FAQ - Sectigo Private PQC
General
Private PQC is an experimental, private-only post-quantum cryptography (PQC) capability built into Sectigo Certificate Manager (SCM). It allows organizations to issue and manage private PQC SSL/TLS certificates using the same approval workflows, inventory visibility, auditing, and lifecycle controls they already use for traditional certificates.
The intent is simple: enable IT teams to learn by doing, under real operational conditions, without forcing premature production decisions or unproven architectural changes.
They serve different stages of the PQC journey:
- Sectigo PQC Labs: A lightweight, web-based environment for early PQC exploration and experimentation. It's ideal for testing and hands‑on evaluation, without requiring Sectigo products.
- Private PQC in SCM: Extends that experimentation into an enterprise PKI environment, where governance, visibility, and lifecycle management matter. Teams can import certificates from Sectigo PQC Labs and manage them alongside other private certificates using familiar SCM workflows.
Together, they provide a clear progression from experimentation to operational readiness, allowing IT teams to start small, then bring what they learn into real certificate operations without switching tools or vendors.
Onboarding & access
- If you’re an existing SCM Private CA customer and hosted outside the EU region:
  You can request access directly from within the SCM portal using your MRAO login. Once submitted, access is typically enabled within two business days.
- If you’re an SCM customer but don’t yet have a Private CA, or if your account is hosted in an EU region:
  Reach out to your Sectigo Account Executive. They can help you understand your options and guide you through the access request.
- If you’re not an SCM customer yet:
  You can start exploring post-quantum cryptography today using Sectigo PQC Labs, our lightweight, web-based environment for PQC experimentation.
- If you’re interested in learning more about SCM or enabling Private PQC as part of your certificate strategy:
  Contact us for a product demo today.
If the request button is not visible, our in-app messaging feature may be disabled for your account due to your organization’s browser security restrictions. Please reach out to your account manager to enable access.
No. Private PQC access is provided at no additional cost for eligible SCM Private CA customers during the experimental phase. To get started, simply submit the request form in SCM. Once submitted, access is typically enabled within two business days.
Private PQC is integrated directly into SCM using the existing Private CA experience.
You can:
- Request and approve PQC certificates
- Track PQC inventory alongside traditional certificates
- Renew, revoke, and audit certificates using familiar workflows
This allows teams to evaluate PQC under real operational conditions, not isolated lab testing.
No. Sectigo hosts and operates the Private PQC CA and provides a fully managed virtual HSM. Customers do not need to deploy, secure, or maintain experimental CA or HSM infrastructure themselves.
No. Sectigo manages and operates the Private PQC CA infrastructure, including the virtual HSM. This allows experimental cryptography to be introduced responsibly without shifting operational or cryptographic risk onto customers.
No. Private PQC should be treated as a learning and readiness capability. Organizations should continue to rely on established, widely trusted cryptographic standards for production environments.
At this stage, Private PQC focuses on hands-on, governed experimentation rather than automated certificate workflows. The intent is to provide early operational insight while avoiding premature assumptions about long-term PQC workflows. Automation capabilities will evolve alongside standards and customer feedback.
Private PQC is an experimental capability, so formal support is currently limited.
To help you get started, we provide:
- A demo video
- Technical documentation
- A feedback form within the SCM portal to share suggestions or interest in future enhancements
Your feedback helps shape the next stages of Private PQC as the product evolves.
There’s no formal deactivation required.
If you decide Private PQC isn’t right for you, you can simply stop requesting or using PQC certificates within SCM. There’s no impact on your existing Private CA or traditional certificates.
We’d genuinely value your feedback. If something didn’t work as expected, or if you have ideas on how Private PQC could be improved, please submit the feedback form within SCM. Your input directly helps shape how Private PQC evolves in future stages and ensures it better supports real-world use cases.
Experimentation scope
No. Private PQC is explicitly experimental. It is designed to help teams learn and prepare, not to replace production PKI or support public trust use cases. Guardrails are intentionally in place to prevent accidental dependency on evolving cryptography.
Private PQC currently supports:
- Private-only certificates
- SSL/TLS certificate use cases only
- Experimental PQC algorithms (ML-DSA-44, ML-DSA-65, ML-DSA-87)
- Maximum one-year certificate validity
These constraints reduce long-term risk while enabling meaningful evaluation.
Sectigo selected ML‑DSA because it is one of the first NIST-standardized post-quantum signature algorithms with IETF draft specifications defining its use in X.509 certificates, including OIDs and encoding guidance.
RFC 9881 defines how ML‑DSA (as specified in NIST FIPS 204) is represented and used within Internet PKI, including certificate signatures, subject public keys, and Certificate Revocation Lists (CRLs), making it the most clearly specified and interoperable PQC signature option available today for certificate‑based experimentation.
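As an added example (not Sectigo's code and not part of SCM), the guardrails listed above can be checked during an inventory review: the code below decodes a DER AlgorithmIdentifier, maps its OID to the ML-DSA parameter sets used by RFC 9881, and flags present parameters or a validity longer than one year. The function names, the 366-day limit and the sample bytes are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone
# ML-DSA signature OIDs from the NIST arc that RFC 9881 uses.
ML_DSA_OIDS = {
    "2.16.840.1.101.3.4.3.17": "ML-DSA-44",
    "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
    "2.16.840.1.101.3.4.3.19": "ML-DSA-87",
}
MAX_VALIDITY = timedelta(days=366)  # assumption: "one year" may span a leap day
# Constructed AlgorithmIdentifiers: ML-DSA-65 (no parameters), sha256WithRSA + NULL.
SAMPLE_ML_DSA_65 = bytes.fromhex("300b0609608648016503040312")
SAMPLE_RSA_SHA256 = bytes.fromhex("300d06092a864886f70d01010b0500")

def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    subs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last octet of an arc
            subs.append(value)
            value = 0
    first = min(subs[0] // 40, 2)  # first two arcs share one subidentifier
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def check_algorithm(alg_id):
    """Return (parameter_set_or_None, problems) for a DER AlgorithmIdentifier."""
    if len(alg_id) < 4 or alg_id[0] != 0x30 or alg_id[1] != len(alg_id) - 2:
        return None, ["not a short-form DER SEQUENCE"]
    oid_end = 4 + alg_id[3]
    if alg_id[2] != 0x06 or not 4 < oid_end <= len(alg_id) or alg_id[oid_end - 1] & 0x80:
        return None, ["missing or malformed OBJECT IDENTIFIER"]
    oid = decode_oid(alg_id[4:oid_end])
    name = ML_DSA_OIDS.get(oid)
    problems = []
    if name is None:
        problems.append(f"{oid} is not an ML-DSA signature OID")
    elif oid_end != len(alg_id):
        problems.append("parameters present; RFC 9881 requires them to be absent")
    return name, problems

def check_certificate(alg_id, not_before, not_after):
    """Apply the algorithm check plus the one-year validity guardrail."""
    name, problems = check_algorithm(alg_id)
    if not_after - not_before > MAX_VALIDITY:
        problems.append("validity exceeds one year")
    return name, problems

if __name__ == "__main__":
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(check_certificate(SAMPLE_ML_DSA_65, start, start + timedelta(days=365)))
```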
ML-DSA certificates last one year to keep post-quantum testing safe.
Because post-quantum cryptography is still evolving, shorter certificate lifetimes help keep experimentation safe and flexible.
A one-year validity helps:
- Avoid certificates becoming stranded as algorithms evolve
- Reduce long-term cryptographic exposure
- Prevent accidental reliance on experimental cryptography
This ensures learning happens safely while standards and best practices continue to mature.
No. Private PQC is designed for learning, not permanence. Sectigo does not assume that today's algorithms, parameters, or certificate formats represent the final post-quantum end state.
Sectigo actively follows:
- IETF standards work, including post-quantum PKI specifications
- Browser root program guidance
- NIST standardized cryptographic algorithms
Private PQC is intentionally built to evolve alongside this guidance, allowing customers to retain their workflows and learning even as algorithms, certificate models, or trust architectures change. The philosophy is simple: start learning early, remain adaptable, and avoid premature production commitments.
No. Sectigo's Private PQC certificates are:
- Private-only
- Not trusted by browsers
- Not intended for public HTTPS deployment
Browser vendors, including Google, have stated that they have no immediate plans to include traditional post-quantum X.509 certificates in browser root stores, reinforcing the importance of keeping PQC experimentation separate from public trust environments at this stage.
Private PQC aligns with that guidance by keeping experimentation contained, private, and governed.
Experimenting with ML‑DSA now helps teams understand post-quantum operational trade-offs early.
Google's work on MTCs highlights an important reality: post-quantum cryptography introduces real operational trade-offs, not just cryptographic ones.
Private PQC is intentionally designed to help organizations understand those trade-offs early, including:
- Larger key and signature sizes
- Impacts on certificate lifecycles and inventories
- Governance, approvals, and audit implications
By experimenting now, teams can build operational awareness and readiness, while the broader ecosystem continues to evolve.
Future readiness
Private PQC helps organizations prepare for post-quantum cryptography by turning learning into real operational experience.
It enables teams to:
- Gain hands-on experience with PQC certificates
- Understand operational impacts such as approvals, audits, and inventory tracking
- Identify readiness gaps before large-scale adoption
This reinforces an important reality: PQC readiness is as much an operational challenge as it is a cryptographic one.
Yes. Private PQC is designed for change, not permanence. As RFCs, CA/B Forum guidance, and cryptographic recommendations evolve, Sectigo intends to adapt PQC capabilities without forcing customers to switch platforms or rebuild workflows. Early customer feedback will directly inform that evolution.
Sectigo actively follows and participates in:
- IETF standards work, including post-quantum PKI specifications
- Browser root program guidance, including Chrome's Moving Forward, Together initiatives
- NIST standardized cryptographic algorithms
Private PQC is intentionally built to evolve alongside this guidance, allowing customers to retain their workflows and learning even as algorithms, certificate models, or trust architectures change.
To stay up to date on post-quantum cryptography and how Sectigo is approaching PQC readiness, you can:
- Follow Sectigo for product updates, announcements, and industry perspectives
- Subscribe to the Root Causes Podcast to get the latest insights from industry PKI experts on cryptographic change and the evolution of post-quantum security
- Explore our Post-Quantum Cryptography (PQC) resources, where we share research, guidance, and educational content to help organizations prepare
These resources are updated as standards, browser guidance, and industry best practices continue to evolve.

