Post-Quantum Cryptography (PQC) Certificate Enrollment Guide

Introduction

SecureW2 now supports post-quantum cryptography (PQC), so you can issue certificates using quantum-resistant algorithms alongside classical ones. Classical algorithms such as RSA and ECDSA are used to issue certificates and authenticate users over RADIUS, but Cryptographically Relevant Quantum Computers (CRQCs) are expected to eventually break these algorithms, leaving your PKI vulnerable.

This guide explains how to configure PQC in the JoinNow Management Portal to issue quantum-safe certificates.

Prerequisites

The following prerequisites are required to configure PQC.

  1. An active subscription with the JoinNow Management Platform.
  2. PQC certificate signing requests (CSRs) are required to issue the certificate.

Creating a Root CA

A Root CA is the trust anchor that signs the intermediate CAs that issue certificates. When you create a Root CA, you can choose a classic key type (RSA or ECDSA) or a post-quantum key type (ML-DSA or SLH-DSA), which is what will be used in this guide. 

To create a root CA, perform the following steps:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Dynamic PKI > Certificate Authorities
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Root CA.
  6. For the Common Name field, enter a name.
  7. From the Key Type drop-down list, select the Post-Quantum cryptographic algorithm used to generate the Root CA’s key pair. There are two quantum-safe types: ML-DSA and SLH-DSA. Both are NIST-standardized algorithms designed to resist quantum-computer attacks.
  8. From the Parameter Set drop-down list, select the post-quantum parameter set used to generate the CA certificate key pair. This field appears only when ML-DSA or SLH-DSA is selected as the Key Type. A higher number indicates a stronger security level.
  9. In the Validity Period (in years) field, enter the validity period for the root CA in terms of the number of years.
  10. Click Save.

Creating an Intermediate CA

SecureW2 recommends using a new intermediate CA as a best practice for enrollments. When you create the intermediate CA, choose a classic key type (RSA or ECDSA) or a post-quantum key type (ML-DSA or SLH-DSA) to make it quantum-safe.

To create an intermediate CA, perform the following steps:

  1. Navigate to Dynamic PKI > Certificate Authorities
  2. Click Add Certificate Authority.
  3. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  4. From the Type drop-down list, select Intermediate CA
  5. From the Certificate Authority drop-down list, select the default Root CA included with your organization.
  6. For the Common Name field, enter a name.
  7. From the Key Type drop-down list, select the Post-Quantum cryptographic algorithm used to generate the Intermediate CA’s key pair. There are two quantum-safe types: ML-DSA and SLH-DSA. Both are NIST-standardized algorithms designed to resist quantum-computer attacks.
  8. From the Parameter Set drop-down list, select the post-quantum parameter set used to generate the CA certificate key pair. This field appears only when ML-DSA or SLH-DSA is selected as the Key Type. A higher number indicates a stronger security level.
  9. In the Validity Period (in years) field, enter the validity period for the Intermediate CA in terms of the number of years.
  10. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select the frequency interval for which a certificate expiration notification should be sent to users.
    2. Select the Notify user on successful Enrollment checkbox to notify users after a successful enrollment.
  11. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
      1. Since last usage – Select this checkbox to revoke the certificate after a specified number of days if it remains unused.
      2. Since certificate issuance – Select this checkbox to revoke the certificate after a specified number of days after it is issued.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked. 
      1. Certificate Hold
      2. AA Compromise
      3. Privilege Withdrawn
      4. Unspecified
  12. Click Save. This generates the new intermediate CA.

Creating a Certificate Template

A certificate template defines how information is encoded in the certificates issued by a Certificate Authority. It lists the certificate attributes and specifies how each attribute’s value is encoded. For a quantum-safe setup, the template also sets the Signature Algorithm that the CA uses to sign the certificate, including the Auto option for PQC-based CAs.

To create a certificate template, perform the following steps:

  1. Navigate to Dynamic PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, enter the name of the certificate template in the Name field.
  4. In the Subject field, retain the default value CN=${/auth/displayName:/device/identity:/csr/subject/commonname}
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. To override the Validity Period attribute, select the Override Validity Period checkbox and choose an end date from the date picker to set a hard-coded expiry date for a certificate.
  8. From the Signature Algorithm drop-down list, select Auto.
    NOTE: Auto is primarily for Post-Quantum Cryptography (PQC) CAs that don’t have a separate hash algorithm. In that case, selecting Auto applies a default signing algorithm.
  9. In the SAN section, use the default values.
  10. In the Extended Key Usage section, from the Use Certificate For list, select Client Authentication.
  11. Click Save.

Creating a Signing Certificate

On the Create Certificate page, you can create client certificates for end-user devices by specifying the parameters required for each certificate. 

To issue a quantum-safe certificate, use the Upload CSR option. The Create Certificate page currently doesn’t support PQC, so it can’t generate PQC key pairs. Instead, generate the PQC key pair and CSR externally, then upload the CSR to issue the certificate.

