What is this:

A post-quantum PKI for certificate issuing composed by the three finalist signature algorithms of the NIST Post-Quantum Cryptography Standardization:

• Dilithium
• Falcon
• SPHINCS+

The purpose of this application is to test and prototype a post-quantum PKI.
The certificates we issue are meant to be used for post-quantum web server authentication.

WE DO NOT RECOMMEND RELYING ON THESE CERTIFICATES IN A PRODUCTION ENVIRONMENT.
This application is at an experimental stage.

How to use it:

It generates post-quantum certificate of the selected algorithm and makes available for download:

• - PKCS#12 (password protected) file
• - Zip (password protected) file

Both of them come with the certificate itself and the corresponding private key.
The certificate purpose is server authentication for quantum-aware servers.
You can download the certificate of every entity of a certification path by clicking in it's box.

PKCS#12 Data Extraction

For data extraction out of this file, you'll need the OQS-OpenSSL_1_1_1.
Then you can run the following commands:

• Export private key:
  /oqs-openssl_executable_path pkcs12 -in bundle.pfx -nodes -nocerts -out 'your_key'.pem
• Export certificate:
  /oqs-openssl_executable_path pkcs12 -in bundle.pfx -clcerts -nokeys -out 'your_cert'.pem

How it works:

OQS-Openssl plays a huge role in our project, it's where the certificate generation itself happens.
The end-user certificate is signed by the Issuer CA with the corresponding post-quantum algorithm.
Each certificate path has it's own algorithm, and each entity of this path has a specific version of that algorithm according to it's security level needs.

No certificate nor user data is kept at our server.

All of our scripts are based on the Open Quantum Safe organization repositories: https://github.com/open-quantum-safe.