It’s a major change, but when you break it into manageable steps, it becomes far more achievable.
Step 1: Observe and inventory your PKI
Goal: Understand what cryptographic assets you have and where they live.
- Use automated tools to discover certificates and crypto dependencies
- Catalog certificates by algorithm used, expiration date, and associated systems or apps
- Identify cryptographic libraries in cloud and on-prem applications, IoT devices, and root CAs
- Document and visualize PKI dependencies
Step 2: Assess and triage asset risk
Goal: Prioritize migration based on risk and sensitivity.
- Classify assets:
- High priority: identity systems, financial systems, government data
- Medium priority: VPNs, web auth, secure email
- Low priority: Internal apps with short-lived encryption
- Plan for full PQC protection of all assets by 2035
Step 3: Deploy hybrid PKI
Goal: Begin the secure transition to PQC with backward compatibility.
- Introduce hybrid certificates (RSA/ECC + PQC)
- Use CAs that support quantum-safe algorithms
- Start testing quantum-resistant TLS for secure data-in-transit
- Phase out non-quantum-capable CAs and systems
Step 4: Define migration milestones
Goal: Break migration into manageable, time-bound phases.
2025-2027
- Complete PKI inventory
- Begin hybrid PKI development
- Upgrade highest-risk assets
- Form a cross-functional PKI governance team
2028-2030
- Replace critical RSA/ECC encryption
- Audit cryptographic usage regularly
2031-2035
- Finish migrating all assets to PQC
- Establish crypto agility practices for ongoing adaptability
To stay secure in a quantum future, start now. Inventory, assess, deploy hybrid PKI, and set clear milestones.
Questions? Talk to the experts at Keyfactor to begin your PQC journey.