Post-quantum cryptography (PQC) is becoming a critical focus now that NIST has published ML-DSA (Module-Lattice-Based Digital Signature Algorithm, FIPS 204) as a final standard. If you want to experiment with quantum-safe X.509 certificates using ML-DSA on a Windows machine, this guide walks you through:
- Installing prerequisites on Windows
- Generating ML-DSA keys
- Creating a CSR (certificate signing request)
- Issuing self-signed and CA-signed ML-DSA X.509 certificates
1. Prerequisites Setup on Windows
OpenSSL releases before 3.5 have no ML-DSA support; OpenSSL 3.5 (April 2025) added ML-DSA, ML-KEM and SLH-DSA natively, so if you can use that version or later you do not need a fork at all. This guide uses the Open Quantum Safe (OQS) OpenSSL fork, which integrates the PQC algorithms from liboqs. Two caveats before you start: the fork is based on OpenSSL 1.1.1 and the OQS project has archived it in favour of oqs-provider (a provider plugin for OpenSSL 3.x), and older OQS builds expose the algorithms under the pre-standard Dilithium names rather than ML-DSA-44/65/87. Check which names your build supports with openssl list -public-key-algorithms before running the commands in the later sections.
Step 1. Install Git, CMake, Perl and NASM
- Download Git for Windows: https://git-scm.com/download/win
- Download CMake: https://cmake.org/download/
- Install a Perl distribution such as Strawberry Perl (OpenSSL's Configure script is written in Perl) and NASM for the assembly-optimised routines (or pass no-asm to Configure in Step 5).
(Add all of them to PATH during installation.)
Step 2. Install Visual Studio Build Tools
- Get the Build Tools for Visual Studio.
- During installation, check Desktop development with C++.
Step 3. Clone the OQS-OpenSSL repository
Open x64 Native Tools Command Prompt for VS 2022 and run:
git clone https://github.com/open-quantum-safe/openssl.git oqs-openssl
cd oqs-openssl
This fork is patched to include PQC algorithms like ML-DSA.
Step 4. Clone and Build liboqs
Still inside the oqs-openssl directory, clone liboqs into a subdirectory and build it:
git clone https://github.com/open-quantum-safe/liboqs.git
cd liboqs
cmake -G "Visual Studio 17 2022" -A x64 -DCMAKE_INSTALL_PREFIX=C:\oqs .
cmake --build . --config Release --target INSTALL
This installs liboqs into C:\oqs. If CMake finds an existing OpenSSL on the machine, liboqs will link against it for its symmetric primitives; add -DOQS_USE_OPENSSL=OFF to the first cmake line to avoid a circular dependency on the OpenSSL you are about to build.
Step 5. Build OQS-OpenSSL
Change back to the oqs-openssl directory (cd .. from liboqs) and run:
perl Configure VC-WIN64A no-shared --prefix=C:\oqs-openssl --with-oqs=C:\oqs
nmake
nmake install
After installation, ensure that:
- C:\oqs-openssl\bin is in your PATH ahead of any other OpenSSL build. Git for Windows ships its own openssl.exe under usr\bin, and where openssl tells you which copy resolves first.
- Running openssl version shows the OQS-OpenSSL fork.
✅ You’re now ready to use ML-DSA with OpenSSL on Windows.
2. Generate an ML-DSA Key Pair
To generate a private key using ML-DSA-65 (written unencrypted in PKCS#8 PEM form; add -aes256 if you want it passphrase-protected):
openssl genpkey -algorithm ML-DSA-65 -out mldsa_priv.pem
Export the public key:
openssl pkey -in mldsa_priv.pem -pubout -out mldsa_pub.pem
3. Create a Certificate Signing Request (CSR)
With the ML-DSA private key (the ^ line continuation is for cmd.exe; in PowerShell use a backtick instead):
openssl req -new -key mldsa_priv.pem -out mldsa.csr ^
-subj "/C=US/ST=California/L=San Jose/O=CryptoDecoded/OU=Security/CN=mldsa.example.com"
4. Create a Self-Signed ML-DSA Certificate
For testing, self-sign with ML-DSA:
openssl x509 -req -in mldsa.csr -signkey mldsa_priv.pem -out mldsa_cert.pem -days 365
5. Inspect the Certificate
Check that ML-DSA-65 appears as the Signature Algorithm (it is printed twice, once inside the TBS certificate and once for the outer signature) and as the Public Key Algorithm:
openssl x509 -in mldsa_cert.pem -text -noout
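As an added example (not code from this guide, the OQS project or OpenSSL), the following standard-library Python script checks the same things programmatically that you would eyeball in the -text dump: that tbsCertificate.signature, the outer signatureAlgorithm and subjectPublicKeyInfo all carry the same ML-DSA OID (2.16.840.1.101.3.4.3.17/18/19 for ML-DSA-44/65/87), that the AlgorithmIdentifier has no parameters (absent rather than NULL, which is what the IETF LAMPS profile for ML-DSA certificates requires), and that the public key and signature lengths match the FIPS 204 parameter set. So that it runs offline, the certificate it is exercised on is constructed inline with zero-filled key and signature bytes; the host name in its DN is an assumption. To check a certificate produced by the commands above, pass pem_to_der(open("mldsa_cert.pem").read()) to check_mldsa_certificate.

```python
"""Structural check of an ML-DSA X.509 certificate (PEM or DER) using only the standard library."""
import base64
import re

# ML-DSA OIDs (NIST sigAlgs arc 2.16.840.1.101.3.4.3). The same OID identifies the key in
# subjectPublicKeyInfo and the signature in both AlgorithmIdentifier fields of the certificate.
ML_DSA_OIDS = {
    "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
    "2.16.840.1.101.3.4.3.19": "ML-DSA-87",
}
# (public key bytes, signature bytes) per FIPS 204 parameter set
ML_DSA_SIZES = {"ML-DSA-44": (1312, 2420), "ML-DSA-65": (1952, 3309), "ML-DSA-87": (2592, 4627)}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed DER value into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _algorithm(alg_id_value):
    """AlgorithmIdentifier content -> (dotted OID, True when parameters are absent)."""
    parts = _children(alg_id_value)
    return _decode_oid(parts[0][1]), len(parts) == 1

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", pem))

def check_mldsa_certificate(der):
    """Return {'algorithm', 'public_key_bytes', 'signature_bytes'} or raise ValueError."""
    _, cert, _ = _read_tlv(der, 0)
    (_, tbs), (_, outer_alg), (_, sig_bits) = _children(cert)[:3]
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0  # optional [0] EXPLICIT version
    inner_alg, spki = fields[i + 1][1], fields[i + 5][1]  # serial, signature, issuer, validity, subject, spki
    (_, spki_alg), (_, spki_key) = _children(spki)
    oid, params_absent = _algorithm(outer_alg)
    if oid not in ML_DSA_OIDS:
        raise ValueError(f"signature algorithm {oid} is not ML-DSA")
    name = ML_DSA_OIDS[oid]
    if _algorithm(inner_alg) != (oid, params_absent):  # RFC 5280: both signature fields must match
        raise ValueError("tbsCertificate.signature and signatureAlgorithm differ")
    if not params_absent or _algorithm(spki_alg) != (oid, True):  # ML-DSA: parameters absent, not NULL
        raise ValueError(f"{name}: parameters must be absent and the SPKI OID must match")
    if spki_key[0] != 0 or sig_bits[0] != 0:  # first octet of a BIT STRING = number of unused bits
        raise ValueError("BIT STRING unused-bits octet must be 0")
    pk_len, sig_len = len(spki_key) - 1, len(sig_bits) - 1
    if (pk_len, sig_len) != ML_DSA_SIZES[name]:
        raise ValueError(f"{name}: key/signature sizes {pk_len}/{sig_len} do not match FIPS 204")
    return {"algorithm": name, "public_key_bytes": pk_len, "signature_bytes": sig_len}

# --- Constructed sample input: a certificate skeleton with zero-filled key and signature. ---
# It is NOT a valid certificate (nothing is signed); it only exercises the structural checks.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while (a := a >> 7):
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def make_sample_certificate(name="ML-DSA-65", null_params=False):
    """null_params=True injects the NULL parameters a non-conforming encoder might emit."""
    oid = next(o for o, n in ML_DSA_OIDS.items() if n == name)
    pk_len, sig_len = ML_DSA_SIZES[name]
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + (_tlv(0x05, b"") if null_params else b""))
    dn = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid("2.5.4.3")) + _tlv(0x0C, b"mldsa.example.com"))))
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + bytes(pk_len)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + dn + validity + dn + spki)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(sig_len)))
```

This is a structural check only: it tells you that the encoding is the one other PQC-aware implementations will accept, but it does not validate the signature, which remains the job of the OpenSSL build that issued the certificate. The null_params switch exists because NULL parameters are the most common encoding mistake carried over from RSA habits, and a strict verifier will reject such a certificate.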
6. Create an ML-DSA Root CA and Sign a Leaf Certificate
Step 1. Root key
openssl genpkey -algorithm ML-DSA-87 -out mldsa_root.pem
Step 2. Root certificate
openssl req -x509 -new -key mldsa_root.pem -out mldsa_root_cert.pem -days 730 ^
-subj "/C=US/O=CryptoDecoded/OU=RootCA/CN=ML-DSA Root CA"
With the default openssl.cnf, req -x509 applies the v3_ca section (basicConstraints=critical,CA:TRUE plus subject and authority key identifiers). If your build's config lacks it, add -addext "basicConstraints=critical,CA:TRUE" to this command; without it, verifying the leaf against the root will fail.
Step 3. Sign the leaf CSR
openssl x509 -req -in mldsa.csr -CA mldsa_root_cert.pem -CAkey mldsa_root.pem ^
-CAcreateserial -out mldsa_leaf_cert.pem -days 365
x509 -req copies no extensions from the CSR by default; for a TLS server certificate pass an -extfile with subjectAltName and extendedKeyUsage. Then confirm the chain with openssl verify -CAfile mldsa_root_cert.pem mldsa_leaf_cert.pem, which must print OK.
7. Notes and Best Practices
- ML-DSA variants (FIPS 204 parameter sets):
  ML-DSA-44: NIST security category 2 (roughly 128-bit classical); public key 1312 bytes, signature 2420 bytes
  ML-DSA-65: category 3 (roughly 192-bit); public key 1952 bytes, signature 3309 bytes
  ML-DSA-87: category 5 (roughly 256-bit); public key 2592 bytes, signature 4627 bytes
  Expect each certificate to be several kilobytes larger than its ECDSA equivalent, which matters for TLS handshake size and for any component with a certificate size limit.
- Windows file paths: backslashes need no escaping at the cmd.exe prompt; quote paths that contain spaces. Escape them (C:\\oqs) only where the string is parsed by another language, such as a JSON or C source file or a bash script.
- Hybrid certificates: OQS-OpenSSL can also produce hybrid (classical + PQ) keys and signatures, for example ECDSA combined with ML-DSA. These OQS encodings are not standardised and only interoperate with other OQS-based software; the IETF LAMPS working group is standardising composite ML-DSA signatures separately. Hybrids are often recommended for real-world pilots because the classical half keeps the certificate secure if a flaw is found in the new algorithm.
- Use cases: These certificates are mostly for testing and research until PQC becomes mainstream in TLS and PKI stacks.
Conclusion
You now have a working setup on Windows to generate ML-DSA-based X.509 certificates with the OQS fork of OpenSSL. This workflow lets you start experimenting with PQC today and prepare your infrastructure for the post-quantum era.