical signature only, ignore PQC (graceful degradation)
Modern applications: Verify both signatures, reject if either fails
Quantum-safe only: Some applications may choose to reject if PQC signature missing

Deployment timeline:

2025-2027: Deploy hybrid certificate capability
2027-2030: Transition applications to hybrid certificates
2030-2033: Remove classical signatures, PQC-only
2033+: Classical algorithms fully deprecated

Commercial PKI Vendor Support

Status as of December 2024:

DigiCert

ML-KEM/ML-DSA support: Beta (Q1 2025 GA expected)
Hybrid certificates: Supported
API access: Available for testing
Timeline: Production-ready Q2 2025

Sectigo

ML-KEM/ML-DSA support: Preview
Hybrid certificates: Development
Timeline: GA expected Q3 2025

GlobalSign

ML-KEM/ML-DSA support: Planned Q2 2025
Hybrid certificates: Roadmap item
Timeline: GA expected Q4 2025

Microsoft AD CS

PQC support: No official timeline announced
Hybrid certificates: No public roadmap
Community speculation: 2026-2027 based on federal requirements

AWS Private CA

ML-DSA support: Preview program (December 2024)
API support: boto3 updates in progress
Timeline: GA expected Q1-Q2 2025

Google Certificate Authority Service

PQC support: No official announcement
Hybrid certificates: Under development
Timeline: Unknown

Open source (OpenSSL, BoringSSL)

ML-KEM support: Experimental branches available
ML-DSA support: Patches available, not yet mainline
Production readiness: 12-18 months minimum

Reality check: Even when vendors announce "support," expect:

6-12 months of stability improvements
Client library updates lagging server support
Documentation gaps requiring trial-and-error
Early adopter debugging and issue reporting

Don't plan production deployment immediately after vendor GA announcement. Allow 6-month stabilization period.

Performance Impact Assessment

Certificate chain size impact (TLS handshake):

``` RSA-2048 certificate chain: - Root CA cert: ~1.5 KB - Intermediate CA cert: ~1.5 KB - Leaf cert: ~1.5 KB - Total: ~4.5 KB ML-DSA-65 hybrid certificate chain: - Root CA cert: ~5 KB (hybrid) - Intermediate CA cert: ~5 KB (hybrid) - Leaf cert: ~5 KB (hybrid) - Total: ~15 KB PQC-only (future) certificate chain: - Root CA cert: ~4 KB (ML-DSA-65 only) - Intermediate CA cert: ~4 KB - Leaf cert: ~4 KB - Total: ~12 KB ```

Impact on TLS handshake:

``` Network: 100 Mbps connection (typical enterprise) RSA-2048 cert transmission: ~0.36 milliseconds ML-DSA hybrid cert transmission: ~1.2 milliseconds Added latency: ~0.84 ms per handshake Network: 4G mobile (20 Mbps typical) RSA-2048 cert transmission: ~1.8 milliseconds ML-DSA hybrid cert transmission: ~6 milliseconds Added latency: ~4.2 ms per handshake Impact: Negligible on modern networks, noticeable on slow mobile connections ```

