Post-quantum certificates

The half of the post-quantum migration that hasn't happened yet — and why that's the correct order.

Two migrations, not one

TLS uses public-key cryptography for two jobs: agreeing the session key (key exchange) and proving the server's identity (certificate signatures). Post-quantum key exchange is deployed and mainstream — that story is covered in ML-KEM explained. Post-quantum certificates are not: as of mid-2026, no publicly trusted certificate authority issues ML-DSA certificates that chain to the browser trust stores, and no browser negotiates them.

That asymmetry is deliberate, and it comes down to what an attacker can do retroactively. Recorded traffic can be decrypted years later, so key exchange had to move first (harvest now, decrypt later). A signature, though, only authenticates the moment it is verified — a quantum computer in 2035 cannot travel back and impersonate your server in 2026. Certificate signatures only need to be post-quantum before large quantum computers actually exist, not before they might be imagined.

What's actually holding it up

Hybrid certificates and other transition ideas

Several transition mechanisms are in play. Composite certificates bind a classical and a post-quantum key in one certificate, so validation requires both signatures to verify. Dual-certificate deployments serve a classical or post-quantum chain depending on what the client negotiates. Private PKIs — where you control both ends — can and do issue ML-DSA certificates today; nothing stops an internal CA. The public web will converge on whatever the root programmes bless, so there is little value in guessing the winner now.

What to do today

Further reading


The post-quantum TLS test reads your certificate's signature algorithm as part of its scan — and will tell you, correctly, that a classical one is normal. Decode any certificate in full with the certificate decoder.

Related guides