Applied Post Quantum Cryptography: A Practical Approach for Generating Certificates in Industrial Environments
Nino Ricchizzi, Christian Schwinne, Jan Pelzl
TL;DR
The paper addresses the difficulty of migrating certificate-based identity management in industrial environments to post-quantum cryptography (PQC) by analyzing X.509 certificate structures and toolchains for classical, hybrid, composite, and chameleon formats. It identifies critical gaps in open-source CLI support and standardization, and presents a Bouncy Castle–based PoC that can generate and verify PQC-enabled certificates across multiple formats, aiming for headless operation on constrained industrial devices. The PoC demonstrates interoperability with standard X.509 workflows and provides a practical, extensible foundation for PQC migration research and industrial adoption, while comparing capabilities with OpenSSL-based approaches. Overall, the work offers a concrete reference implementation to spur standardization discussions and practical experimentation in PQC-enabled PKI for industrial onboarding.
Abstract
The transition to post-quantum cryptography (PQC) presents significant challenges for certificate-based identity management in industrial environments, where secure onboarding of devices relies on long-lived and interoperable credentials. This work analyzes the integration of PQC into X.509 certificate structures and compares existing tool support for classical, hybrid, composite, and chameleon certificates. A gap is identified in available open-source solutions, particularly for the generation and validation of hybrid and composite certificates via command-line interfaces. To address this, a proof-of-concept implementation based on the Bouncy Castle library is developed. The tool supports the creation of classical, hybrid (Catalyst), composite, and partially chameleon certificates using PQC algorithms such as ML-DSA and SLH-DSA. It demonstrates compatibility with standard X.509 workflows and aims to support headless operation and constrained platforms typical of industrial systems. The implementation is modular, publicly available, and intended to facilitate further research and testing of PQC migration strategies in practice. A comparison with OpenSSL-based solutions highlights current limitations in standardization, toolchain support, and algorithm coverage.
