Our products

Stream
001

PKI

Sovereign Certificate Authority for enterprise-grade certificate issuance & management

ISSUE
Horizon
002

CLM

Certificate Lifecycle Management, discovery, governance & automation

MANAGE
003

DCV Automation

DNS-agnostic Domain Control Validation, ready for 47-day TLS certificates

VALIDATE
Talk to an expert View all integrations

Use Cases

TLS Server Certificates

Secure web traffic at scale

Certificate Inventory

Discover and track all certificates

DevOps Certificates

Automate for CI/CD pipelines

Email Encryption

S/MIME for enterprise email
View all use cases

Industries

Banking & Finance

Public Sector

Healthcare

Energy & Utilities

Aerospace & Defense
View all industries

Compliance

NIS2 Directive

EU cybersecurity obligations

DORA

Digital operational resilience

eIDAS 2.0

Electronic identification & trust

GDPR

Data protection & privacy

Cyber Resilience Act

EU product security regulation
View all regulations
Talk to an expert

Learn

Guide

50 articles

In-depth PKI guides and tutorials

Glossary

50+ terms

PKI & cryptography terminology

Education Center

Videos and learning resources

Whitepapers

In-depth technical resources

Tools & Insights

Crypto Decoder

Free

Decode and validate certificates

Blog & Insights

Cybersecurity trends and analysis

Newsroom

Company news and updates

Events & Community

Webinars

Expert-led sessions on PKI

Events & Conferences

Meet us worldwide

Media Kit

Logos and brand assets
Contact Sales Explore all resources
Blog Article

Post-Quantum Cryptography: Let's Encrypt implements Merkle Tree Certificates

June 26, 2026
6 min read
Expert Content

Published on

June 26, 2026

On 3 June 2026, Let's Encrypt announced how it will make the web's authentication layer quantum-safe. The plan centers on a new design called Merkle Tree Certificates. The technical details are interesting, but the practical message for anyone running certificates is simpler: the certificate layer is about to change underneath you, and how much that hurts depends on choices you make now.

Here is what happened and what it means.

The quantum threat just moved to authenticating identities

For years, post-quantum work focused on encryption. The logic: an attacker records your encrypted traffic today and decrypts it later once quantum computers are ready. Harvest now, decrypt later.

Authentication, the part of TLS that proves a server is who it claims to be, was treated as less urgent, because forging a signature requires a quantum computer to exist at the moment of attack, not years later.

That changed fast in 2026. In March, Google committed to migrating all its infrastructure to post-quantum cryptography by 2029, a year earlier than planned, citing research that lowered the estimated cost of breaking today's algorithms. New estimates put the cost of breaking the P-256 curve at around 10,000 qubits, far lower than the field assumed. Within two weeks, Cloudflare matched the 2029 target and put authentication first. Their framing was blunt: a data leak is bad, but a forged identity is catastrophic, because one quantum-vulnerable key becomes a way in.

When the two companies that handle a large share of internet traffic pick the same year, that year is a deadline.

Why the web can't just swap algorithms

The post-quantum signature schemes NIST standardized are secure but large. That is a real problem for TLS.

A typical TLS handshake carries five signatures and two public keys. Swap those for post-quantum equivalents and the handshake blows past 10 KB. Cloudflare's research shows that at that size, a meaningful share of connections fail outright on real networks, and the rest slow down.

The cost hits every connection, not the failures alone. More data, slower negotiation, worse experience, in exchange for protection against a threat that hasn't arrived. And defaults decide security at scale: a change that degrades every connection is one the web resists. This is why post-quantum authentication is so much harder to ship than post-quantum encryption.

Take control of your PKI infrastructure

See how Evertrust simplifies certificate lifecycle management.

Get Started

What Merkle Tree Certificates do

Merkle Tree Certificates solve the size problem by changing how certificates are signed.

Today a CA signs each certificate individually. An MTC authority signs certificates in batches, one signature per batch. Browsers track those batch signatures (called landmarks) separately from the handshake. The result: in the common case, the authentication inside a handshake shrinks to one signature, one public key, and one short proof. That is smaller than what the web carries today, even with post-quantum algorithms. When a browser's landmark is stale, it falls back to a slightly larger form.