CPU impact (signature verification):

``` Modern server CPU (Intel Xeon, AMD EPYC): RSA-2048 verify: ~0.5 ms ML-DSA-65 verify: ~0.1 ms Impact: 5x faster (PQC wins) Mobile device (ARM-based smartphone): RSA-2048 verify: ~2 ms ML-DSA-65 verify: ~0.5 ms Impact: 4x faster (PQC wins) IoT device (Cortex-M microcontroller): RSA-2048 verify: ~50 ms ML-DSA-65 verify: ~5 ms (with optimized implementation) Impact: 10x faster (PQC wins significantly) ```

Counterintuitive result: Post-quantum signatures verify FASTER than RSA on most hardware. The larger certificate size is offset by faster verification.

Real bottleneck: Network transmission, not CPU. Organizations with high-latency connections (satellite, remote offices) should test hybrid certificates early.

Compatibility Testing Checklist

Before production deployment, test PQC certificates against:

TLS Clients:

[ ] Web browsers (Chrome, Firefox, Safari, Edge)
[ ] Mobile browsers (iOS Safari, Android Chrome)
[ ] CLI tools (curl, wget, openssl s_client)
[ ] Programming language libraries (Python requests, Java HttpClient, Go net/http)
[ ] Legacy clients (IE11, old Android/iOS versions)

Network Middleboxes:

[ ] Firewalls (inspect-and-decrypt TLS)
[ ] Proxies (corporate web filtering)
[ ] Load balancers (TLS termination)
[ ] WAF (Web Application Firewalls)
[ ] DDoS mitigation (Cloudflare, Akamai)

Certificate Validation:

[ ] OCSP responders (can they sign responses with PQC?)
[ ] CRL distribution (do PQC CRLs exceed size limits?)
[ ] Certificate Transparency logs (do they support PQC?)
[ ] Trust store management (can systems load larger certificates?)

Application-Specific:

[ ] Email clients (S/MIME with PQC)
[ ] Code signing tools (can they verify PQC signatures?)
[ ] VPN clients (certificate-based authentication)
[ ] IoT devices (can they parse larger certificates?)

Common failure modes discovered during testing:

Network appliances with hardcoded 4KB certificate buffer (crash on 15KB hybrid cert)
OCSP responders exceeding HTTP header size limits with large signatures
Mobile apps with aggressive timeouts failing on slower PQC handshakes
Legacy Java applications unable to parse unknown signature algorithms

Testing strategy: Start with non-critical systems (internal tools, dev environments) and gradually expand. Maintain classical-only fallback for quick rollback.

Common Questions

"When will quantum computers actually break RSA?"

Honest answer: We don't know. Estimates range from 2035 to "never."

NIST's working assumption: 10-15 years (2035-2040) for quantum computers capable of breaking RSA-2048 in practical timeframes (hours to days). But:

Optimistic scenario: Breakthrough in quantum error correction could accelerate timeline to 2030-2032.

Pessimistic scenario: Fundamental physics limitations may prevent large-scale quantum computers from ever being practical.

Risk management perspective: If there's 20% chance of 2035 and 80% chance of "never," is that acceptable risk? Depends on:

Value of data being protected
Cost of migration vs. cost of breach
Regulatory requirements

For most organizations: PQC migration is driven by mandates, not imminent quantum threat.

"Can we just wait for better algorithms?"

What "better" means:

Smaller signatures (ML-DSA-65 at 3.3KB is large)
Faster operations (ML-DSA is already fast enough)
Higher security levels (ML-DSA-87 exists for extra paranoia)
Different security assumptions (alternatives to lattice-based crypto)

Will better algorithms appear? Probably yes, over next 10-20 years.

Does waiting make sense? No, because:

Federal/industry mandates don't wait for perfect algorithms
Building crypto-agility infrastructure takes 2-3 years regardless
With crypto-agility, switching to "better" algorithms is easy later

Strategy: Build infrastructure now (protocol abstraction, automation, monitoring). Deploy NIST algorithms to meet compliance. Switch to "better" algorithms when available—which will be trivial if you built crypto-agility.

"What about quantum key distribution (QKD)?"

What it is: Use quantum mechanics properties to establish encryption keys with provable security against quantum computers.

Why it's not relevant for most organizations:

Requires specialized fiber optic infrastructure (can't go over internet)
Range limited to ~100km without quantum repeaters (which don't exist yet)
Extremely expensive ($500K+ per link)
Doesn't solve authentication problem (still need digital signatures)

Where it might be used:

Government/military secure facilities
High-security data centers
Bank-to-bank private connections

For everyone else: PQC algorithms (ML-KEM for key exchange, ML-DSA for signatures) are the practical solution.

