In 2024 NIST finalized the first post-quantum cryptography (PQC) standards. Here's what they are, what they replace, and how to start using post-quantum signatures in certificates today.
Classical public-key algorithms (RSA, ECDSA) fall to Shor's algorithm on a large quantum computer. To get ahead of "harvest now, decrypt later," NIST ran a multi-year competition and standardized replacements built on problems believed to resist quantum attack (lattices and hash functions).
| Standard | Name | Basis | Notes |
|---|---|---|---|
| FIPS 204 | ML-DSA (was CRYSTALS-Dilithium) | Lattice | The primary, general-purpose choice. Parameter sets: ML-DSA-44, ML-DSA-65, ML-DSA-87. |
| FIPS 205 | SLH-DSA (was SPHINCS+) | Hash | Conservative, stateless, larger/slower signatures. Great when you distrust lattices. |
| Draft | Falcon (FN-DSA) | Lattice (NTRU) | Very compact signatures; more complex to implement safely. |
(For key encapsulation — the other half of TLS — the standard is ML-KEM, FIPS 203. This guide focuses on signatures, which is what CSRs and certificates use.)
PQC signatures are standardized, but public CAs and browsers don't broadly issue or trust PQC certificates yet, and signatures are kilobytes (vs bytes classically), which affects handshake size. So today PQC shines for:
Generate a hybrid pair: a classical CSR (RSA/ECDSA) that today's CA will sign, plus an ML-DSA CSR for the same identity to exercise your PQC path. PQCert does this in one click, so you migrate incrementally with zero downside.
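The hybrid pair described above can also be produced and checked with stock OpenSSL. This is an added example, not PQCert's code; it assumes OpenSSL 3.5 or later for the native `ML-DSA-65` algorithm name, and the subject, SAN and file names are constructed sample values.

```shell
#!/bin/sh
# Added example, not PQCert's code. ML-DSA needs OpenSSL 3.5+ (native support).
# SUBJECT and SAN are constructed sample values; file names are arbitrary.
SUBJECT="/CN=app.example.test"
SAN="subjectAltName=DNS:app.example.test"

# make_csr NAME ALG [PKEYOPT]: write $OUT/NAME.key (mode 0600) and $OUT/NAME.csr.
make_csr() {
    ( umask 077
      openssl genpkey -algorithm "$2" ${3:+-pkeyopt "$3"} -out "$OUT/$1.key"
    ) >/dev/null 2>&1 || return 1
    openssl req -new -key "$OUT/$1.key" -subj "$SUBJECT" -addext "$SAN" \
        -out "$OUT/$1.csr" >/dev/null 2>&1
}

# Subject plus SAN, as text, so two CSRs can be compared for identity.
csr_identity() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

csr_sigalg() { openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
csr_der_bytes() { echo $(( $(openssl req -in "$1" -outform DER | wc -c) )); }
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Returns 0 = hybrid pair written, 1 = classical CSR failed,
# 2 = this OpenSSL build has no ML-DSA, 3 = the two CSRs name different identities.
hybrid_pair() {
    OUT=$1
    make_csr classical EC ec_paramgen_curve:P-256 || return 1
    make_csr pqc ML-DSA-65 || return 2
    [ "$(csr_identity "$OUT/classical.csr")" = "$(csr_identity "$OUT/pqc.csr")" ] || return 3
}

WORK=$(mktemp -d)
rc=0; hybrid_pair "$WORK" || rc=$?
for f in "$WORK"/*.csr; do
    [ -f "$f" ] || continue
    csr_verify "$f" && ok=valid || ok=INVALID
    echo "$(basename "$f"): $(csr_sigalg "$f"), $(csr_der_bytes "$f") bytes DER, self-signature $ok"
done
[ "$rc" -ne 2 ] || echo "no ML-DSA in this OpenSSL; classical CSR only"
```

The per-file summary puts the size difference between the two CSRs side by side, which is the handshake-size cost mentioned above.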