Post-quantum Lab experimental region

PKIaaS customers can test the algorithms listed in the post-quantum (PQ) cryptography standard of the NIST (National Institute of Standards and Technology).

https://www.nist.gov/programs-projects/post-quantum-cryptography

Specifically, Entrust provides a "PQ Lab" sandbox experimental region to create CA hierarchies (root CA + issuing CA). This region has the limitations described in the following table.

Feature

PQ Lab limitations

​Key generation mechanism

liboqs (https://openquantumsafe.org/liboqs) open-source software library for post-quantum keys; Entrust nShield HSMs for RSA and ECDSA keys. In future releases, PKIaaS will support post-quantum key generation using Entrust nShield HSMs.

PKIaaS Certificate Practice Statement and associated terms

Do not apply.

CA validity

A maximum of 6 months.

External CAs onboarding

Not supported.

Region and Data availability

Not guaranteed.

Enrollment Gateway

Not supported. The PQ Lab region does not support customer-hosted (on-premises) or Entrust-hosted enrollment gateway features.

Licensing

CAs and Certificates issued under the PQ Lab region consume the same CA and certificate licenses as in the US and EU regions.

Entrust might rebuild the PQ Lab region from time to time to reflect the latest changes from the post-quantum standards initiatives. On these occasions, your data in this region might be destroyed. We don't recommend deploying post-quantum CAs and certificates to your production environment.

To test post-quantum algorithms with the PQ Lab region

  1. Make sure you have unused licenses to issue an online root CA/issuing CA and certificates.

  2. In the Region list, select PQ Lab (Experimental).

    images/download/attachments/217352859/image-2023-9-12_17-37-21-version-1-modificationdate-1694518641966-api-v2.png

  3. Select a post-quantum algorithm in the Signing Key Details list.

  4. Fill in the rest of the fields described in Creating an online root CA.

  5. Follow the steps described in Creating an issuing CA under an online root CA.

  6. Create a certificate request, for example, using the openquantumsafe/oqs-ossl3 tool. Alternatively, you can copy one of the below sample requests.

    The Certificate Authorities of the PQ Lab region can also issue RSA and ECDSA certificates; use your existing tools to generate requests for these certificates.

  7. Issue end-entity certificates using either:

    In the current version, PKIaaS does not support issuing post-quantum certificates in PKCS #12 format.