Public key infrastructure and digital certificates have long served as the backbone of online trust. But with the rise of quantum computing, organizations face unprecedented pressure to rethink how they issue, manage and transition certificates to protect against future threats.
With hybrid certificates proffered as the solution to combat modern threats, how can companies distinguish between pure and hybrid certificates? And how do they go about maintaining trust as quantum takes hold?
“Typically when we think of a pure certificate, it’s something that has a single signature element within it,” said Jim Goodman (pictured, right), co-founder and chief technology officer of Crypto4A Technologies Inc. “And that signature might actually consist of multiple signatures and notion of a composite signature, or it might be something just a single algorithm. So, you might just have an ML-DSA signature within that certificate.”
Goodman and Taher Elgamal (center), cryptographer and the “Father of SSL,” spoke with Tim Hollebeek (left), vice president of industry standards at DigiCert Inc., for the DigiCert World Quantum Readiness Day event, during an encore broadcast on theCUBE, News Media’s livestreaming studio. They unpacked the technical, operational and strategic dimensions of the transformation in digital certificates. (* Disclosure below.)
Hybrid digital certificates serve a new crop of use cases
Pure certificates rely on a single algorithm or composite signature, requiring verifiers to recognize and process the chosen cryptography. Hybrid certificates, by contrast, embed multiple signatures in a way that legacy systems can still parse and validate. The business implications are that hybrid certificates can give customers flexibility and resilience by supporting both classical and post-quantum algorithms simultaneously, according to Elgamal. This duality ensures interoperability during the transition but also complicates deployment models.
“If the business is a service provider, they actually do have to accommodate probably all of them,” Elgamal said. “Whatever gets standardized, they probably do need to accommodate many things because that’s how the world is. If they’re implementing things for internal purposes, then the migration from the existing algorithms to the PQC becomes the main thing. But if you’re a service provider, you’re going to maintain the two for a long time to come because you have to support your customers regardless of what they do.”
Of course, not all PKI environments are created equal. Internal deployments, such as code signing or firmware validation, can move quickly to pure post-quantum certificates since the ecosystem is controlled. External use cases, such as transport layer security, however, must prioritize compatibility, Elgamal added.
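The compatibility trade-off described above (hybrid certificates that legacy systems can still validate, versus pure post-quantum certificates for controlled ecosystems) can be sketched as verifier logic. This is an added example, not code from DigiCert, Crypto4A or the speakers; HMAC stands in for real signatures, and the algorithm labels, the composite naming and the simplified model of the X.509 altSignatureAlgorithm/altSignatureValue extensions are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-in keys: HMAC plays the role of a signature so this runs
# offline. It models verifier logic only and is not a signature scheme.
KEYS = {"ecdsa-p256": b"demo-classical", "ml-dsa-65": b"demo-pq"}
PQ = "ml-dsa-65"
LEGACY = {"ecdsa-p256"}            # verifier that predates PQC
UPGRADED = {"ecdsa-p256", PQ}      # verifier that also knows ML-DSA

def sign(alg, data):
    return hmac.new(KEYS[alg], data, hashlib.sha256).digest()

def issue(kind, subject):
    tbs, ext = subject.encode(), {}
    if kind == "composite":        # one signature field, two component signatures
        alg = "composite(ml-dsa-65+ecdsa-p256)"   # hypothetical label
        sigs = [sign(PQ, tbs), sign("ecdsa-p256", tbs)]
        return {"tbs": tbs, "alg": alg, "sig": sigs, "ext": ext}
    if kind == "hybrid":           # PQ signature rides in a non-critical extension
        ext = {"altSignatureAlgorithm": PQ, "altSignatureValue": sign(PQ, tbs)}
    alg = PQ if kind == "pure-pq" else "ecdsa-p256"
    covered = tbs + ext.get("altSignatureValue", b"")  # primary covers the extension
    return {"tbs": tbs, "alg": alg, "sig": sign(alg, covered), "ext": ext}

def verify(cert, supported, require_pq=False):
    alg, tbs = cert["alg"], cert["tbs"]
    alt = cert["ext"].get("altSignatureValue", b"")
    if alg.startswith("composite("):
        parts = alg[len("composite("):-1].split("+")
        if not set(parts) <= supported:     # unknown algorithm id: reject outright
            return False
        return all(hmac.compare_digest(sign(p, tbs), s)
                   for p, s in zip(parts, cert["sig"]))
    if alg not in supported or not hmac.compare_digest(sign(alg, tbs + alt), cert["sig"]):
        return False
    pq_ok = alg == PQ
    if alt and PQ in supported:             # legacy verifiers skip this branch
        if not hmac.compare_digest(sign(PQ, tbs), alt):
            return False
        pq_ok = True
    return pq_ok or not require_pq

def matrix():
    """Map kind -> (legacy verifier accepts, upgraded PQ-requiring verifier accepts)."""
    out = {}
    for kind in ("pure-classical", "pure-pq", "composite", "hybrid"):
        cert = issue(kind, "CN=example.test")
        out[kind] = (verify(cert, LEGACY), verify(cert, UPGRADED, require_pq=True))
    return out
```

Only the hybrid form is accepted by both verifiers, which is why it suits external use cases during the transition. An upgraded verifier should set require_pq once its ecosystem allows, otherwise a certificate carrying only a classical signature is still accepted.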
Enterprises are weighing whether to run parallel PKIs — one classical, one post-quantum — or adopt hybrid structures that bridge both. Heterogeneous chains, with conservative roots and more experimental algorithms at lower levels, are becoming common design considerations. The tough part, however, isn’t the cryptography itself, but managing the transition without breaking trust, according to Hollebeek.
“I think if we could convince everybody that, hey, next year we’re just going to shut down the internet for a year and fix everything and upgrade it — that would be pretty easy because the end state and the starting state are pretty simple,” he said. “But, of course, people aren’t going to really tolerate us shutting down the internet for a year. So, we have to have this operating correctly with both algorithms in the middle while the transition happens. I think that’s actually going to be the biggest challenge for organizations.”
Stay tuned for the complete video interview, part of News’s and theCUBE’s coverage of the DigiCert World Quantum Readiness Day event.
(* Disclosure: TheCUBE is a paid media partner for the DigiCert World Quantum Readiness Day event. Neither DigiCert Inc., the sponsor of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or News.)