PKIaaS customers can test the algorithms listed in the post-quantum (PQ) cryptography standard of the National Institute of Standards and Technology (NIST).
https://www.nist.gov/programs-projects/post-quantum-cryptography
Specifically, Entrust provides a "PQ Lab" experimental sandbox region for creating CA hierarchies (root CA + issuing CA). This region has the limitations described in the following table.
| Feature | PQ Lab limitations |
|---|---|
| Key generation mechanism | Post-quantum keys are generated with the liboqs open-source software library (https://openquantumsafe.org/liboqs); RSA and ECDSA keys are generated in Entrust nShield HSMs. In future releases, PKIaaS will support post-quantum key generation using Entrust nShield HSMs. |
| PKIaaS Certificate Practice Statement and associated terms | Do not apply. |
| CA validity | A maximum of 6 months. |
| External CAs onboarding | Not supported. |
| Region and data availability | Not guaranteed. |
| Enrollment Gateway | Not supported. The PQ Lab region does not support customer-hosted (on-premises) or Entrust-hosted enrollment gateway features. |
| Licensing | CAs and certificates issued under the PQ Lab region consume the same CA and certificate licenses as in the US and EU regions. |
Entrust might rebuild the PQ Lab region from time to time to reflect the latest changes from the post-quantum standards initiatives. On these occasions, your data in this region might be destroyed. We do not recommend deploying post-quantum CAs and certificates to your production environment.
To test post-quantum algorithms with the PQ Lab region
- Make sure you have unused licenses to issue an online root CA/issuing CA and certificates.
- In the Region list, select PQ Lab (Experimental).
- In the Signing Key Details list, select a post-quantum algorithm.
- Fill in the rest of the fields described in Creating an online root CA.
- Follow the steps described in Creating an issuing CA under an online root CA.
- Create a certificate request, for example, using the openquantumsafe/oqs-ossl3 tool. Alternatively, you can copy one of the sample requests below.
  - Pure post-quantum algorithms
    - Dilithium2 (1.3.6.1.4.1.2.267.7.4.4)
    - Dilithium3 (1.3.6.1.4.1.2.267.7.6.5)
    - Dilithium5 (1.3.6.1.4.1.2.267.7.8.7)
    - Falcon-512 (1.3.9999.3.6)
    - Falcon-1024 (1.3.9999.3.9)
    - SLH-DSA-SHA2-128f-ipd (1.3.9999.6.4.13)
    - SLH-DSA-SHA2-128s-ipd (1.3.9999.6.4.16)
    - SLH-DSA-SHA2-192f-ipd (1.3.9999.6.5.10)
    - SLH-DSA-SHA2-192s-ipd (1.3.9999.6.5.12)
    - SLH-DSA-SHA2-256f-ipd (1.3.9999.6.6.10)
    - SLH-DSA-SHA2-256s-ipd (1.3.9999.6.6.12)
  - Explicit composite algorithms
The Certificate Authorities of the PQ Lab region can also issue RSA and ECDSA certificates; use your existing tools to generate requests for these certificates.
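Whichever tool produces the request, it is worth confirming before submission that its signature algorithm carries one of the PQ Lab identifiers listed above rather than a classical RSA/ECDSA OID or an identifier from a different draft. The following Python is an added example, not Entrust or Open Quantum Safe code: it reads the signatureAlgorithm OID directly from the DER CertificationRequest and maps it against the list; the function names are my own, and the three CSR skeletons embedded in it are constructed so the check runs offline and are not real signed requests.

```python
import base64
# OIDs exactly as listed above for the PQ Lab pure post-quantum sample requests.
PQ_LAB_OIDS = {
    "1.3.6.1.4.1.2.267.7.4.4": "Dilithium2",
    "1.3.6.1.4.1.2.267.7.6.5": "Dilithium3",
    "1.3.6.1.4.1.2.267.7.8.7": "Dilithium5",
    "1.3.9999.3.6": "Falcon-512",
    "1.3.9999.3.9": "Falcon-1024",
    "1.3.9999.6.4.13": "SLH-DSA-SHA2-128f-ipd",
    "1.3.9999.6.4.16": "SLH-DSA-SHA2-128s-ipd",
    "1.3.9999.6.5.10": "SLH-DSA-SHA2-192f-ipd",
    "1.3.9999.6.5.12": "SLH-DSA-SHA2-192s-ipd",
    "1.3.9999.6.6.10": "SLH-DSA-SHA2-256f-ipd",
    "1.3.9999.6.6.12": "SLH-DSA-SHA2-256s-ipd",
}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length octets that follow
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) into dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def csr_signature_algorithm(csr):
    """Return (dotted OID, PQ Lab name or None) for a PEM (str) or DER (bytes) CSR."""
    if isinstance(csr, str):  # drop the PEM armour lines and base64-decode the rest
        csr = base64.b64decode("".join(l for l in csr.splitlines() if not l.startswith("-----")))
    tag, body, _ = _read_tlv(csr, 0)  # CertificationRequest ::= SEQUENCE { info, sigAlg, sig }
    assert tag == 0x30, "CSR is not a DER SEQUENCE"
    _, _, pos = _read_tlv(body, 0)  # skip certificationRequestInfo
    _, alg_id, _ = _read_tlv(body, pos)  # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, ... }
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "algorithm field is not an OBJECT IDENTIFIER"
    dotted = decode_oid(oid)
    return dotted, PQ_LAB_OIDS.get(dotted)
# Constructed CSR skeletons (empty info, empty signature) so the check runs offline; not real signed requests. Third is sha256WithRSAEncryption.
SAMPLE_DILITHIUM3 = bytes.fromhex("30143000300d060b2b0601040102820b070605030100")
SAMPLE_FALCON512 = bytes.fromhex("300e3000300706052bce0f0306030100")
SAMPLE_RSA_SHA256 = bytes.fromhex("30143000300d06092a864886f70d01010b0500030100")
SAMPLE_FALCON512_PEM = "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % base64.b64encode(SAMPLE_FALCON512).decode()
```

The same check applies to an issued certificate by reading the outer Certificate SEQUENCE in the same way, since its second element is also an AlgorithmIdentifier.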
- Issue end-entity certificates using either:
  - Entrust Certificate Services Enterprise, as explained in Processing a Certificate Signing Request.
  - The API described in Accessing the CA Gateway API.
In the current version, PKIaaS does not support issuing post-quantum certificates in PKCS #12 format.