Post-Quantum Cryptography Testing

This section outlines the product configurations and specific testing steps needed to configure AD CS for post-quantum key creation and certificate signing.

Product Configurations

Entrust has successfully tested the integration of nShield HSMs with Microsoft Windows Server 2025 to create a post-quantum Certification Authority capable of signing certificates with an ML-DSA signing key.

Microsoft Windows Server   nShield HSM   nShield Security World Software   nShield Security World Firmware
2025                       Connect XC    13.9.5                            13.8.3
2025                       nShield 5c    13.9.5                            13.8.4

Supported nShield functionality

Feature            Support
Module-only key    Yes
Softcards          Yes
K-of-N card set    Yes
Key management     Yes
Mixed Estate       Yes

Testing Procedures

This section of the guide assumes the environment is set up using the procedures outlined earlier in this document within the Environment setup procedures and AD CS Procedures sections. The steps below only highlight the variations required for post-quantum testing; all other aspects follow the standard process.

The post-quantum environment setup process follows the standard procedure with the following differences:

  • During AD CS configuration (after AD CS installation), in the Cryptography for CA screen, select a post-quantum algorithm and provider pair such as ML-DSA:87#nCipher Security World Key Storage Provider.

    • The Key length field should default to 4096, although the value shown may vary depending on the selected provider. ML-DSA-87 is a fixed parameter set, so this field does not change the key that is generated.

    • The hash algorithm for signing certificates issued by this CA should be set to NoHash by default. ML-DSA signs the message directly, so no separate digest algorithm is selected.

    • Ensure the Allow administrator interaction when the private key is accessed by CA option is enabled. This allows the nShield passphrase prompt to appear when the CA key is protected by a softcard or an Operator Card Set.

      You will be able to verify your choices on the Confirmation screen of the AD CS Configuration window.
  • Certificate template creation for post-quantum environments largely follows the standard procedure, except for the following changes:

    • To access your template’s properties, run certtmpl.msc and then select your template. The Administrator template was used during testing.

    • You must ensure Key Storage Provider is selected in the Provider Category field.

    • In the Algorithm Name field, you need to select a post-quantum algorithm. For example, ML-DSA:87.

    • You must ensure that Requests must use one of the following providers is selected, and, in Providers, only nCipher Security World Key Storage Provider is selected.

  • After AD CS is configured and the post-quantum certificate is requested and enrolled, you can view the signed certificate and verify use of the post-quantum signing key as follows.

    1. Open certsrv.msc or the Certification Authority application.

    2. Navigate to Issued Certificates.

    3. Select the required certificate to display its information.

    4. Select Details and view the Signature algorithm field. It should display your PQC signing algorithm. This field reflects the CA's signing key; the algorithm of the enrolled subject key, as set in the template, is shown in the Public key field.
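The same checks can be scripted from an elevated PowerShell session on the CA host. The following script is an added example and is not part of the Entrust guide; it assumes the CA is configured as described above, that the post-quantum template is named Administrator (as in the test), and that the host has Windows Server 2025 PQC support so that the ML-DSA OIDs (2.16.840.1.101.3.4.3.17, .18 and .19 for ML-DSA-44, -65 and -87 from the NIST algorithm registry) appear in issued certificates. The file path and warning text are illustrative.

```powershell
# Added verification script, not part of the Entrust integration guide.
# Assumes: run as administrator on the CA host, template name 'Administrator',
# CA key held in the nShield KSP. Paths and names are placeholders.

# ML-DSA signature OIDs from the NIST CSOR registry (FIPS 204).
$MlDsaOids = @{
    '2.16.840.1.101.3.4.3.17' = 'ML-DSA-44'
    '2.16.840.1.101.3.4.3.18' = 'ML-DSA-65'
    '2.16.840.1.101.3.4.3.19' = 'ML-DSA-87'
}
$ExpectedProvider  = 'nCipher Security World Key Storage Provider'
$ExpectedAlgorithm = 'ML-DSA-87'
$TemplateName      = 'Administrator'   # assumed template name

# Report the signature algorithm of one certificate and whether it is the
# expected ML-DSA parameter set.
function Test-PqcCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Expected = $ExpectedAlgorithm
    )
    $sigOid  = $Certificate.SignatureAlgorithm.Value
    $sigName = $MlDsaOids[$sigOid]
    if (-not $sigName) { $sigName = $Certificate.SignatureAlgorithm.FriendlyName }
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        SignatureOid       = $sigOid
        SignatureAlgorithm = $sigName
        IsPqcSigned        = ($sigName -eq $Expected)
        PublicKeyOid       = $Certificate.PublicKey.Oid.Value
    }
}

# 1. CA key storage: the CA's CSP registry values must name the nShield KSP.
#    certutil -getreg CA\CSP prints Provider, CNGPublicKeyAlgorithm and
#    CNGHashAlgorithm for the local CA.
$cspConfig = certutil -getreg CA\CSP 2>&1 | Out-String
if ($cspConfig -notmatch [regex]::Escape($ExpectedProvider)) {
    Write-Warning "CA provider is not '$ExpectedProvider':`n$cspConfig"
}
if ($cspConfig -notmatch 'ML-DSA') {
    Write-Warning "CA public key algorithm does not appear to be ML-DSA:`n$cspConfig"
}

# 2. CA certificate: export it and confirm it is self-signed with ML-DSA-87.
$caCertPath = Join-Path $env:TEMP 'pqc-ca.cer'
certutil -ca.cert $caCertPath | Out-Null
$caCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caCertPath)
Test-PqcCertificate -Certificate $caCert | Format-List

# 3. Template: confirm the algorithm and the provider restriction were saved.
#    Expect ML-DSA:87 and the nShield KSP in the template's RA policies.
certutil -v -template $TemplateName |
    Select-String -Pattern 'ML-DSA|nCipher|msPKI-RA-Application-Policies'

# 4. Enrolled certificates: every certificate issued by this CA in the local
#    machine store must carry the ML-DSA signature OID.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $caCert.Subject } |
    ForEach-Object { Test-PqcCertificate -Certificate $_ } |
    Format-Table Subject, SignatureAlgorithm, IsPqcSigned, PublicKeyOid -AutoSize
```

Step 1 checks the CA's stored configuration rather than a certificate, so it catches the case where the CA certificate was issued with the right algorithm but the CA was later reconfigured. Step 4 separates the signature algorithm from the subject key algorithm, which is the distinction the Details view leaves implicit: a certificate can be ML-DSA-signed while carrying a non-PQC subject key if the template's Algorithm Name was not changed.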