Post-quantum cryptography (PQC) is often discussed in terms of new algorithms, but the harder question is what those algorithms depend on. In many environments, that leads straight to PKI: the certificate infrastructure that underpins trust across users, devices, applications, and services. That makes it a natural next step after looking at the real-world impact of PQC.
PKI deserves attention in its own right. It is not a single product or protocol. It is the framework behind certificate issuance, validation, revocation, and trust distribution. As organisations start preparing for the quantum era, PKI becomes one of the areas that will take the most planning, the most testing, and the most time to update.
Public Key Infrastructure supports a large share of modern digital security. It sits behind TLS certificates, machine identity, VPN authentication, secure email, code signing, document signing, and a range of internal trust relationships that most users never notice. Since those foundations still rely heavily on RSA and elliptic-curve cryptography, the move to Post-Quantum Cryptography has direct consequences for how trust is established and maintained.
Why PKI is such a difficult part of the transition
Some parts of a PQC migration can be tackled as contained technical changes. PKI is different because it is embedded across the environment. Certificates are stored in browsers, operating systems, network appliances, identity platforms, applications, cloud services, and endpoint devices. They are tied to renewal cycles, trust stores, validation logic, and third-party interoperability.
That means PKI is not something most organisations can replace quickly. A change to certificate algorithms affects not just the issuer, but every system that generates, stores, presents, parses, validates, or relies on a certificate. The scale of that dependency is what makes PKI one of the longest-running parts of the post-quantum transition.
What changes in a post-quantum PKI model
At the centre of PKI is the digital certificate. Every certificate contains a public key and a signature from a trusted issuer. Today, those are generally based on RSA or ECC. In a post-quantum model, both eventually need to move to quantum-resistant alternatives.
That sounds straightforward, but it brings real operational consequences. New certificate algorithms mean new formats, different key and signature sizes, and new requirements for software and hardware that process certificates. This affects public-facing certificates, internal PKI, device certificates, code-signing certificates, and any other system built on certificate trust.
For many teams, the challenge is less about the theory of PQC and more about compatibility. Existing systems still need to work while new cryptographic models are introduced. That is where hybrid approaches come in.
Why hybrid certificates are likely to be the norm for some time
A full cutover from classical cryptography to PQC is not realistic in one step. Support will arrive at different speeds across platforms, products, and vendors. For that reason, hybrid certificates are likely to play a central role during the transition.
A hybrid certificate can combine classical and post-quantum elements so that different systems can use the parts they support. Older systems can continue relying on RSA or ECC for compatibility, while newer systems can begin using post-quantum keys or signatures. That allows organisations to start moving without forcing immediate replacement across the whole estate.
The trade-off is that hybrid support extends the migration window. Instead of a single change, organisations will have to manage a period where classical and post-quantum trust models coexist. Certificate policies, issuance workflows, validation behaviour, and interoperability all need to hold together during that period.
Certificate authorities also need to evolve
The transition does not stop at end-entity certificates. Certificate authorities (CAs) have to adapt as well.
CAs are responsible for issuing certificates, managing trust chains, and anchoring the hierarchies that systems depend on. In a post-quantum model, they need to support new algorithms, updated certificate profiles, and new approaches to trust distribution. During the transition, many are likely to operate in hybrid mode, maintaining compatibility with existing environments while preparing for quantum-safe trust chains.
This is where PKI becomes more than a cryptographic update. It is a change to the trust infrastructure. Roots, intermediates, enrolment workflows, lifecycle management, and validation behaviour may all need to evolve together. That makes PKI migration a strategic issue as much as a technical one.
Why this will take years, not months
PKI changes are rarely fast. Certificate lifetimes are long, trust anchors are widely distributed, and dependencies are often deeper than expected. Some systems can be updated quickly. Others depend on hardware, embedded software, legacy platforms, or third-party vendors that move far more slowly.
That is why PKI is likely to set the pace for the wider PQC journey. If the certificate infrastructure cannot move quickly, the services that depend on it cannot move quickly either. For many organisations, this makes PKI the main sequencing challenge in the transition to post-quantum security.
What organisations should focus on now
The first priority is visibility. Teams need to understand where certificates are used, which systems depend on them, how trust is distributed, and where RSA or ECC still sit at the core of identity or authentication processes.
That usually means looking beyond public web certificates. Internal PKI often supports Wi-Fi access, VPNs, machine identity, user authentication, administrative access, software signing, and onboarding workflows. In many cases, those internal dependencies are harder to untangle than the internet-facing ones.
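As an added example (not part of the original article), the Python below shows the core check a certificate inventory needs: reading the key and signature algorithm identifiers from a certificate's raw DER and flagging anything still on RSA or ECC. The OID tables are a small subset, the status labels are illustrative, and the sample is a constructed certificate-shaped skeleton rather than a validly signed certificate.

```python
# Added example (stdlib only); the OID tables are a small illustrative subset.
CLASSICAL = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
PQC = {f"2.16.840.1.101.3.4.3.{n}": f"ML-DSA-{p}" for n, p in ((17, 44), (18, 65), (19, 87))}

def children(buf, pos, end):
    """Return (tag, start, end) for each DER element between pos and end."""
    out = []
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated DER element")
        out.append((tag, pos, pos + length))
        pos += length
    return out

def alg_oid(buf, alg):
    """Dotted OID of an AlgorithmIdentifier element (its first child)."""
    _, s, e = children(buf, alg[1], alg[2])[0]
    arcs, val = list(divmod(buf[s], 40)), 0     # first byte packs two arcs (second arc < 40)
    for b in buf[s + 1:e]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                        # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify(der):
    """Name the key and signature algorithms and say whether the cert needs migrating."""
    cert = children(der, 0, len(der))[0]
    tbs, sig_alg, _ = children(der, cert[1], cert[2])
    # Drop optional [0] version: serial, sigAlg, issuer, validity, subject, SPKI remain.
    fields = [f for f in children(der, tbs[1], tbs[2]) if f[0] != 0xA0]
    spki = fields[5]
    key, sig = alg_oid(der, children(der, spki[1], spki[2])[0]), alg_oid(der, sig_alg)
    names = {**CLASSICAL, **PQC}
    if key in CLASSICAL or sig in CLASSICAL:
        status = "migrate"
    else:
        status = "pqc" if key in PQC and sig in PQC else "review"
    return {"key": names.get(key, key), "signature": names.get(sig, sig), "status": status}
# Constructed certificate-shaped DER (RSA key, sha256WithRSAEncryption), not validly signed.
SAMPLE_RSA = bytes.fromhex(
    "303f302da003020102020101300b06092a864886f70d01010b300030003000"
    "3010300b06092a864886f70d010101030100300b06092a864886f70d01010b030100")
```

A certificate with a post-quantum key but a classical issuer signature is still reported as "migrate", because the chain above it has not moved yet.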
The next step is testing. Organisations need to assess where hybrid certificate support exists, which platforms can handle new certificate formats, and where operational processes will need to change. Starting that work early creates room to plan a phased migration instead of reacting under pressure later.
Trust infrastructure becomes the real challenge
As the conversation around PQC becomes more practical, PKI stands out as one of the areas where the real complexity sits. Replacing algorithms is only part of the job. Updating the trust layer beneath certificates, identities, and signed systems is what will take sustained effort.
That is why PKI is likely to be one of the hardest parts of the post-quantum transition. It is deeply embedded, operationally sensitive, and slow to change, which is also why it needs attention now.