Replies: 2 comments
-
Hey there, Starwal

Soooooo... that's a good question. Do you have a hybrid CSR that you're enrolling with? It might not be super clear from the docs, but server-generated keys don't work with hybrids, because there's no standardized format to pack hybrid keys into a P12 (yet, anyway). There's also no huge support for creating hybrid CSRs, but we've included a nifty tool in our CLI for it.

On the second question, that's a design constraint we chose. We figured that while you still might want to be able to produce legacy EE certificates (due to limited client support for creating hybrid CSRs or PQ keys in general), producing a legacy CA (which you control, after all) with its associated lifetime under a hybrid root is kind of a foot-gun. A legacy root would indeed not be able to sign a hybrid sub-CA, nor would doing so make any sense from a security standpoint =)

On reading – we do have the PQC Lab on our website, but recommended reading is of course the IETF's PQC for Engineers. In general I'd say it's good to keep an open mind about catalyst – personally I think it's the best PQC format just for its simplicity (which is kind of why we threw it into EJBCA), and while it has its uses (code signing comes to mind), the NSA's current recommendation is to focus on standing up new PQ roots rather than one of the hybrid schemes, so we'll see where that rolls.

Cheers,
-
We have also put up some nice tutorial videos at the Keyfactor Community YouTube channel. Most of them still say Dilithium instead of ML-DSA, but it works the same, and updates are on the way.
-
Hello,
I'm pretty new to EJBCA and I wanted to do some tests with PQC certificates.
I created a full PQC PKI hierarchy thanks to the Keyfactor tutorial, and I wanted to create a hybrid hierarchy with RSA 4098 and DILITHIUM5.
I also followed the Keyfactor tutorial and it seems to work well, but I have some questions about some PQC stuff.
I don't really understand why, because the Root CA and the Sub CA have it.
I read the doc many times but I don't understand... https://docs.keyfactor.com/ejbca/9.0/hybrid-ca
I watched the video tutorial again and there is the same result (the TLS cert doesn't have this extension), so I imagine that it's normal, but I don't understand why?
I'm talking here about something in the same doc that I don't understand well.
"
It is not possible to create a "normal" Sub CA (that is, a Sub CA with only one classic public key and one classic signing algorithm) under a hybrid Root CA.
It is not possible to create a hybrid Sub CA under a normal Root CA.
"
If the hybrid Root CA has both (traditional algo and PQC), why is it unable to issue a traditional Sub CA? Is it because of the 3 new extensions used in the catalyst format?
Also, the sentence only talks about classic algos; does it mean that a hybrid Root CA CAN issue a full PQC Sub CA? If yes, WHY can it do that for a full PQC Sub CA but not for a traditional Sub CA?
The strange thing is that I find the second sentence logical (It is not possible to create a hybrid Sub CA under a normal Root CA.). I imagine that it's because the traditional Root CA is not able to provide a PQC signature to the hybrid Sub CA?
So I imagine that a hybrid Sub CA cannot issue a traditional end-entity certificate and that we can only issue hybrid/full PQC certificates?
If someone has some explanations about that :)
Also, do you know some resources to read about PQC PKI?
Thank you very much,
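The question above turns on whether the three catalyst extensions are what distinguishes the hybrid CA certificates from the TLS end-entity certificate that lacks them. A quick way to answer that for any certificate you have in hand is to list the extension identifiers in its DER and check for the three alternative-signature extensions. The script below is an added example, not code from EJBCA or Keyfactor; it assumes the arcs id-ce 72/73/74 (subjectAltPublicKeyInfo, altSignatureAlgorithm, altSignatureValue) are the ones ITU-T X.509 (2019) clause 9.8 assigns to these extensions, uses only the Python standard library, and builds its sample Extensions blocks itself with placeholder bytes standing in for real ML-DSA keys and signatures.

```python
# Added example (not EJBCA/Keyfactor code): find X.509 extension OIDs in DER
# and flag the "catalyst" alternative-signature extensions.
# Assumption: id-ce 72/73/74 are the arcs ITU-T X.509 (2019) clause 9.8 uses.
import base64

CATALYST_OIDS = {
    "2.5.29.72": "subjectAltPublicKeyInfo",
    "2.5.29.73": "altSignatureAlgorithm",
    "2.5.29.74": "altSignatureValue",
}


# ---- minimal DER helpers: enough for OID, SEQUENCE, OCTET STRING, BOOLEAN ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (tag 0x06), base-128 sub-identifiers."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """DER OID contents (tag and length already stripped) -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # definite long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def collect_oids(der):
    """Every OBJECT IDENTIFIER reachable through constructed nodes.

    OCTET STRING is primitive, so the DER wrapped inside an extnValue is not
    entered: only extnIDs (plus algorithm OIDs outside the extensions) are seen.
    """
    found, pos = [], 0
    while pos < len(der):
        tag, body, pos = _read_tlv(der, pos)
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20:                   # constructed: SEQUENCE, SET, [n] EXPLICIT
            found.extend(collect_oids(body))
    return found


# ---- the check itself ----
def catalyst_extensions(der):
    """Names of the catalyst extensions whose extnID appears in the DER."""
    present = set(collect_oids(der)) & set(CATALYST_OIDS)
    return sorted(CATALYST_OIDS[o] for o in present)


def classify(der):
    names = catalyst_extensions(der)
    if len(names) == len(CATALYST_OIDS):
        return "hybrid"                    # all three present, as catalyst requires
    if not names:
        return "classic"
    return "partial"                       # malformed: the three only make sense together


def der_from_pem(pem_text):
    """Strip PEM armour so a certificate exported from the CA can be fed to classify()."""
    b64 = "".join(l.strip() for l in pem_text.splitlines()
                  if l.strip() and not l.startswith("-----"))
    return base64.b64decode(b64)


# ---- constructed sample input (not real certificates) ----
def build_extension(oid, value, critical=False):
    body = encode_oid(oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))


def build_extensions(exts):
    """[3] EXPLICIT Extensions, as it sits at the end of a TBSCertificate."""
    return _tlv(0xA3, _tlv(0x30, b"".join(exts)))


BASIC_CONSTRAINTS_CA = build_extension("2.5.29.19", bytes.fromhex("30030101ff"), critical=True)
CLASSIC_EXTS = build_extensions([BASIC_CONSTRAINTS_CA])          # classic CA: no alt extensions
HYBRID_EXTS = build_extensions([                                 # catalyst-style CA; extnValue
    BASIC_CONSTRAINTS_CA,                                        # bytes are placeholders only
    build_extension("2.5.29.72", b"\x30\x00"),
    build_extension("2.5.29.73", b"\x30\x00"),
    build_extension("2.5.29.74", b"\x03\x01\x00"),
])

if __name__ == "__main__":
    for label, der in (("classic", CLASSIC_EXTS), ("hybrid", HYBRID_EXTS)):
        print(label, "->", classify(der), catalyst_extensions(der))
```

To use it on a real certificate, pass `der_from_pem(open("cert.pem").read())` to `classify()`. The walker only reports presence: it does not descend into the OCTET STRING extnValue, so signature and key algorithm OIDs elsewhere in the certificate cannot produce a false match, and it says nothing about whether the alternative signature verifies, which needs an ML-DSA-capable verifier. A "partial" result means the certificate carries some but not all three extensions, which the catalyst scheme does not allow.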