5. pqCAlite to Issue Certs
5.1. Overview
pQCee's pqCAlite is a post-quantum lightweight Certificate Authority (CA) tool. It is a stand-alone tool that can be installed by copying it into a Linux directory and run immediately to set up the Root CA certificate and private key.
pqCAlite can issue certificates that are compatible with existing IT infrastructure, and it can also issue quantum-safe certificates that use digital signature algorithms at NIST PQC Security Level 5.
pqCAlite supports three digital signature algorithms:
ECDSA P-384
ML-DSA-87
SLH-DSA-SHA2-256s
All private keys generated by pqCAlite are encrypted.
5.2. Setup Root CA
The following steps show how to set up pqCAlite on a new system.
Create a new directory in Linux and copy pqCAlite files into it.
cd ~
mkdir pqCAlite
Run pqCAlite to begin setup.
cd ~/pqCAlite
./pqCAlite.sh
pqCAlite will generate a new 256-bit master key and ask for a new passphrase to encrypt the master key. Enter the same passphrase twice to proceed.
pqCAlite: INFO No master key found. Will create a new master key...
pqCAlite: INFO New 256-bit key generated
pqCAlite: INFO Asking user for a new passphrase to protect master key...
Enter new passphrase to protect master key:
Confirm passphrase:
pqCAlite: INFO Received new passphrase from user
pqCAlite: INFO Encrypting new master key...
pqCAlite: INFO Successfully encrypted new master key
pqCAlite: INFO Encrypted master key saved in /home/pqcee/pqCAlite/source/.mkey
pqCAlite: INFO Master key loaded for current session
pqCAlite will ask you to select the digital signature algorithm used for all certificates issued by this lightweight CA. Choose one option to proceed.
pqCAlite: INFO DSA has not been set.
Please select an option (1-3):
1) ECDSA P-384
2) ML-DSA-87
3) SLH-DSA-SHA2-256s
Enter your choice: 2
pqCAlite: INFO Using DSA selection "ML-DSA-87"
pqCAlite: INFO DSA selection saved to /home/pqcee/pqCAlite/source/.algo
pqCAlite will ask for information to generate the Root CA certificate and private key. Answer the prompts accordingly to proceed.
pqCAlite: INFO No Root CA found. Will create a new Root CA.
pqCAlite: INFO Asking user to fill in Distinguished Name details for Root CA certificate...
Enter organisation name (e.g., pQCee): pQCee Pte Ltd
Enter a 2-letter country code (e.g., SG): SG
Enter state (e.g., Singapore): Singapore
Enter locality (e.g., Singapore): Singapore
Enter common name (e.g., QKDLite Root CA): QKDLite Root CA
Choose time unit for cert expiry (1 - Years, 2 - Days) :1
Enter expiry in years (e.g., 10): 10
pqCAlite: INFO Certificate expiry set to 3659 days
pqCAlite: INFO Using DSA selection "ML-DSA-87"
pqCAlite: INFO Root CA private key saved to /home/pqcee/pqCAlite/source/private/CA.key
pqCAlite: INFO Root CA public certificate saved to /home/pqcee/pqCAlite/source/certs/CA.crt
pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT
pqCAlite has completed initial setup and created a Root CA certificate and private key in this directory. In the main menu, you may choose to perform other actions or exit.
MAIN MENU
Please select an option (1-3):
1) Issue server certificate
2) Issue client certificate
3) Retrieve key passphrase
4) Exit
Enter your choice: 4
pqCAlite: INFO pqCAlite 1.0.1 exited successfully with code 0
5.3. Issue server certificate
The following steps show you how to issue a server certificate signed by the Root CA.
Start pqCAlite.
cd ~/pqCAlite
./pqCAlite.sh
If pqCAlite has been set up as described in the steps above, it will ask for the passphrase entered previously. Enter the correct passphrase to proceed.
pqCAlite: INFO Found saved master key. Will use saved master key.
pqCAlite: INFO Read protected master key from /home/pqcee/pqCAlite/source/.mkey
pqCAlite: INFO Asking user for passphrase to decrypt master key...
Enter passphrase to unlock master key:
pqCAlite: INFO Received passphrase from user
pqCAlite: INFO Decrypting protected master key...
pqCAlite: INFO Successfully decrypted protected master key
pqCAlite: INFO Master key loaded for current session
pqCAlite: INFO DSA has been set for this CA directory.
pqCAlite: INFO Read DSA selection from /home/pqcee/pqCAlite/source/.algo
pqCAlite: INFO Using DSA selection "ML-DSA-87"
pqCAlite: INFO Root CA public certificate found at /home/pqcee/pqCAlite/source/certs/CA.crt
pqCAlite: INFO Root CA private key found at /home/pqcee/pqCAlite/source/private/CA.key
pqCAlite: INFO Will use existing Root CA certificate and private key.
pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT
Choose option 1 and answer the prompts accordingly to issue a server certificate.
MAIN MENU
Please select an option (1-3):
1) Issue server certificate
2) Issue client certificate
3) Retrieve key passphrase
4) Exit
Enter your choice: 1
pqCAlite: INFO User request to issue new server certificate.
pqCAlite: INFO Asking user to fill in Distinguished Name details for server certificate...
Enter organisation name (e.g., pQCee): pQCee Pte Ltd
Enter a 2-letter country code (e.g., SG): SG
Enter state (e.g., Singapore): Singapore
Enter locality (e.g., Singapore): Singapore
Enter common name (e.g., QKDLite Root CA): QKDLite Alice
Choose time unit for cert expiry (1 - Years, 2 - Days) :1
Enter expiry in years (e.g., 10): 5
pqCAlite: INFO Certificate expiry set to 1833 days
pqCAlite: INFO Asking user to fill in FQDN details for server certificate...
Enter server's domain name (e.g., www.pQCee.com): alice.qkdlite.com
pqCAlite: INFO Using DSA selection "ML-DSA-87"
pqCAlite: INFO New 8-character passphrase generated
Passphrase for server certificate's private key: OYVzZdFs
pqCAlite: INFO Encrypting new 8-character passphrase...
pqCAlite: INFO Successfully encrypted new 8-character passphrase
pqCAlite: INFO Encrypted passphrase saved in /home/pqcee/pqCAlite/source/private/2603_pQCee_Pte_Ltd_server_QKDLite_Alice.pass
pqCAlite: INFO Server private key saved to /home/pqcee/pqCAlite/source/private
pqCAlite: INFO Server private key filename: 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.key
pqCAlite: INFO Server private key passphrase saved to /home/pqcee/pqCAlite/source/private
pqCAlite: INFO Server private key passphrase filename: 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.pass
pqCAlite: INFO Server CSR saved to /home/pqcee/pqCAlite/source/csr
pqCAlite: INFO Server CSR filename 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.csr
pqCAlite: INFO Server public certificate saved to /home/pqcee/pqCAlite/source/certs
pqCAlite: INFO Server public certificate filename: 2603_pQCee_Pte_Ltd_server_QKDLite_Alice.crt
pqCAlite: INFO Server certificate expiry date: Mar 19 15:25:06 2031 GMT
pqCAlite: INFO pqCAlite 1.0.1 exited successfully with code 0
pqCAlite has issued a server certificate and generated a random passphrase to encrypt the associated private key. The random passphrase is shown on screen for the user to reference; it can be retrieved again later with the "Retrieve key passphrase" menu option.
5.4. Issue client certificate
The following steps show you how to issue a client certificate signed by the Root CA.
Start pqCAlite.
cd ~/pqCAlite
./pqCAlite.sh
If pqCAlite has been set up as described in the steps above, it will ask for the passphrase entered previously. Enter the correct passphrase to proceed.
pqCAlite: INFO Found saved master key. Will use saved master key.
pqCAlite: INFO Read protected master key from /home/pqcee/pqCAlite/source/.mkey
pqCAlite: INFO Asking user for passphrase to decrypt master key...
Enter passphrase to unlock master key:
pqCAlite: INFO Received passphrase from user
pqCAlite: INFO Decrypting protected master key...
pqCAlite: INFO Successfully decrypted protected master key
pqCAlite: INFO Master key loaded for current session
pqCAlite: INFO DSA has been set for this CA directory.
pqCAlite: INFO Read DSA selection from /home/pqcee/pqCAlite/source/.algo
pqCAlite: INFO Using DSA selection "ML-DSA-87"
pqCAlite: INFO Root CA public certificate found at /home/pqcee/pqCAlite/source/certs/CA.crt
pqCAlite: INFO Root CA private key found at /home/pqcee/pqCAlite/source/private/CA.key
pqCAlite: INFO Will use existing Root CA certificate and private key.
pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT
Choose option 2 and answer the prompts accordingly to issue a client certificate.
MAIN MENU
Please select an option (1-3):
1) Issue server certificate
2) Issue client certificate
3) Retrieve key passphrase
4) Exit
Enter your choice: 2
pqCAlite: INFO User request to issue new client certificate.
pqCAlite: INFO Asking user to fill in Distinguished Name details for client certificate...
Enter organisation name (e.g., pQCee): ACME
Enter a 2-letter country code (e.g., SG): SG
Enter state (e.g., Singapore): Singapore
Enter locality (e.g., Singapore): Singapore
Enter common name (e.g., QKDLite Root CA): ACME Client
Choose time unit for cert expiry (1 - Years, 2 - Days) :2
Enter expiry in days (e.g., 90): 90
pqCAlite: INFO Certificate expiry set to 97 days
pqCAlite: INFO Using DSA selection "ML-DSA-87"
pqCAlite: INFO New 8-character passphrase generated
Passphrase for client certificate's private key: +pk28zs3
pqCAlite: INFO Encrypting new 8-character passphrase...
pqCAlite: INFO Successfully encrypted new 8-character passphrase
pqCAlite: INFO Encrypted passphrase saved in /home/pqcee/pqCAlite/source/private/2603_ACME_client_ACME_Client.pass
pqCAlite: INFO Client private key saved to /home/pqcee/pqCAlite/source/private
pqCAlite: INFO Client private key filename: 2603_ACME_client_ACME_Client.key
pqCAlite: INFO Client private key passphrase saved to /home/pqcee/pqCAlite/source/private
pqCAlite: INFO Client private key passphrase filename: 2603_ACME_client_ACME_Client.pass
pqCAlite: INFO Client CSR saved to /home/pqcee/pqCAlite/source/csr
pqCAlite: INFO Client CSR filename 2603_ACME_client_ACME_Client.csr
pqCAlite: INFO Client public certificate saved to /home/pqcee/pqCAlite/source/certs
pqCAlite: INFO Client public certificate filename: 2603_ACME_client_ACME_Client.crt
pqCAlite: INFO Client certificate expiry date: Jun 17 15:39:30 2026 GMT
pqCAlite: INFO pqCAlite 1.0.1 exited successfully with code 0
pqCAlite has issued a client certificate and generated a random passphrase to encrypt the associated private key. The random passphrase is shown on screen for the user to reference.
5.5. Retrieve passphrase of private key
The following steps show how to retrieve the passphrase that was used to encrypt the private key belonging to a server certificate or client certificate.
Start pqCAlite.
cd ~/pqCAlite
./pqCAlite.sh
If pqCAlite has been set up as described in the steps above, it will ask for the passphrase entered previously. Enter the correct passphrase to proceed.
pqCAlite: INFO Found saved master key. Will use saved master key.
pqCAlite: INFO Read protected master key from /home/pqcee/pqCAlite/source/.mkey
pqCAlite: INFO Asking user for passphrase to decrypt master key...
Enter passphrase to unlock master key:
pqCAlite: INFO Received passphrase from user
pqCAlite: INFO Decrypting protected master key...
pqCAlite: INFO Successfully decrypted protected master key
pqCAlite: INFO Master key loaded for current session
pqCAlite: INFO DSA has been set for this CA directory.
pqCAlite: INFO Read DSA selection from /home/pqcee/pqCAlite/source/.algo
pqCAlite: INFO Using DSA selection "ML-DSA-87"
pqCAlite: INFO Root CA public certificate found at /home/pqcee/pqCAlite/source/certs/CA.crt
pqCAlite: INFO Root CA private key found at /home/pqcee/pqCAlite/source/private/CA.key
pqCAlite: INFO Will use existing Root CA certificate and private key.
pqCAlite: INFO Root CA expiry date: Mar 18 15:01:55 2036 GMT
Choose option 3 and enter the filename stem of the private key (the filename without its .key extension) to retrieve its passphrase.
MAIN MENU
Please select an option (1-3):
1) Issue server certificate
2) Issue client certificate
3) Retrieve key passphrase
4) Exit
Enter your choice: 3
Enter private key filename to retrieve its passphrase (e.g., 2603_pQCee_client_Test): 2603_ACME_client_ACME_Client
pqCAlite: INFO Decrypting protected passphrase...
pqCAlite: INFO Successfully decrypted protected passphrase
========================
| Passphrase: +pk28zs3 |
========================
pqCAlite: INFO User retrieved passphrase from /home/pqcee/pqCAlite/source/private/2603_ACME_client_ACME_Client.pass
pqCAlite: INFO pqCAlite 1.0.1 exited successfully with code 0
pqCAlite has decrypted the stored passphrase and printed it on screen for the user. Because the passphrase is recoverable only with the master key, the master-key passphrase entered at startup is what protects every issued private key in this directory.
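After a certificate has been issued (sections 5.3 and 5.4) and its passphrase retrieved (section 5.5), a practitioner will want to confirm that the files on disk are consistent before deploying them. The script below is an added example and not part of pqCAlite; it assumes the certs/ and private/ layout and the filename-stem convention shown in the output above (e.g. 2603_ACME_client_ACME_Client), an OpenSSL command-line tool on PATH (3.5 or later is needed to parse ML-DSA-87 and SLH-DSA-SHA2-256s certificates; any recent version handles ECDSA P-384), and the function name check_issued_cert is the author's choice.

```shell
#!/bin/sh
# check_issued_cert <ca_dir> <name> <passphrase>
#   <ca_dir>     the pqCAlite directory holding certs/ and private/ (e.g. ~/pqCAlite/source)
#   <name>       filename stem of the issued certificate, e.g. 2603_ACME_client_ACME_Client
#   <passphrase> the value shown by menu option 3 "Retrieve key passphrase"
# Returns 0 when every check passes; 1, 2 or 3 identify the failing check.
check_issued_cert() {
    ca_dir=$1; name=$2; pass=$3
    ca="$ca_dir/certs/CA.crt"
    crt="$ca_dir/certs/$name.crt"
    key="$ca_dir/private/$name.key"

    # 1. The certificate must chain to this directory's Root CA and be inside its validity period.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $name does not verify against $ca"; return 1; }

    # 2. The retrieved passphrase must actually unlock the encrypted private key.
    openssl pkey -in "$key" -passin "pass:$pass" -noout >/dev/null 2>&1 \
        || { echo "FAIL: passphrase does not unlock $key"; return 2; }

    # 3. The private key must belong to the certificate: compare the public keys they carry.
    pub_cert=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    pub_key=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ] \
        || { echo "FAIL: $key does not match the public key in $crt"; return 3; }

    # 4. Report the signature algorithm and expiry so they can be compared with the CA's
    #    DSA selection (ECDSA P-384, ML-DSA-87 or SLH-DSA-SHA2-256s) and the requested lifetime.
    sigalg=$(openssl x509 -in "$crt" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    expiry=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
    echo "OK: $name signed with $sigalg, expires $expiry"
    return 0
}

# Stand-alone usage: ./check_issued_cert.sh ~/pqCAlite/source 2603_ACME_client_ACME_Client '+pk28zs3'
if [ $# -eq 3 ]; then
    check_issued_cert "$@"
fi
```

Quote the passphrase on the command line, since pqCAlite's generated passphrases can contain characters such as "+" that a shell may otherwise interpret.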