pqCAlite to Issue Certs
================================================================================

Overview
--------------------------------------------------------------------------------

pQCee's pqCAlite is a post-quantum lightweight Certificate Authority (CA) tool.
It is a stand-alone tool: install it by copying its files into a Linux
directory, then run it immediately to set up the Root CA certificate and
private key. pqCAlite can issue certificates that are compatible with existing
IT infrastructure and also issue quantum-safe certificates that use digital
signature algorithms at NIST PQC Security Level 5.

pqCAlite supports three digital signature algorithms:

#. ECDSA P-384
#. ML-DSA-87
#. SLH-DSA-SHA2-256s

All private keys generated by pqCAlite are stored encrypted.

Setup Root CA
--------------------------------------------------------------------------------

The following steps show how to set up pqCAlite on a new system.

#. Create a new directory in Linux and copy the pqCAlite files into it.

   .. code-block:: bash
      :caption: console

      cd ~
      mkdir pqCAlite

#. Run pqCAlite to begin setup.

   .. code-block:: bash
      :caption: console

      cd ~/pqCAlite
      ./pqCAlite.sh

#. pqCAlite will generate a new 256-bit master key and ask for a new passphrase
   to encrypt the master key. Enter the same passphrase twice to proceed.

   .. code-block:: text
      :caption: pqCAlite prompt for passphrase to protect master key

      pqCAlite: INFO No master key found. Will create a new master key...
      pqCAlite: INFO New 256-bit key generated
      pqCAlite: INFO Asking user for a new passphrase to protect master key...
      Enter new passphrase to protect master key:
      Confirm passphrase:
      pqCAlite: INFO Received new passphrase from user
      pqCAlite: INFO Encrypting new master key...
      pqCAlite: INFO Successfully encrypted new master key
      pqCAlite: INFO Encrypted master key saved in /home/pqcee/pqCAlite/source/.mkey
      pqCAlite: INFO Master key loaded for current session

#. pqCAlite will ask you to select the digital signature algorithm used for
   certificates issued by this lightweight CA. Choose one option to proceed.

   .. code-block:: text
      :caption: pqCAlite prompt for digital signature algorithm

      pqCAlite: INFO DSA has not been set.
      Please select an option (1-3):
      1) ECDSA P-384
      2) ML-DSA-87
      3) SLH-DSA-SHA2-256s
      Enter your choice: 2
      pqCAlite: INFO Using DSA selection "ML-DSA-87"
      pqCAlite: INFO DSA selection saved to /home/pqcee/pqCAlite/source/.algo

#. pqCAlite will ask for the information needed to generate the Root CA
   certificate and private key. Answer the prompts accordingly to proceed.

   .. code-block:: text
      :caption: pqCAlite prompt to create Root CA certificate and private key

      pqCAlite: INFO No Root CA found. Will create a new Root CA.
      pqCAlite: INFO Asking user to fill in Distinguished Name details for Root CA certificate...
      Enter organisation name (e.g., pQCee): pQCee Pte Ltd
      Enter a 2-letter country code (e.g., SG): SG
      Enter state (e.g., Singapore): Singapore
      Enter locality (e.g., Singapore): Singapore
      Enter common name (e.g., QKDLite Root CA): QKDLite Root CA
      Choose time unit for cert expiry (1 - Years, 2 - Days) :1
      Enter expiry in years (e.g., 10): 10
      pqCAlite: INFO Certificate expiry set to 3659 days
      pqCAlite: INFO Using DSA selection "ML-DSA-87"
      pqCAlite: INFO Root CA private key saved to /home/pqcee/pqCAlite/source/private/CA.key
      pqCAlite: INFO Root CA public certificate saved to /home/pqcee/pqCAlite/source/certs/CA.crt
      pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT

#. pqCAlite has completed the initial setup and created a Root CA certificate
   and private key for this directory. In the main menu, you may choose to
   perform other actions or exit.

   .. code-block:: text
      :caption: pqCAlite main menu

      MAIN MENU
      Please select an option (1-3):
      1) Issue server certificate
      2) Issue client certificate
      3) Retrieve key passphrase
      4) Exit
      Enter your choice: 4
      pqCAlite: INFO pqCAlite 1.0.1 exited successfully with code 0

Issue server certificate
--------------------------------------------------------------------------------

The following steps show how to issue a server certificate signed by the Root CA.

#. Start pqCAlite.

   .. code-block:: bash
      :caption: console

      cd ~/pqCAlite
      ./pqCAlite.sh

#. If pqCAlite has been set up as described in the steps above, it will ask for
   the passphrase entered previously. Enter the correct passphrase to proceed.

   .. code-block:: text
      :caption: pqCAlite prompt for correct passphrase

      pqCAlite: INFO Found saved master key. Will use saved master key.
      pqCAlite: INFO Read protected master key from /home/pqcee/pqCAlite/source/.mkey
      pqCAlite: INFO Asking user for passphrase to decrypt master key...
      Enter passphrase to unlock master key:
      pqCAlite: INFO Received passphrase from user
      pqCAlite: INFO Decrypting protected master key...
      pqCAlite: INFO Successfully decrypted protected master key
      pqCAlite: INFO Master key loaded for current session
      pqCAlite: INFO DSA has been set for this CA directory.
      pqCAlite: INFO Read DSA selection from /home/pqcee/pqCAlite/source/.algo
      pqCAlite: INFO Using DSA selection "ML-DSA-87"
      pqCAlite: INFO Root CA public certificate found at /home/pqcee/pqCAlite/source/certs/CA.crt
      pqCAlite: INFO Root CA private key found at /home/pqcee/pqCAlite/source/private/CA.key
      pqCAlite: INFO Will use existing Root CA certificate and private key.
      pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT

#. Choose option 1 and answer the prompts accordingly to issue a server
   certificate.

   .. code-block:: text
      :caption: pqCAlite prompt to issue server certificate

      MAIN MENU
      Please select an option (1-3):
      1) Issue server certificate
      2) Issue client certificate
      3) Retrieve key passphrase
      4) Exit
      Enter your choice: 1
      pqCAlite: INFO User request to issue new server certificate.
      pqCAlite: INFO Asking user to fill in Distinguished Name details for server certificate...
      Enter organisation name (e.g., pQCee): pQCee Pte Ltd
      Enter a 2-letter country code (e.g., SG): SG
      Enter state (e.g., Singapore): Singapore
      Enter locality (e.g., Singapore): Singapore
      Enter common name (e.g., QKDLite Root CA): QKDLite Alice
      Choose time unit for cert expiry (1 - Years, 2 - Days) :1
      Enter expiry in years (e.g., 10): 5
      pqCAlite: INFO Certificate expiry set to 1833 days
      pqCAlite: INFO Asking user to fill in FQDN details for server certificate...
      Enter server's domain name (e.g., www.pQCee.com): alice.qkdlite.com
      pqCAlite: INFO Using DSA selection "ML-DSA-87"
      pqCAlite: INFO New 8-character passphrase generated
      Passphrase for server certificate's private key: OYVzZdFs
      pqCAlite: INFO Encrypting new 8-character passphrase...
      pqCAlite: INFO Successfully encrypted new 8-character passphrase
      pqCAlite: INFO Encrypted passphrase saved in /home/pqcee/pqCAlite/source/private/2603_pQCee_Pte_Ltd_server_QKDLite_Alice.pass
      pqCAlite: INFO Server private key saved to /home/pqcee/pqCAlite/source/private
      pqCAlite: INFO Server private key filename: 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.key
      pqCAlite: INFO Server private key passphrase saved to /home/pqcee/pqCAlite/source/private
      pqCAlite: INFO Server private key passphrase filename: 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.pass
      pqCAlite: INFO Server CSR saved to /home/pqcee/pqCAlite/source/csr
      pqCAlite: INFO Server CSR filename 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.csr
      pqCAlite: INFO Server public certificate saved to /home/pqcee/pqCAlite/source/certs
      pqCAlite: INFO Server public certificate filename: 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.crt
      pqCAlite: INFO Server certificate expiry date: Mar 19 15:25:06 2031 GMT
      pqCAlite: INFO pqCAlite 1.0.1 exited successfully with code 0

#. pqCAlite has issued a server certificate and generated a random passphrase
   to encrypt the associated private key. The random passphrase is shown on
   screen for the user to reference.

Issue client certificate
--------------------------------------------------------------------------------

The following steps show how to issue a client certificate signed by the Root CA.

#. Start pqCAlite.

   .. code-block:: bash
      :caption: console

      cd ~/pqCAlite
      ./pqCAlite.sh

#. If pqCAlite has been set up as described in the steps above, it will ask for
   the passphrase entered previously. Enter the correct passphrase to proceed.

   .. code-block:: text
      :caption: pqCAlite prompt for correct passphrase

      pqCAlite: INFO Found saved master key. Will use saved master key.
      pqCAlite: INFO Read protected master key from /home/pqcee/pqCAlite/source/.mkey
      pqCAlite: INFO Asking user for passphrase to decrypt master key...
      Enter passphrase to unlock master key:
      pqCAlite: INFO Received passphrase from user
      pqCAlite: INFO Decrypting protected master key...
      pqCAlite: INFO Successfully decrypted protected master key
      pqCAlite: INFO Master key loaded for current session
      pqCAlite: INFO DSA has been set for this CA directory.
      pqCAlite: INFO Read DSA selection from /home/pqcee/pqCAlite/source/.algo
      pqCAlite: INFO Using DSA selection "ML-DSA-87"
      pqCAlite: INFO Root CA public certificate found at /home/pqcee/pqCAlite/source/certs/CA.crt
      pqCAlite: INFO Root CA private key found at /home/pqcee/pqCAlite/source/private/CA.key
      pqCAlite: INFO Will use existing Root CA certificate and private key.
      pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT

#. Choose option 2 and answer the prompts accordingly to issue a client
   certificate.

   .. code-block:: text
      :caption: pqCAlite prompt to issue client certificate

      MAIN MENU
      Please select an option (1-3):
      1) Issue server certificate
      2) Issue client certificate
      3) Retrieve key passphrase
      4) Exit
      Enter your choice: 2
      pqCAlite: INFO User request to issue new client certificate.
      pqCAlite: INFO Asking user to fill in Distinguished Name details for client certificate...
      Enter organisation name (e.g., pQCee): ACME
      Enter a 2-letter country code (e.g., SG): SG
      Enter state (e.g., Singapore): Singapore
      Enter locality (e.g., Singapore): Singapore
      Enter common name (e.g., QKDLite Root CA): ACME Client
      Choose time unit for cert expiry (1 - Years, 2 - Days) :2
      Enter expiry in days (e.g., 90): 90
      pqCAlite: INFO Certificate expiry set to 97 days
      pqCAlite: INFO Using DSA selection "ML-DSA-87"
      pqCAlite: INFO New 8-character passphrase generated
      Passphrase for client certificate's private key: +pk28zs3
      pqCAlite: INFO Encrypting new 8-character passphrase...
      pqCAlite: INFO Successfully encrypted new 8-character passphrase
      pqCAlite: INFO Encrypted passphrase saved in /home/pqcee/pqCAlite/source/private/2603_ACME_client_ACME_Client.pass
      pqCAlite: INFO Client private key saved to /home/pqcee/pqCAlite/source/private
      pqCAlite: INFO Client private key filename: 2603_ACME_client_ACME_Client.key
      pqCAlite: INFO Client private key passphrase saved to /home/pqcee/pqCAlite/source/private
      pqCAlite: INFO Client private key passphrase filename: 2603_ACME_client_ACME_Client.pass
      pqCAlite: INFO Client CSR saved to /home/pqcee/pqCAlite/source/csr
      pqCAlite: INFO Client CSR filename 2603_ACME_client_ACME_Client.csr
      pqCAlite: INFO Client public certificate saved to /home/pqcee/pqCAlite/source/certs
      pqCAlite: INFO Client public certificate filename: 2603_ACME_client_ACME_Client.crt
      pqCAlite: INFO Client certificate expiry date: Jun 17 15:39:30 2026 GMT
      pqCAlite: INFO pqCAlite 1.0.1 exited successfully with code 0

#. pqCAlite has issued a client certificate and generated a random passphrase
   to encrypt the associated private key. The random passphrase is shown on
   screen for the user to reference.

Retrieve passphrase of private key
--------------------------------------------------------------------------------

The following steps show how to retrieve the passphrase that was used to encrypt
a private key (belonging to a server certificate or a client certificate).

#. Start pqCAlite.

   .. code-block:: bash
      :caption: console

      cd ~/pqCAlite
      ./pqCAlite.sh

#. If pqCAlite has been set up as described in the steps above, it will ask for
   the passphrase entered previously. Enter the correct passphrase to proceed.

   .. code-block:: text
      :caption: pqCAlite prompt for correct passphrase

      pqCAlite: INFO Found saved master key. Will use saved master key.
      pqCAlite: INFO Read protected master key from /home/pqcee/pqCAlite/source/.mkey
      pqCAlite: INFO Asking user for passphrase to decrypt master key...
      Enter passphrase to unlock master key:
      pqCAlite: INFO Received passphrase from user
      pqCAlite: INFO Decrypting protected master key...
      pqCAlite: INFO Successfully decrypted protected master key
      pqCAlite: INFO Master key loaded for current session
      pqCAlite: INFO DSA has been set for this CA directory.
      pqCAlite: INFO Read DSA selection from /home/pqcee/pqCAlite/source/.algo
      pqCAlite: INFO Using DSA selection "ML-DSA-87"
      pqCAlite: INFO Root CA public certificate found at /home/pqcee/pqCAlite/source/certs/CA.crt
      pqCAlite: INFO Root CA private key found at /home/pqcee/pqCAlite/source/private/CA.key
      pqCAlite: INFO Will use existing Root CA certificate and private key.
      pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT

#. Choose option 3 and enter the filename of the private key (without its
   extension) to retrieve its passphrase.

   .. code-block:: text
      :caption: pqCAlite prompt to retrieve passphrase of private key

      MAIN MENU
      Please select an option (1-3):
      1) Issue server certificate
      2) Issue client certificate
      3) Retrieve key passphrase
      4) Exit
      Enter your choice: 3
      Enter private key filename to retrieve its passphrase (e.g., 2603_pQCee_client_Test): 2603_ACME_client_ACME_Client
      pqCAlite: INFO Decrypting protected passphrase...
      pqCAlite: INFO Successfully decrypted protected passphrase
      ========================
      | Passphrase: +pk28zs3 |
      ========================
      pqCAlite: INFO User retrieved passphrase from /home/pqcee/pqCAlite/source/private/2603_ACME_client_ACME_Client.pass
      pqCAlite: INFO pqCAlite 1.0.1 exited successfully with code 0

#. pqCAlite has retrieved the passphrase and printed it to the screen for the
   user.
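The issuance and retrieval sessions above print the generated private-key passphrase in the clear, and they record every artifact filename and expiry date in ``pqCAlite: INFO`` lines. As an added example that is not part of pqCAlite, the following Python script turns a captured session into a certificate inventory (algorithm, key and certificate filenames, days until expiry) and masks the passphrase lines before the capture is stored or shared. The INFO line wording, the expiry date format (``Mar 18 15:01:55 2036 GMT``) and the ``YYMM_<org>_<server|client>_<CN>.<ext>`` filename convention are assumptions read off the sample sessions; ``SAMPLE_SESSION`` is constructed from those sample lines.

```python
"""Inventory and redaction helpers for captured pqCAlite session output.

Added example, not part of pqCAlite. It assumes only what the documented
sessions show: the "pqCAlite: INFO ..." line wording, the expiry format
"Mar 18 15:01:55 2036 GMT" and the YYMM_<org>_<server|client>_<CN>.<ext> names.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: lines taken from the documented sessions, in the order the
# tool prints them (root CA creation, a server issuance, a client issuance, and
# the boxed output of the "Retrieve key passphrase" option).
SAMPLE_SESSION = """\
pqCAlite: INFO Using DSA selection "ML-DSA-87"
pqCAlite: INFO Root CA public certificate saved to /home/pqcee/pqCAlite/source/certs/CA.crt
pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT
Passphrase for server certificate's private key: OYVzZdFs
pqCAlite: INFO Server private key filename: 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.key
pqCAlite: INFO Server public certificate filename: 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.crt
pqCAlite: INFO Server certificate expiry date: Mar 19 15:25:06 2031 GMT
Passphrase for client certificate's private key: +pk28zs3
pqCAlite: INFO Client private key filename: 2603_ACME_client_ACME_Client.key
pqCAlite: INFO Client public certificate filename: 2603_ACME_client_ACME_Client.crt
pqCAlite: INFO Client certificate expiry date: Jun 17 15:39:30 2026 GMT
| Passphrase: +pk28zs3 |
"""

EXPIRY_FMT = "%b %d %H:%M:%S %Y GMT"   # assumed from the sample expiry lines

# Leaf filename convention assumed from the samples. org and CN may contain
# underscores; an org containing "_server_" or "_client_" would be ambiguous.
FILENAME_RE = re.compile(
    r"^(?P<issued>\d{4})_(?P<org>.+?)_(?P<kind>server|client)_(?P<cn>.+)\.(?P<ext>key|crt|csr|pass)$"
)

LINE_RULES = [
    ("algo", re.compile(r'INFO Using DSA selection "(?P<value>[^"]+)"')),
    ("root", re.compile(r"INFO Root CA public certificate (?:saved to|found at) (?P<value>\S+)")),
    ("root_expiry", re.compile(r"INFO Root CA expiry date: (?P<value>.+)$")),
    ("leaf_key", re.compile(r"INFO (?P<kind>Server|Client) private key filename: (?P<value>\S+)")),
    ("leaf_cert", re.compile(r"INFO (?P<kind>Server|Client) public certificate filename: (?P<value>\S+)")),
    ("leaf_expiry", re.compile(r"INFO (?P<kind>Server|Client) certificate expiry date: (?P<value>.+)$")),
]

PASSPHRASE_PATTERNS = [
    # "Passphrase for server certificate's private key: OYVzZdFs"
    (re.compile(r"(Passphrase for (?:server|client) certificate's private key: )\S+"), r"\1<redacted>"),
    # boxed retrieve output: "| Passphrase: +pk28zs3 |"
    (re.compile(r"(\|\s*Passphrase: )\S+(\s*\|)"), r"\1<redacted>\2"),
]


@dataclass
class CertRecord:
    kind: str                           # "root", "server" or "client"
    stem: str                           # filename without extension, e.g. "CA"
    cert_file: Optional[str] = None
    key_file: Optional[str] = None
    expiry: Optional[datetime] = None
    algorithm: Optional[str] = None


def parse_expiry(text: str) -> datetime:
    """'Mar 18 15:01:55 2036 GMT' -> timezone-aware UTC datetime."""
    normalized = re.sub(r"\s+", " ", text.strip())
    return datetime.strptime(normalized, EXPIRY_FMT).replace(tzinfo=timezone.utc)


def parse_filename(name: str) -> Dict[str, str]:
    """Split a leaf filename into issued month (YYMM), org, kind, CN and extension."""
    m = FILENAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a pqCAlite leaf filename: {name}")
    return m.groupdict()


def parse_session(text: str) -> List[CertRecord]:
    """Build one record per certificate mentioned in the session output."""
    records: List[CertRecord] = []
    by_stem: Dict[str, CertRecord] = {}
    latest: Dict[str, CertRecord] = {}   # newest record per kind; expiry lines attach here
    algorithm: Optional[str] = None

    def record(kind: str, filename: str) -> CertRecord:
        stem = filename.rsplit("/", 1)[-1].rsplit(".", 1)[0]   # key and cert share a stem
        rec = by_stem.get(stem)
        if rec is None:
            rec = CertRecord(kind=kind, stem=stem, algorithm=algorithm)
            by_stem[stem] = rec
            records.append(rec)
        latest[kind] = rec
        return rec

    for line in text.splitlines():
        for name, rx in LINE_RULES:
            m = rx.search(line)
            if m is None:
                continue
            if name == "algo":
                algorithm = m["value"]
            elif name == "root":
                record("root", m["value"]).cert_file = m["value"].rsplit("/", 1)[-1]
            elif name == "root_expiry" and "root" in latest:
                latest["root"].expiry = parse_expiry(m["value"])
            elif name == "leaf_key":
                record(m["kind"].lower(), m["value"]).key_file = m["value"]
            elif name == "leaf_cert":
                record(m["kind"].lower(), m["value"]).cert_file = m["value"]
            elif name == "leaf_expiry" and m["kind"].lower() in latest:
                latest[m["kind"].lower()].expiry = parse_expiry(m["value"])
            break
    return records


def days_remaining(rec: CertRecord, now: datetime) -> Optional[int]:
    return None if rec.expiry is None else (rec.expiry - now).days


def expiring_within(records: List[CertRecord], now: datetime, days: int) -> List[str]:
    """Stems of certificates expiring within `days` of `now` (already expired included)."""
    return [r.stem for r in records if r.expiry is not None and days_remaining(r, now) <= days]


def redact_passphrases(text: str) -> str:
    """Mask generated passphrases (assumed whitespace-free, as in the samples)."""
    for rx, replacement in PASSPHRASE_PATTERNS:
        text = rx.sub(replacement, text)
    return text


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for rec in parse_session(SAMPLE_SESSION):
        print(f"{rec.kind:6} {rec.stem:42} {rec.algorithm} expires in {days_remaining(rec, now)} days")
    print(redact_passphrases(SAMPLE_SESSION))
```

Run it against a real capture by replacing ``SAMPLE_SESSION`` with the saved terminal output; ``expiring_within`` gives a renewal list for a chosen window, and ``redact_passphrases`` should be applied before the capture is stored anywhere that is not protected as strictly as the ``source/private`` directory itself.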