"Do we need PQC for internal certificates?"

Depends on threat model:

Public-facing TLS certificates: Yes, because:

Adversaries can intercept traffic and store it
"Harvest now, decrypt later" threat applies
Compliance requirements will mandate it

Internal certificates (intranet, private networks): Maybe, because:

If adversary has network access to intercept internal traffic, you have bigger problems
But: insider threat exists, contractors/vendors may have access
Regulatory requirements may not distinguish internal vs. external

Device certificates (IoT, client authentication): Depends, because:

Long-lived devices (10+ year lifecycle) should use PQC
Short-lived devices (<5 years) may not need immediate PQC

Code signing certificates: Yes, because:

Signed code may be used for decades
Breaking signature allows malware insertion
High value target for sophisticated adversaries

S/MIME email certificates: Depends, because:

Email archives may be stored indefinitely
But most email has short-term confidentiality requirements
High-security organizations should use PQC

Risk-based approach: Prioritize PQC for certificates protecting long-term confidentiality or high-value targets. Internal, short-lived certificates can wait.

Getting Started

Immediate Actions (Next 30 Days)

Determine regulatory applicability
- Are you subject to federal mandates? (Government contractor, critical infrastructure)
- What's your industry's expected timeline? (Financial 2028-2030, Healthcare 2028-2032)
- Do you handle data with long confidentiality requirements?
Complete initial inventory
- Scan public-facing TLS certificates (use SSL Labs, crt.sh, or network scanners)
- Identify certificate-issuing authorities (how many CAs are you using?)
- Estimate certificate count (start with low-hanging fruit: TLS, code signing)
Assess current automation level
- How are certificates requested today? (Manual web forms, API, or protocols)
- How are trust stores managed? (Embedded in apps, OS-level, or centralized)
- Do you have certificate monitoring? (Expiration alerts, compliance checks)

90-Day Planning Objectives

Complete crypto-agility assessment
Develop 3-5 year roadmap with realistic milestones
Build business case for infrastructure investment ($800K-$2.5M for large enterprises)
Begin vendor discussions about PQC support timelines

Long-Term Success Criteria

2025-2026: Infrastructure foundation

Protocol-based enrollment operational (ACME, SCEP, EST)
Certificate discovery and monitoring implemented
Team trained on automation procedures

2027-2028: Algorithm deployment capability

Hybrid certificates tested and validated
Application compatibility issues identified and resolved
Compliance reporting infrastructure operational

2029-2030: Production migration

Federal deadline met (if applicable)
Industry regulations satisfied
Classical algorithms deprecated

Post-2030: Crypto-agility proven

Next algorithm change takes weeks, not years
Infrastructure investment paid off
Organization ready for ongoing cryptographic evolution

Want Expert Assessment?

We've helped Fortune 500 enterprises and major financial institutions plan PQC migration while building crypto-agile infrastructure that eliminates vendor lock-in.

What we provide:

Regulatory timeline assessment (which mandates apply to you?)
Crypto-agility readiness evaluation (can you migrate on deadline?)
Realistic timeline and budget planning (3-5 year roadmap)
Infrastructure-first strategy (build automation, then deploy algorithms)

What makes us different:

Experience from actual implementations (not theoretical)
Infrastructure focus (algorithm choice is secondary)
Customer owns everything (CertBridge deployed in your AWS account)
Post-quantum ready (hybrid certificate support operational)

We'll tell you honestly whether you need to start now, or if you have time to plan more deliberately.

Related Resources

PQC Migration Guide

Complete overview

PKI Implementation Guide

Crypto-agility evaluation

References

National Institute of Standards and Technology. (2024). FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard.
National Institute of Standards and Technology. (2024). FIPS 204: Module-Lattice-Based Digital Signature Standard.
National Institute of Standards and Technology. (2024). FIPS 205: Stateless Hash-Based Digital Signature Standard.
NIST. (2024). SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes.
National Security Agency. (2022). Quantum Computing Cybersecurity Preparedness.
Mosca, M. (2018). Cybersecurity in an Era with Quantum Computers. Institute for Quantum Computing.