There is a second benefit. Because every MTC certificate must belong to a published Merkle tree to exist, Certificate Transparency stops being bolted on afterward and becomes part of issuance itself.

This is not theoretical. Let's Encrypt has run the same append-only Merkle tree structure for its transparency logs since 2019. Cloudflare and Chrome are testing MTCs on live traffic, the IETF's PLANTS group is standardizing them, and Chrome has named them its preferred path. Let's Encrypt targets a staging environment in late 2026 and production in 2027.

The line in the announcement that matters most

The most important sentence in the Let's Encrypt post is almost a throwaway. Supporting MTCs, they note, means changes across their whole stack: issuance, the ACME protocol subscribers use, revocation, operational tooling, and transparency logs.

Want to master certificate management?

Browse our resources on PKI best practices.

Education Center

That is the real lesson. The new algorithm is the visible part. The plumbing that delivers it is the bigger part, and it is where the transition is won or lost.

So the question that matters for your organization is not which post-quantum algorithm your certificates will use. It is this: when the algorithms and formats change underneath you, how much manual work will it cost to keep up?

  • If certificates are obtained and renewed automatically over ACME, the change is mostly absorbed by machinery that already runs.
  • If they live in spreadsheets and get renewed by hand, you inherit the full weight of the change, one certificate at a time, while the industry moves at its fastest.

Commentary on the Google and Cloudflare news keeps making the same point: most organizations lack visibility into where cryptography lives, haven't identified their long-lived sensitive data, and have no crypto-agility built in. Without those basics, no deadline is reachable.

What to actually do now

Two things, in order.

Turn on post-quantum encryption today. Unlike authentication, it's ready. Any TLS connection without it is potentially being harvested right now. Enable hybrid post-quantum key exchange (X25519MLKEM768) at the server. Modern browsers and operating systems already support it. It needs no one else's cooperation.

Get your certificate estate automated and visible. Everything about the MTC transition rewards an estate that is already discovered, automated, and agile, and punishes one that isn't.

This is where Evertrust CLM fits. It runs as an ACME proxy (the same RFC 8555 protocol Let's Encrypt uses) and already connects to public authorities including Let's Encrypt, so it speaks the channel post-quantum certificates will arrive through. It discovers certificates across your estate, including ones no network scan finds. It already issues the post-quantum algorithms at the center of this shift, having added ML-DSA and SLH-DSA support in 2025, plus hybrid certificates. And it renews and reinstalls automatically, without the manual work that makes deep cryptographic change painful. As a European platform with EU data residency and ANSSI CSPN certification, it keeps that estate under European control through the transition.

The takeaway

The headline is a new certificate format. The real story is how a generational security change actually happens: years of quiet work beneath a surface that barely seems to move. The CAs are doing their part. Whether the shift reaches you as a smooth update or a scramble is mostly decided now, by how much of your certificate estate is automated, visible, and agile, long before the first post-quantum certificate is issued.

Was this helpful?
Back to blog

Table of Contents

Stay Updated

Get the latest PKI insights delivered to your inbox.

By subscribing you accept to receive our communications. You can unsubscribe at any moment.

Related Articles

Evertrust PQC

Are European enterprises ready for Post-Quantum Cryptography (PQC) migration? The gaps and the path forward

September 10, 2025
1 min

Explore why PQC adoption lags in Europe, the real blockers, and how to achieve quantum-safe security.

Read more
Evertrust PQC

NIST Releases New Post-Quantum Cryptography Standards

September 10, 2025
1 min

Discover NIST’s new Post-Quantum Cryptography standards (FIPS 203, 204, 205) and how Evertrust is preparing to integrate them for enhanced cybersecurity.

Read more
Evertrust ACME

ACME Clients on Linux

February 12, 2024
1 min

The ACME protocol is a network protocol designed to automate the process of domain validation, deliverance and renewal of X.509 certificates. The process is set up between an ACME server and an ACME client.

Read more
Get started

Ready to take back control over your certificates?

Talk to our experts and discover how Evertrust can help you implement best practices in PKI and certificate lifecycle management.

Talk to an expert