Skip to content
QPKI

QPKI

The post-quantum PKI toolkit in Go.
Deploy quantum-safe certificates today. Single binary, zero dependencies, NIST FIPS 203/204/205 compliant.
Quick Start View Source
Terminal
$ curl -sSL get.qpki.io | sh
Installed qpki v1.0 to /usr/local/bin
$ qpki ca init --algorithm ml-dsa-65 --cn "My PQ Root CA"
Root CA created with ML-DSA-65
$ qpki cert issue --profile server --cn "api.example.com"
Post-quantum certificate issued · valid 365d
$
Standards
FIPS 203 ML-KEM FIPS 204 ML-DSA FIPS 205 SLH-DSA RFC 5280 RFC 6960 RFC 3161 RFC 5652

Prepare for the Quantum Era

NIST has finalized post-quantum standards. Governments target 2030 for migration.

The Deadline

NIST, NSA, and major governments target 2030 for post-quantum migration. RSA-2048 and ECC will be deprecated.

Harvest Now, Decrypt Later

Adversaries are already collecting encrypted data. When quantum computers arrive, they'll decrypt everything.

Standards Are Ready

NIST finalized FIPS 203, 204, 205 in 2024. The algorithms exist. The tools exist. Time to act.

2024 NIST standards finalized
2025 Early adopters migrate
2028 Industry mandates begin
2030 Classical crypto deprecated
2024 NIST standards finalized
2025 Early adopters migrate
2028 Industry mandates begin
2030 Classical crypto deprecated

One binary. Full PKI.

From root CA to OCSP responder — everything ships in a single CLI.

CLI Single binary
CA Root & Sub CAs
Certificates X.509 PQ & Hybrid
Services OCSP · CRL · TSA · CMS · COSE
Algorithms
ML-DSA ML-KEM SLH-DSA RSA ECDSA EdDSA Catalyst Composite

Built for the Quantum Era

Everything you need to deploy post-quantum PKI in production.

Core

Post-Quantum Ready

Native support for NIST post-quantum algorithms. ML-DSA for signatures, ML-KEM for key encapsulation, SLH-DSA for hash-based signatures. Fully FIPS 203/204/205 compliant.

# Generate ML-DSA key pair
$ qpki key generate \
    --algorithm ml-dsa-65 \
    --out root-ca.key

✓ ML-DSA-65 key pair generated
Migration

Hybrid Certificates

Dual-algorithm certificates combine classical with post-quantum algorithms. Backward compatible with existing infrastructure while quantum-safe.

# Issue hybrid certificate
$ qpki cert issue \
    --profile hybrid-server \
    --algorithm ml-dsa-65+ecdsa-p256 \
    --cn "api.example.com"

✓ Hybrid certificate issued
DevOps

CLI-First

Single binary, zero dependencies. Script everything. Works in CI/CD pipelines, containers, and air-gapped environments. Install in seconds.

# One-line install
$ brew install qentriq/tap/qpki

# Or download binary
$ curl -sSL get.qpki.io | sh

✓ qpki v1.0 ready
Quality

Battle-Tested

Cross-validated with OpenSSL and BouncyCastle. Standards-compliant X.509 certificates. Full RFC compliance for OCSP, TSA, CRL, and CMS.

OpenSSL
BouncyCastle
X.509 v3
OCSP / CRL

3 Commands. 1 Post-Quantum CA.

From zero to quantum-safe certificates in under a minute.

~ / my-pki
1
# Initialize a post-quantum Root CA
$ qpki ca init --algorithm ml-dsa-65 --cn "Acme Root CA" --org "Acme Corp"
Root CA initialized · algorithm: ML-DSA-65 · expires: 2035-01-01
2
# Create an issuing sub-CA
$ qpki ca create-sub --cn "Acme Issuing CA" --parent root
Sub-CA created · signed by: Acme Root CA
3
# Issue a server certificate
$ qpki cert issue --profile server --cn "api.acme.com" --san "*.acme.com"
Certificate issued · SAN: *.acme.com · valid: 365 days
Interactive Labs

Learn by Doing

QLAB is a hands-on learning journey through post-quantum cryptography. 11 labs from quantum threat awareness to crypto-agility and migration strategy.

Quantum Threat First Certificate Full PQ Chain Hybrid Mode Revocation +6 more
Start the Labs Read the Docs
Awareness 2 labs
Build 2 labs
Lifecycle 2 labs
Signatures 3 labs
Encryption 1 lab
Migration 2 labs