Quantum Nexum PKI

Post-quantum certificate authority using ML-DSA (FIPS 204).

Architecture

Complete 3-tier hierarchy: 1 Root CA + 7 Policy CAs + 15 Issuing CAs = 23 CAs

DN Format: cn=...,ou=PQC,o=Quantum Nexum,dc=quantumnexum,dc=com
Generated: January 2026 | Root Algorithm: ML-DSA-87 | Policy/Issuing: ML-DSA-65
New in v3: Identity Medium Hardware CA (IAL2/AAL2 hardware, FPKI Medium Hardware aligned)

Quantum Nexum Root CA  ML-DSA-87 · Level 5 · 20yr
├── TLS Policy CA  ML-DSA-65 · 10yr
│   ├── TLS Server Issuing CA  7yr · serverAuth
│   ├── TLS Client Issuing CA  7yr · clientAuth
│   └── TLS Hybrid Issuing CA  7yr · server+client
├── Code Signing Policy CA  ML-DSA-65 · 10yr
│   ├── Code Signing Issuing CA  7yr · codeSigning
│   └── Timestamping Issuing CA  7yr · timeStamping
├── Document Signing Policy CA  ML-DSA-65 · 10yr
│   └── Document Signing Issuing CA  7yr · Adobe PDF
├── S/MIME Policy CA  ML-DSA-65 · 10yr
│   ├── S/MIME Signing Issuing CA  7yr · emailProtection
│   └── S/MIME Encryption Issuing CA  7yr · emailProtection
├── Device Policy CA  ML-DSA-65 · 10yr
│   ├── Constrained Device Issuing CA  7yr · IoT/embedded
│   └── Standard Device Issuing CA  7yr · full device
├── Identity Policy CA  ML-DSA-65 · 10yr
│   ├── Identity Basic Issuing CA  7yr · IAL1/AAL1 basic
│   ├── Identity Medium Issuing CA  7yr · IAL2/AAL2 software
│   ├── Identity Medium HW Issuing CA  7yr · IAL2/AAL2 hardware
│   └── Identity High Issuing CA  7yr · IAL3/AAL3 high
└── Hybrid Transition Policy CA  Experimental · 10yr
    └── Hybrid Composite Issuing CA  7yr · ML-DSA+ECDSA

Archived: December 2025 release. Superseded by v3 which adds Identity Medium Hardware CA for FPKI alignment.
DN Format: cn=...,ou=PQC,o=Quantum Nexum,dc=quantumnexum,dc=com
Difference from v3: 14 Issuing CAs (no Identity Medium Hardware CA)

Same CA hierarchy as v3, minus the Identity Medium Hardware Issuing CA.
All v2 certificates remain valid. New identity certificates requiring hardware tokens are issued under v3.

Archived: This PKI version is preserved for reference. CRLs are no longer being updated.
DN Format: C=US, ST=Texas, L=Sherman, O=Quantum Nexum, OU=PQC, CN=...
Generated: December 2025 | Root Algorithm: ML-DSA-87 | Policy/Issuing: ML-DSA-65

Quantum Nexum Root CA  ML-DSA-87 · Level 5 · 20yr
├── TLS Policy CA  ML-DSA-65 · 10yr
│   ├── TLS Server Issuing CA  ML-DSA-65 · 7yr
│   ├── TLS Client Issuing CA  ML-DSA-65 · 7yr
│   └── TLS Hybrid Issuing CA  ML-DSA-65 · 7yr
├── Code Signing Policy CA  ML-DSA-65 · 10yr
│   ├── Code Signing Issuing CA  ML-DSA-65 · 7yr
│   └── Timestamping Issuing CA  ML-DSA-65 · 7yr
├── Document Signing Policy CA  ML-DSA-65 · 10yr
│   └── Document Signing Issuing CA  ML-DSA-65 · 7yr
├── S/MIME Policy CA  ML-DSA-65 · 10yr
│   ├── S/MIME Signing Issuing CA  ML-DSA-65 · 7yr
│   └── S/MIME Encryption Issuing CA  ML-DSA-65 · 7yr
├── Device Policy CA  ML-DSA-65 · 10yr
│   ├── Device Standard Issuing CA  ML-DSA-65 · 7yr
│   └── Device Constrained Issuing CA  ML-DSA-44 · 7yr
├── Identity Policy CA  ML-DSA-65 · 10yr
│   ├── Identity Basic Issuing CA  ML-DSA-44 · 7yr
│   ├── Identity Medium Issuing CA  ML-DSA-65 · 7yr
│   └── Identity High Issuing CA  ML-DSA-65 · 7yr
└── Hybrid Transition Policy CA  ML-DSA-65 · 10yr
    └── Hybrid Composite Issuing CA  ML-DSA-65 · 7yr

v1 certificates available at pki.quantumnexum.com/v1/aia/ · CRLs at pki.quantumnexum.com/v1/crl/
These CRLs are archived and no longer being refreshed.

Downloads

All downloads include SHA3-384 checksums for post-quantum integrity verification.

File              SHA3-384
qn-root-ca.crt    53de238ff9cfdfb3430a0a0d23f34249af9ab0744ea348b78f27ce6cd9f073b4210a912e15516e1f086a8bc824529a0c
qn-ca-bundle.crt  3d95e7792aa8b426110c225f17df274369686e580806251b38a9be34374a468c87d5140f96f6480ea5bbe60376e543fd
qn-ca-bundle.p7b  7230f4ea8e0ae28fa343c733b9b666a477d9c3aa8ab596f03096dac64fc8b45f18d38fc3848c19e4a6c330fa0fe635ab


Verify Downloads

Verify file integrity using SHA3-384 (post-quantum secure hash):

# Download and verify
curl -O https://pki.quantumnexum.com/aia/qn-root-ca.crt
openssl dgst -sha3-384 qn-root-ca.crt

# Expected output:
SHA3-384(qn-root-ca.crt)= 53de238f...24529a0c

Inspect Certificate

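Requires OpenSSL 3.5+ (native ML-DSA support) or OpenSSL 3.x with the OQS provider. The command below loads the OQS provider; on OpenSSL 3.5+ the -provider options can be omitted: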

openssl x509 -provider oqsprovider -provider default \
  -in qn-root-ca.crt -text -noout

OID Reference

Quantum Nexum PKI uses the following Object Identifiers:

OID                      Description
1.3.6.1.4.1.56266        Ogjos Enterprise Arc (Base OID)
1.3.6.1.4.1.56266.1      Quantum Nexum PKI
1.3.6.1.4.1.56266.1.1    Root CA Policy
1.3.6.1.4.1.56266.1.2    TLS Policy
1.3.6.1.4.1.56266.1.3    Code Signing Policy
1.3.6.1.4.1.56266.1.4    Document Signing Policy
1.3.6.1.4.1.56266.1.5    S/MIME Policy
1.3.6.1.4.1.56266.1.6    Device Policy
1.3.6.1.4.1.56266.1.7    Identity Policy
1.3.6.1.4.1.56266.1.8    Hybrid Transition Policy

Certificate Profiles

Profile        Algorithm              Validity    Key Usage
Root CA        ML-DSA-87 (Level 5)    20 years    keyCertSign, cRLSign
Policy CA      ML-DSA-65 (Level 3)    10 years    keyCertSign, cRLSign
Issuing CA     ML-DSA-65 (Level 3)    7 years     keyCertSign, cRLSign
TLS Server     ML-DSA-65              3 years     digitalSignature, keyEncipherment
TLS Client     ML-DSA-65              3 years     digitalSignature
Code Signing   ML-DSA-65              3 years     digitalSignature
S/MIME         ML-DSA-65              3 years     digitalSignature, keyEncipherment