The quantum era is coming faster than most security teams anticipated. Once large-scale quantum computers arrive, they will be able to break today’s most widely used public-key algorithms (RSA, ECDSA, and DH). That poses a direct risk to PKI, TLS, code signing, and secure communications.
The problem?
- We need quantum-safe algorithms like ML-DSA (FIPS 204).
- But most applications, browsers, and devices still only trust classical algorithms like ECDSA.
The solution? Hybrid certificates.
What Are Hybrid Certificates?
A hybrid certificate is an X.509 certificate that contains both a classical signature algorithm (e.g., ECDSA) and a post-quantum signature algorithm (e.g., ML-DSA).
Think of it as a dual lock system:
- Lock #1: Classical crypto (works everywhere today).
- Lock #2: Post-quantum crypto (future-proof against quantum attacks).
If one breaks, the other still holds, as long as the verifier actually checks both.
There are different approaches:
- Composite certificates: A single signature made from multiple algorithms (ECDSA + ML-DSA).
- Concatenated certificates: Two separate certificates bound together.
- Parallel signatures: The same certificate signed independently by two algorithms.
Currently, the composite model is gaining traction in standards work (e.g., the IETF draft draft-ounsworth-pq-composite-sigs).
Why Hybrid Certificates Matter
- Interoperability: Legacy systems verify the ECDSA part, while PQC-aware systems can verify ML-DSA.
- Migration Path: You don’t have to flip a switch from RSA/ECDSA to PQC overnight.
- Future-Proofing: Data encrypted today might be harvested and broken later (“harvest now, decrypt later”). Hybrid certs reduce this risk.
Example: Creating a Hybrid X.509 Certificate with OQS-OpenSSL
To try this out, you’ll need the OQS-OpenSSL fork (instructions here).
Step 1. Generate Keys
# ECDSA key (classical)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ecdsa_priv.pem
# ML-DSA key (post-quantum)
openssl genpkey -algorithm ML-DSA-65 -out mldsa_priv.pem
Step 2. Create a Hybrid Private Key
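Using OQS-OpenSSL, you can merge the two. The -compose option shown here is not part of upstream OpenSSL's pkey command, so confirm that your build supports it with openssl pkey -help before relying on this step: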
openssl pkey -compose -inkey ecdsa_priv.pem -inkey mldsa_priv.pem -out hybrid_priv.pem
Step 3. Generate a CSR
openssl req -new -key hybrid_priv.pem -out hybrid.csr \
-subj "/C=US/ST=California/L=San Jose/O=CryptoDecoded/OU=Hybrid/CN=hybrid.example.com"
Step 4. Self-Sign a Hybrid Certificate
openssl x509 -req -in hybrid.csr -signkey hybrid_priv.pem -out hybrid_cert.pem -days 365
Step 5. Inspect the Certificate
openssl x509 -in hybrid_cert.pem -text -noout
Look for a signature algorithm field that includes both ECDSA and ML-DSA.
Deployment Scenarios
- TLS Certificates: Hybrid certs can be used in testbed TLS servers to validate PQC support.
- Code Signing: A binary signed with both ensures it runs on current OSes while being secure against quantum adversaries.
- IoT Devices: Long-lifetime devices can embed hybrid certs to ensure they remain secure in a PQC world.
Challenges to Be Aware Of
- Certificate Size: Hybrid certs are larger, which can impact handshake times.
- Software Support: Not all libraries or browsers can parse hybrid certs yet.
- Standardization in Progress: Expect changes as IETF and NIST finalize guidance.
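To put numbers on the certificate size point above, the following added example (not from the original post or from the OQS project) estimates how many bytes of authentication data a server sends with classical, PQ-only, and hybrid credentials, and whether that fits in one TCP initial window. The ML-DSA sizes are from FIPS 204. The 300-byte per-certificate overhead, the two-certificate chain, the 10-segment initial window, and the 1460-byte MSS are assumptions, and composite encoding overhead is ignored.

```python
import math

# Sizes in bytes. ML-DSA values are from FIPS 204; ECDSA P-256 uses an
# uncompressed public point and the maximum DER signature length.
ALGS = {
    "ECDSA-P256": {"pk": 65, "sig": 72},
    "ML-DSA-44": {"pk": 1312, "sig": 2420},
    "ML-DSA-65": {"pk": 1952, "sig": 3309},
    "ML-DSA-87": {"pk": 2592, "sig": 4627},
}

# Assumptions (not from the original page): bytes per certificate for names,
# validity, extensions and encoding; 10-segment initial congestion window
# with a 1460-byte MSS.
CERT_OVERHEAD = 300
INIT_CWND_BYTES = 10 * 1460


def auth_bytes(algs, chain_len=2):
    """Authentication bytes sent by the server: chain_len certificates, each
    carrying one public key and one issuer signature per algorithm, plus the
    handshake signature (CertificateVerify in TLS 1.3)."""
    pk = sum(ALGS[a]["pk"] for a in algs)
    sig = sum(ALGS[a]["sig"] for a in algs)
    return chain_len * (CERT_OVERHEAD + pk + sig) + sig


def flights(algs, chain_len=2):
    """Initial-window flights needed; each one past the first costs a round trip."""
    return math.ceil(auth_bytes(algs, chain_len) / INIT_CWND_BYTES)


def report(chain_len=2):
    """Return (label, bytes, flights) for the three deployment options."""
    options = [
        ("classical", ["ECDSA-P256"]),
        ("pq-only", ["ML-DSA-65"]),
        ("hybrid", ["ECDSA-P256", "ML-DSA-65"]),
    ]
    return [(name, auth_bytes(a, chain_len), flights(a, chain_len))
            for name, a in options]


if __name__ == "__main__":
    for name, size, n in report():
        print(f"{name:10s} {size:6d} bytes  {n} flight(s)")
```

Under these assumptions the ML-DSA-65 chain alone still fits in one initial window, while adding the ECDSA component pushes the hybrid chain just past it, which is where the extra handshake latency comes from.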
Conclusion
Hybrid certificates are the bridge strategy for organizations planning their post-quantum migration. They provide backward compatibility with today’s systems while ensuring future resilience.
If you’re experimenting with PQC, hybrid X.509 certificates are one of the most practical tools you can start using today.