AWS Private CA now supports post-quantum digital certificates

AWS Private CA ML-DSA Support

AWS Private Certificate Authority (AWS Private CA) now enables you to create certificate authorities (CAs) and issue certificates that use Module Lattice-based Digital Signature Algorithm (ML-DSA). This feature enables you to begin transitioning your public key infrastructure (PKI) towards post-quantum cryptography, allowing you to put protections in place now to protect the security of your data against future quantum computing threats.

ML-DSA is a post-quantum digital signature algorithm standardized by National Institute of Standards and Technology (NIST) as Federal Information Processing Standards (FIPS) 204. With this feature, you can now test ML-DSA in your environment for certificate issuance, identity verification, and code signing. You can create CAs, issue certificates, create certificate revocation lists (CRLs) and configure online certificate status protocol (OCSP) responders using ML-DSA.

Cryptographic relevant quantum computer (CRQC) will be able to break current digital signature algorithms, like Rivest–Shamir–Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA), which are expected to be phased out over the next decade.

What to do

• Create CAs and issue certificates using ML-DSA
• Configure OCSP responders and CRLs with ML-DSA
• Test ML-DSA in your environment for certificate issuance, identity verification, and code signing

Source: AWS release notes

If you need further guidance on AWS, our experts are available at AWS@westloop.io. You may also reach us by submitting the Contact Us form.