Quantum computers will eventually break the cryptographic algorithms that protect today's digital certificates. The organizations that survive this transition will be those that built crypto agility into their infrastructure before the deadline arrived.
The cryptographic algorithms that underpin today's digital certificates (RSA, ECDSA, ECDH) derive their security from mathematical problems that classical computers cannot solve efficiently. Factoring large integers and computing discrete logarithms would take billions of years on the fastest supercomputers we have today.
Quantum computers change this equation. A sufficiently powerful quantum computer running the right algorithm could break RSA and elliptic curve cryptography in hours or even minutes. This is not science fiction: governments and technology companies are investing billions in quantum computing research, and steady progress is being made year after year.
The question is not whether quantum computers will threaten current cryptography, but when. And because migrating an entire PKI to new algorithms takes years, organizations need to start preparing now. The ability to swap cryptographic algorithms quickly and smoothly is called crypto agility, and it is rapidly becoming a strategic priority for every organization that depends on digital trust.
Shor's algorithm, published by Peter Shor in 1994, can factor large integers and compute discrete logarithms in polynomial time on a quantum computer. This directly breaks RSA (which relies on integer factoring) and elliptic curve cryptography (which relies on the discrete logarithm problem). A sufficiently large quantum computer running Shor's algorithm would render every RSA and ECC key pair in existence completely insecure.
Grover's algorithm provides a quadratic speedup for searching unstructured data, which effectively halves the security level, measured in bits, of symmetric encryption algorithms like AES. An AES-128 key, which offers 128 bits of security against classical attacks, would offer only 64 bits of security against a quantum attacker. The practical mitigation is straightforward: double the key size. AES-256, which is already widely deployed, provides 128 bits of post-quantum security, which remains more than adequate.
You cannot migrate what you cannot find. The first step is building a comprehensive inventory of every certificate, key, and cryptographic dependency in your environment. This includes certificates on servers, in cloud services, embedded in applications, and used by IoT devices. For each asset, record the algorithm, key size, issuing CA, and expiration date. This inventory becomes your migration planning baseline.
Design your systems so that cryptographic choices are made in configuration, not in code. Use cryptographic libraries and frameworks that support algorithm negotiation and make it possible to change the algorithm a service uses by updating a configuration file rather than rewriting application logic. In PKI terms, this means using certificate management platforms that are algorithm-agnostic and can issue, deploy, and renew certificates regardless of whether they use RSA, ECDSA, ML-DSA, or a future algorithm not yet standardized.
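An added example (not code from this page or from any product it mentions) that combines the two steps above: a constructed inventory holding the recorded fields is checked against an algorithm policy kept as configuration data. The asset names, the policy keys, and the soonest-expiry ordering are assumptions of this example.

```python
import json

# Policy is data (inline JSON here, a config file in practice): approving a
# new algorithm or target is a configuration change, not a code change.
POLICY = json.loads("""{
  "shor_broken": {"RSA": "ML-DSA", "ECDSA": "ML-DSA", "ECDH": "ML-KEM"},
  "post_quantum": ["ML-DSA", "SLH-DSA", "ML-KEM"],
  "symmetric": ["AES"],
  "min_pq_bits": 128
}""")

# Constructed sample inventory (names, issuers and dates are made up).
INVENTORY = [
    {"name": "www.example.test", "algorithm": "RSA", "key_size": 2048,
     "issuer": "Example Issuing CA", "not_after": "2026-03-01"},
    {"name": "api.example.test", "algorithm": "ECDSA", "key_size": 256,
     "issuer": "Example Issuing CA", "not_after": "2025-11-15"},
    {"name": "pilot.example.test", "algorithm": "ML-DSA", "key_size": None,
     "issuer": "Example PQ CA", "not_after": "2026-06-30"},
    {"name": "legacy-device", "algorithm": "VENDOR-PROPRIETARY", "key_size": 1024,
     "issuer": "Example Device CA", "not_after": "2027-01-01"},
    {"name": "backup-volume-key", "algorithm": "AES", "key_size": 128,
     "issuer": None, "not_after": None},
    {"name": "db-volume-key", "algorithm": "AES", "key_size": 256,
     "issuer": None, "not_after": None},
]

def assess(asset, policy=POLICY):
    """Classify one asset and name the algorithm its renewal should use."""
    alg, size = asset["algorithm"], asset["key_size"]
    if alg in policy["shor_broken"]:  # broken by Shor at any key size
        return {"status": "vulnerable", "renew_as": policy["shor_broken"][alg]}
    if alg in policy["symmetric"]:
        ok = size // 2 >= policy["min_pq_bits"]  # Grover halves the strength
        target = None if ok else f"{alg}-{2 * policy['min_pq_bits']}"
        return {"status": "ok" if ok else "weak", "renew_as": target}
    if alg in policy["post_quantum"]:
        return {"status": "ok", "renew_as": None}
    return {"status": "review", "renew_as": None}  # unknown label: manual check

def migration_plan(inventory, policy=POLICY):
    """Assets that need action, soonest expiry first (no expiry sorts last)."""
    rows = [{**a, **assess(a, policy)} for a in inventory]
    rows = [r for r in rows if r["status"] != "ok"]
    return sorted(rows, key=lambda r: r["not_after"] or "9999-12-31")

if __name__ == "__main__":
    for row in migration_plan(INVENTORY):
        print(row["name"], row["algorithm"], row["status"], row["renew_as"])
```

Pointing RSA renewals at SLH-DSA instead of ML-DSA only requires editing the `shor_broken` entry in the policy data; `assess` and `migration_plan` stay unchanged.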
During the transition period, hybrid certificates offer a pragmatic path forward. A hybrid certificate contains both a classical signature (RSA or ECDSA) and a post-quantum signature (ML-DSA or SLH-DSA). Clients that support post-quantum algorithms verify the PQ signature; legacy clients fall back to the classical signature. This approach enables gradual migration without breaking backward compatibility. Multiple browser vendors and CA/Browser Forum working groups are actively developing standards for hybrid certificate issuance.
Formerly known as CRYSTALS-Kyber, ML-KEM is a lattice-based key encapsulation mechanism used for key exchange. It replaces the key agreement step in TLS and other protocols where two parties need to establish a shared secret. ML-KEM is fast and produces relatively compact keys and ciphertexts.
Formerly CRYSTALS-Dilithium, ML-DSA is a lattice-based digital signature algorithm. This is the primary replacement for RSA and ECDSA signatures in digital certificates. It will be used by Certificate Authorities to sign certificates and by end entities to prove identity. ML-DSA signatures are larger than their classical counterparts, which has implications for certificate size and network performance.
Formerly SPHINCS+, SLH-DSA is a hash-based digital signature algorithm. Unlike lattice-based schemes, its security relies solely on the well-understood properties of hash functions, making it a conservative backup option. The trade-off is larger signature sizes and slower performance compared to ML-DSA. SLH-DSA is recommended for scenarios where long-term security confidence is paramount and performance constraints are less critical.
Cryptographic inventory — Evertrust CLM discovers and catalogs every certificate in your environment along with its algorithm, key size, and issuing CA. This gives you the migration planning baseline you need to understand the scope of your post-quantum transition.
Algorithm-agnostic platform — Evertrust's architecture is designed to be algorithm-agnostic. As post-quantum algorithms are adopted by CAs and integrated into standards, Evertrust will support their issuance, deployment, and lifecycle management without requiring a platform overhaul.
Policy-driven migration — Define policies that flag certificates using deprecated algorithms and automatically route renewals toward approved post-quantum or hybrid configurations. Build a CLM strategy that includes crypto agility as a core requirement from day one.
Migration dashboards — Track your post-quantum migration progress with real-time visibility into which certificates have been migrated, which are in progress, and which still use vulnerable classical algorithms. Report on readiness to auditors and leadership with confidence.