
Quantum-Safe PKI Project Documentation

1. Introduction

This document provides comprehensive documentation for the Quantum-Safe Public Key Infrastructure (PKI) project. The project implements a set of Go-based microservices demonstrating a modern, extensible PKI capable of handling post-quantum cryptography (PQC) alongside traditional algorithms. It includes an ACMEv2-compliant server, a Certificate Authority (CA), a signing service, a transparency log, a device provisioning service, and a command-line interface (CLI).

2. Project Overview

The goal of this project is to showcase the integration of PQC algorithms, specifically EdDilithium2 for digital signatures and hybrid KEMs (X25519+MLKEM768) for TLS key exchange, into a functional PKI and certificate management ecosystem.

Key Features:

  • Hybrid Cryptography: Utilizes both classical (ECDSA P-256) and PQC (EdDilithium2) algorithms.
  • ACME v2 Compliance: The acme-server implements the ACME protocol for automated certificate management.
  • PQC Signatures:
    • The ca-service issues certificates signed with EdDilithium2.
    • The acme-server supports account key binding and request signing using EdDilithium2 JWS.
    • The signing-service provides hybrid ECDSA+PQC signatures.
  • PQ Hybrid KEM: TLS endpoints (ACME, CA, Signing Service) prefer X25519+MLKEM768 hybrid key exchange.
  • Certificate Revocation: Implements CRL distribution and OCSP checking. Client certificate verification includes CRL checks.
  • Transparency Log: Records issued certificates for auditability (transparency-log-service).
  • Modular Architecture: Services are designed as independent microservices.
  • Supply Chain Security: CI pipeline generates SBOMs and SLSA provenance attestations.

3. Architecture

The project consists of the following microservices:

CA Service

  • Issues X.509 certificates.
  • Signs issued certificates using an EdDilithium2 private key.
  • Provides endpoints for signing CSRs (/sign), CRL distribution (/crl), and OCSP (/ocsp).
  • Uses an ECDSA P-256 key for its own root CA certificate and TLS identity.
  • Supports mTLS for client authentication and performs CRL checks on client certs.
  • Supports key storage via filesystem (fs) or PKCS#11 (pkcs11).

Interactions:

  • acme-server calls ca-service /sign endpoint to get certificates for ACME clients.
  • acme-server calls ca-service /revoke-cert endpoint.
  • acme-server (optionally) calls ca-service /crl endpoint for client certificate validation.
  • device-service calls ca-service /sign endpoint.
  • cli calls signing-service /v1/signatures endpoint.
  • TLS clients connecting to services may undergo mTLS verification including CRL checks against the ca-service CRL.
  • Services fetch OCSP staples for their own certificates from the ca-service /ocsp endpoint.
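The CRL check that mTLS verification applies to client certificates, sketched with the Go standard library as an added example; this is not the project's own code. The names checkCRL and fixture are hypothetical, the CA and CRL are constructed test data, and an ECDSA P-256 key is assumed to sign the CRL. A server would call checkCRL from tls.Config.VerifyPeerCertificate with the serial number of the verified leaf certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkCRL fails closed: crl must verify under ca, be current at now, and not list serial.
func checkCRL(crl *x509.RevocationList, ca *x509.Certificate, serial *big.Int, now time.Time) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL not current at %s, rejecting client", now.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("client certificate serial %s is revoked", serial)
		}
	}
	return nil
}

// fixture returns constructed test data: a throwaway ECDSA P-256 CA and a CRL,
// signed by that CA, that revokes serial 2. Errors are ignored for brevity.
func fixture(now time.Time) (ca *x509.Certificate, crl *x509.RevocationList) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := &x509.Certificate{SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24*time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, root, root, &key.PublicKey, key)
	ca, _ = x509.ParseCertificate(caDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(2), RevocationTime: now}}}, ca, key)
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, crl
}

func main() {
	ca, crl := fixture(time.Now())
	fmt.Println(checkCRL(crl, ca, big.NewInt(1), time.Now()), checkCRL(crl, ca, big.NewInt(2), time.Now()))
}
```

A CRL past its NextUpdate or signed by a different CA is rejected rather than ignored, so a stale or substituted list cannot silently re-admit a revoked client.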
