Free Trial
Contact Us
Sectigo Blog

Operationalize your post-quantum computing (PQC) readiness: Private PQC certificate management, built into Sectigo Certificate Manager

RSS Feed

Post-quantum cryptography (PQC) readiness requires a gradual, practical approach not a sudden shift. Sectigo Private PQC, built into Sectigo Certificate Manager (SCM), enables enterprises to safely experiment with PQC certificates using existing workflows, governance, and lifecycle management. With built-in guardrails and support for ML-DSA algorithms, organizations can test real-world operational impacts, build crypto agility, and prepare for post-quantum security without introducing risk or complexity.

Emily Cao
By Emily Cao, Product Marketing Manager
April 14, 2026

Table of Contents

When post‑quantum cryptography (PQC) hits, it won’t be a “flip the switch” moment. It requires a journey of learning, testing, and discovering to figure out what works, where your organization is positioned, and how to manage adaptations. Standards are evolving, teams are learning, and enterprises need a way to prepare without gambling on unproven architectures or creating long‑lived risk.

Sectigo Private PQC brings PQC testing directly into Sectigo Certificate Manager (SCM) so you can issue and manage private, PQC SSL certificates using the same approval workflows, inventory visibility, auditing, renewals, and revocations your teams already rely on. It’s the practical, governed path to hands‑on PQC readiness, without switching platforms or spinning up risky infrastructure.

Why now: From PQC hype to practical readiness

Most organizations know PQC is coming. What’s been missing is a safe way to experiment with real certificates under real certificate lifecycle controls. Not just on paper, but in a real sandbox environment.

For years, the conversation around post‑quantum cryptography has been dominated by urgency headlines and academic breakthroughs. But while the inevitability of PQC is widely accepted, most organizations still lack a practical way to begin preparing today. Security and PKI teams are caught in a tension: they understand the long‑term cryptographic risk, but they can’t justify investing in architectures, tools, or processes that may change as standards finalize.

This gap exists because much of the PQC dialogue lives in the world of algorithm design, cryptanalysis, and research, far removed from the operational realities that enterprises face. It's one thing to debate lattice-based versus hash-based signatures, or parameter sets such as ML-DSA-44 versus ML-DSA-65 on paper; it’s another thing entirely to understand how PQC certificates impact downstream systems,approval workflows, renewal patterns, and dependency mapping. Enterprises don’t experience PQC as a mathematical exercise, they experience it as a lifecycle challenge.

That’s why responsible organizations are looking for a way to take measured, low‑risk first steps without over‑committing to architectures that may shift. Experimentation becomes a form of preparation. Rather than treating PQC as a future cliff, the most forward‑looking teams treat it as a gradual ramp. This is exactly what Private PQC in SCM enables: not hype, not fear, but practical readiness grounded in real data and operational experience.

Private PQC in SCM:

  • Brings PQC into real operations: Evaluate operational impact, approvals, auditing, and inventory, not just crypto theory.
  • Allows your teams to start without over‑committing: Experiment privately with guardrails designed to prevent stranded certificates or unintended production reliance.
  • Gives your organization the opportunity to learn early, and evolve over time: Adapt as RFCs, CA/B Forum guidance, and best practices mature, without replatforming.

What’s new: Experimental, governed PQC built into SCM

Private PQC is a fully managed, hosted capability in SCM that lets teams safely issue and manage private PQC SSL certificates with no extra tools or separate platform.

PQC readiness shouldn’t create accidental production exposure or years of cryptographic debt. That’s why Private PQC has been designed with clear, deliberate guardrails:

  • Private‑only issuance
  • Sectigo-managed PQC CA and HSMs
  • Support for defined ML‑DSA algorithms (ML‑DSA‑44, ML‑DSA‑65, ML‑DSA‑87)
  • One‑year maximum certificate validity

These safeguards ensure organizations can learn meaningfully from real certificates without creating stranded assets or long‑lived experimental certs that persist beyond their intended purpose. It’s readiness with responsibility built in.

Key advantages:

  • Hands‑on, in‑platform experimentation.
  • Lifecycle parity with existing certificate management.
  • Hosted by Sectigo, with no experimental CA/HSM required.
  • Guardrails by design including ML‑DSA‑44/65/87 and 1‑year max validity.
  • Built to evolve with PQC standards.

How it fits: Sectigo PQC Labs → SCM Private PQC

Sectigo PQC Labs provides low‑friction experimentation. SCM Private PQC extends that experimentation into enterprise‑grade, governed lifecycle management.

Who is this for?

  • Existing SCM Private CA MRAOs.

Use cases

  • Pilot PQC in controlled environments.
  • Train teams using real workflows.
  • Develop internal operational playbooks.

Why Sectigo: A practical, responsible path to PQC

Sectigo offers a unified PQC progression across PQC Labs and SCM, backed by deep PKI expertise and a fully managed PQC CA infrastructure.

FAQs

How is Private PQC different from Sectigo PQC Labs?

They serve different stages of the PQC journey:

  • Sectigo PQC Labs: A lightweight, web based environment for early PQC exploration and experimentation. It’s ideal for testing and hands-on evaluation, without requiring Sectigo products.
  • Private PQC in SCM: Extends that experimentation into an enterprise PKI environment, where governance, visibility, and lifecycle management matter. Teams can import PQC certificates from PQC Labs and manage them alongside other private certificates using familiar SCM workflows.

Together, they provide a clear progression from experimentation to operational readiness, allowing IT teams to start small, then bring what they learn into real certificate operations without switching tools or vendors.

Why does Sectigo’s Private PQC choose to support ML-DSA algorithms?

Sectigo selected ML-DSA because it is one of the first NIST-standardized post-quantum signature algorithm with IETF draft specifications defining its use in X.509 certificates, including OIDs and encoding guidance.

RFC 9881 defines how ML-DSA (as specified in NIST FIPS 204) is represented and used within Internet PKI, including certificate signatures, subject public keys, and Certificate Revocation Lists (CRLs), making it the most clearly specified and interoperable PQC signature option available today for certificate

If Google is exploring new certificate models like Merkle Tree Certificates (MTCs), why experiment with ML-DSA now?

Google’s work on MTCs highlights an important reality: postquantum cryptography introduces real operational tradeoffs, not just cryptographic ones.

Private PQC is intentionally designed to help organizations understand those tradeoffs early, including:

  • Larger key and signature sizes
  • Impacts on certificate lifecycles and inventories
  • Governance, approvals, and audit implications

By experimenting now, teams can build operational awareness and readiness, while the broader ecosystem continues to evolve.

Find more FAQs here.

  • Current SCM Private CA customers: Request access in‑product or via your AE
  • Prospects: Contact Sectigo to explore Sectigo Private PQC and Sectigo PQC Labs.

Related posts:

What is the purpose of post-quantum cryptography?

The 2025 State of Crypto Agility Report: How organizations are preparing for post-quantum cryptography

Harvest now, decrypt later attacks & how they relate to the quantum threat