To create a signing certificate, perform the following steps:

  1. Navigate to Dynamic PKI > Create Certificate.
  2. In the Device Info section, from the Operating System drop-down list, select an operating system.
  3. In the User Description description, enter a description to identify the device associated with the certificate.
  4. In the MAC Address field, enter the device’s unique MAC address. 
  5. In the Certificate Signing Request section, select the Upload CSR option to create the client certificate by using an existing .csr file.
  6. In the CSR File field, click Choose file to upload the .csr file.
  7. In the Subject field, enter the common name of the certificate.
  8. In the Other Name field, enter the same value you entered in the Subject field.
  9. In the Certificate Issuance Policy section, from the Certificate Authority drop-down list, select the PQC intermediate CA you created earlier (see Creating an Intermediate CA).
  10. From the Use Certificate Template drop-down list, select the PQC certificate template you created earlier (see Creating a Certificate Template).
  11. Select the Include Entire Certificate Chain checkbox to include the entire certificate chain with the issued certificate. This is mandatory. 
  12. In the Distribution section, from the Format field, select the format for the issued certificate: PKCS7 or PEM.
  13. In the Receive via field, select how to receive the certificate:
    1. Download: Download the certificate directly.
    2. E-Mail: Send the certificate to the specified email address.
  14. After configuring the fields, click Create to issue the certificate.

Creating a Device Management Platform

The REST API Certificate Management Token authenticates and authorizes external systems that call the certificate management REST API. It provides access to all endpoints, enabling actions such as retrieving device, user, and MAC details, performing enrollments, and revoking certificates. To control the level of access, you can assign each token either Read-Only or Read-Write access.

To create a REST API Certificate Management Token, perform the following steps:

  1. Navigate to Integration Hub > Device Management Platforms.
  2. Click Add.
  3. In the Basic section, enter the device management platform name in the Name field.
  4. In the Description field, enter the description for the device management platform.
  5. From the Type drop-down list, select REST API Certificate Management Token to enroll a certificate using the REST API.
  6. In the Access field, select the access level for the token:
    1. Read-Only – The token can view items but cannot make changes.
    2. Read-Write – The token has full control, including viewing and modifying items.

      NOTE: Read-Only is the default for new tokens, and Read-Write is the default for existing tokens. You can change the access level at any time.
  7. Click Save. A .csv file containing the API secret and Enrollment URL is downloaded.

NOTE: Save the .csv file securely. This file is downloaded only once during token creation. If the file is lost, you cannot retrieve the token and secret.

Policy Management

This section describes how to configure the policies for certificate enrollment. In Policy Management, you define rules for each policy. You also choose the intermediate CA and certificate template used to issue certificates to users.

  1. Policy Workflow
  2. Enrollment policy

Creating a Policy Workflow

A Policy Workflow segments users and devices based on predefined criteria or their associated attributes and groups, with each segment defined as a distinct Policy Workflow. For each Policy Workflow, you can configure how PQC certificates are issued through the Enrollment Policy.

To create a policy workflow, perform the following steps: 

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Basic section, enter the name of the policy workflow in the Name field.
  4. In the Display Description field, enter a description for the policy workflow.
  5. Click Save. The page refreshes, and the Conditions tab is displayed.
  6. Select the Conditions tab.
  7. From the Core Provider drop-down list, select the API token you created in the Creating a Device Management Platform section.
  8. Click Update.

Creating an Enrollment Policy

An Enrollment Policy defines the client certificate template and the Certificate Issuer to be used for each Policy Workflow. It leverages the segmentation established in the Policy Workflow to ensure that the appropriate client certificate template is issued for each workflow.

To create an enrollment policy, perform the following steps:

  1. Navigate to Policy Management > Enrollment.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save. The page refreshes, and the Conditions and Settings tabs are displayed.
  6. Select the Conditions tab.
    1. From the Policy Workflow list, select the policy workflow you created earlier (see Creating a Policy Workflow).
    2. From the Device Role list, select DEFAULT DEVICE ROLE POLICY 1.
  7. Select the Settings tab.
    1. In the Settings section, from the Use Certificate Authority drop-down list, select the intermediate CA you created earlier (see Creating an Intermediate CA​).
    2. From the Use Certificate Template drop-down list, select the template you created earlier (see Creating a Certificate Template).
    3. In the other settings, retain the default values.
  8. Click Update.

NOTE: PQC CAs must be mapped only with the Auto Signature Algorithm. In the certificate template, set the Signature Algorithm to Auto; otherwise, a signature algorithm mismatch error occurs.

Deployment and Certificate Issuance

SecureW2 administrators can verify successful PQC certificate enrollment by navigating to Data and Monitoring > Enhanced Events in the JoinNow Management Portal.