Proof of Concept — This PKI is experimental. CA hierarchies may be regenerated as standards evolve. Best-effort availability for certificate lifetime.
Quantum Nexum PKI
Post-quantum certificate authority using ML-DSA (FIPS 204).
Architecture
Complete 3-tier hierarchy: 1 Root CA + 7 Policy CAs + 14 Issuing CAs = 22 CAs
Quantum Nexum Root CA ML-DSA-87 · Level 5 · 20yr
│
├── TLS Policy CA ML-DSA-65 · 10yr
│ ├── TLS Server Issuing CA 7yr · serverAuth
│ ├── TLS Client Issuing CA 7yr · clientAuth
│ └── TLS Hybrid Issuing CA 7yr · server+client
│
├── Code Signing Policy CA ML-DSA-65 · 10yr
│ ├── Code Signing Issuing CA 7yr · codeSigning
│ └── Timestamping Issuing CA 7yr · timeStamping
│
├── Document Signing Policy CA ML-DSA-65 · 10yr
│ └── Document Signing Issuing CA 7yr · Adobe PDF
│
├── S/MIME Policy CA ML-DSA-65 · 10yr
│ ├── S/MIME Signing Issuing CA 7yr · emailProtection
│ └── S/MIME Encryption Issuing CA 7yr · emailProtection
│
├── Device Policy CA ML-DSA-65 · 10yr
│ ├── Constrained Device Issuing CA 7yr · IoT/embedded
│ └── Standard Device Issuing CA 7yr · full device
│
├── Identity Policy CA ML-DSA-65 · 10yr
│ ├── Identity Basic Issuing CA 7yr · email verified
│ ├── Identity Medium Issuing CA 7yr · ID verified
│ └── Identity High Issuing CA 7yr · in-person + hardware
│
└── Hybrid Transition Policy CA Experimental · 10yr
  └── Hybrid Composite Issuing CA 7yr · ML-DSA+ECDSA
Repositories
Algorithms
- Signatures: ML-DSA-87 (root), ML-DSA-65 (subordinate/EE)
- Key Exchange: X25519MLKEM768 (hybrid), ML-KEM-768/1024 (pure PQ)
- Hash: SHA-384
Downloads
All downloads include SHA3-384 checksums for post-quantum integrity verification.
| File | SHA3-384 |
| qn-root-ca.crt | f3a7e52e2f69433fdc80505705b5f5c11c9a804a670fa14f8164e9eb56aecac07461057e35740c4d77c920cf82436f7d |
| qn-ca-bundle.crt | a550a1d437a6bee5bc16d81dd8a3b971b86bf94d98dd428bd9dd07067f1b8ba3d21c20b03f784396e29f0784506497c8 |
| qn-ca-bundle.p7b | b9062287b231ad93df16f357393902bcf790a9abedb663c45a970ae5ed9517b578be67fc83a6926b5641e9582c524394 |
SHA3-384SUMS | All CRLs
Verify Downloads
Verify file integrity using SHA3-384 (post-quantum secure hash):
# Download and verify
curl -O https://pki.quantumnexum.com/aia/qn-root-ca.crt
openssl dgst -sha3-384 qn-root-ca.crt
# Expected output:
SHA3-384(qn-root-ca.crt)= f3a7e52e...82436f7d
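The manual check above ends with comparing a 96-character digest by eye against a shortened expected value. The following added example (not part of the Quantum Nexum site or its tooling) checks all three downloads against the full digests from the Downloads table and rejects a truncated expected value; the function names and status labels are assumptions made here.

```python
import hashlib
import hmac
import sys
from pathlib import Path

# Full digests copied from the Downloads table on this page.
PUBLISHED_SHA3_384 = {
    "qn-root-ca.crt": "f3a7e52e2f69433fdc80505705b5f5c11c9a804a670fa14f8164e9eb56aecac07461057e35740c4d77c920cf82436f7d",
    "qn-ca-bundle.crt": "a550a1d437a6bee5bc16d81dd8a3b971b86bf94d98dd428bd9dd07067f1b8ba3d21c20b03f784396e29f0784506497c8",
    "qn-ca-bundle.p7b": "b9062287b231ad93df16f357393902bcf790a9abedb663c45a970ae5ed9517b578be67fc83a6926b5641e9582c524394",
}

def sha3_384_file(path, chunk_size=65536):
    """Stream a file through SHA3-384 and return the lowercase hex digest."""
    h = hashlib.sha3_384()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(directory, expected=PUBLISHED_SHA3_384):
    """Return {filename: "ok" | "mismatch" | "missing" | "bad-digest"}."""
    results = {}
    for name, want in expected.items():
        want = want.strip().lower()
        path = Path(directory) / name
        if len(want) != 96 or any(c not in "0123456789abcdef" for c in want):
            # Expected value is not a full SHA3-384 digest (e.g. "f3a7e52e...82436f7d").
            results[name] = "bad-digest"
        elif not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha3_384_file(path), want):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results

def all_verified(results):
    """Fail closed: an empty result set or any non-"ok" status is a failure."""
    return bool(results) and all(status == "ok" for status in results.values())

if __name__ == "__main__":
    results = verify_downloads(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, status in results.items():
        print(f"{status:10} {name}")
    sys.exit(0 if all_verified(results) else 1)
```

A match shows that each file equals what this page publishes. Because the digests come from this same page, it does not by itself authenticate the root certificate as a trust anchor.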
Inspect Certificate
Requires OpenSSL 3.5+ with OQS provider:
openssl x509 -provider oqsprovider -provider default \
-in qn-root-ca.crt -text -noout