Applied Post Quantum Cryptography: A Practical Approach for Generating Certificates in Industrial Environments

TL;DR

This paper presents a practical implementation for integrating post-quantum cryptography into X.509 certificates, addressing current tool limitations and supporting industrial environment requirements.

Contribution

It develops a modular, open-source tool for generating various PQC-enabled certificates compatible with standard workflows, filling a gap in existing solutions.

Findings

Supports classical, hybrid, composite, and chameleon certificates with PQC algorithms

Demonstrates compatibility with standard X.509 workflows

Highlights limitations in current standardization and tool support

Abstract

The transition to post-quantum cryptography (PQC) presents significant challenges for certificate-based identity management in industrial environments, where secure onboarding of devices relies on long-lived and interoperable credentials. This work analyzes the integration of PQC into X.509 certificate structures and compares existing tool support for classical, hybrid, composite, and chameleon certificates. A gap is identified in available open-source solutions, particularly for the generation and validation of hybrid and composite certificates via command-line interfaces. To address this, a proof-of-concept implementation based on the Bouncy Castle library is developed. The tool supports the creation of classical, hybrid (Catalyst), composite, and partially chameleon certificates using PQC algorithms such as ML-DSA and SLH-DSA. It demonstrates compatibility with standard X.509 workflows and aims to support headless operation and constrained platforms typical of industrial systems. The implementation is modular, publicly available, and intended to facilitate further research and testing of PQC migration strategies in practice. A comparison with OpenSSL-based solutions highlights current limitations in standardization, toolchain support, and algorithm coverage.