| title | description |
|---|---|
| Learning Path | Post-Quantum PKI Lab - Hands-on learning for PQC migration |
Post-Quantum PKI Lab
QLAB is an educational resource to help teams understand PKI and Post-Quantum Cryptography (PQC) migration through hands-on practice.
"The PKI is the tool for transition — post-quantum is an engineering problem, not magic."
What you'll learn:
- Understand the quantum threats to current cryptography (SNDL, TNFL)
- Assess your PQC migration urgency using Mosca's theorem
- Issue classical and post-quantum certificates with the same workflow
- Build complete PQC hierarchies (Root CA → Issuing CA → End-Entity)
- Deploy hybrid certificates for backward-compatible migration
- Manage full lifecycle: revocation, OCSP, CRL
- Sign code, timestamp documents, and create LTV signatures
- Encrypt with ML-KEM key encapsulation (the new pattern)
- Practice crypto-agile CA migration
QLAB uses Qpki for all PKI operations.
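The urgency assessment named in the list above (Mosca's theorem: data is exposed when X, the years it must stay secret, plus Y, the years the migration takes, exceeds Z, the years until a cryptographically relevant quantum computer exists) can be run over an asset inventory. The following is an added example, not part of QLAB or Qpki; the asset names, shelf lives, migration estimates and the 10-year horizon are constructed sample figures, not estimates from the page.

```python
"""Mosca's theorem applied as a PQC migration-urgency assessment.

Added example (not QLAB or Qpki code). Mosca's inequality:
    X (years data must stay secret) + Y (years the migration takes)
      > Z (years until a cryptographically relevant quantum computer)
means the data is exposed. The "store now, decrypt later" (SNDL) angle is
that traffic captured today is exposed for the whole overrun, so a negative
deadline means recording has already begun on data that will still matter.
All figures below are constructed sample inputs, not real estimates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    shelf_life_years: float  # X: how long confidentiality must hold
    migration_years: float   # Y: time to move the protecting system to PQC


def exposure_years(asset: Asset, quantum_horizon_years: float) -> float:
    """Overrun of Mosca's inequality: max(0, X + Y - Z)."""
    return max(0.0, asset.shelf_life_years + asset.migration_years
               - quantum_horizon_years)


def migration_deadline_years(asset: Asset, quantum_horizon_years: float) -> float:
    """Latest migration completion, in years from now: Z - X.
    Negative means data recorded today already outlives the horizon (SNDL)."""
    return quantum_horizon_years - asset.shelf_life_years


def assess(assets, quantum_horizon_years: float) -> dict:
    """Classify each asset as 'ok' (inequality holds), 'urgent' (deadline is
    still ahead but the planned Y misses it) or 'already-exposed' (deadline
    is already in the past)."""
    report = {}
    for a in assets:
        overrun = exposure_years(a, quantum_horizon_years)
        deadline = migration_deadline_years(a, quantum_horizon_years)
        if overrun == 0:
            status = "ok"
        elif deadline < 0:
            status = "already-exposed"
        else:
            status = "urgent"
        report[a.name] = {
            "status": status,
            "exposure_years": overrun,
            "deadline_years": deadline,
        }
    return report


# Constructed sample inventory (illustrative numbers only).
SAMPLE_ASSETS = [
    Asset("tls-session-tokens", shelf_life_years=0.1, migration_years=2),
    Asset("signed-contracts", shelf_life_years=8, migration_years=4),
    Asset("patient-records", shelf_life_years=25, migration_years=5),
]
SAMPLE_HORIZON_YEARS = 10  # Z: an assumed planning figure, not a prediction


if __name__ == "__main__":
    for name, r in assess(SAMPLE_ASSETS, SAMPLE_HORIZON_YEARS).items():
        print(f"{name:20} {r['status']:16} exposure={r['exposure_years']:5.1f}y  "
              f"deadline={r['deadline_years']:+6.1f}y")
```

The deadline column is the figure to plan against: an asset whose deadline is already negative cannot be protected by migrating faster, only by accepting that anything recorded before the migration is exposed, which is why Lab 0's "your data is already being recorded" comes before any of the build labs.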
Prerequisites:
- Git — for cloning the repository
- Bash — for running demos (Git Bash or WSL on Windows)
- OpenSSL 3.x — optional, for cross-verification commands
```bash
git clone https://github.com/remiblancher/qlab.git
cd qlab
./tooling/install.sh
```

```powershell
# 1. Install QPKI (PowerShell)
git clone https://github.com/remiblancher/qlab.git
cd qlab
.\tooling\install.ps1

# 2. Run demos (requires Git Bash or WSL)
./journey/00-revelation/demo.sh
```

Note: The install script works in PowerShell, but the demos require Git Bash or WSL.

```bash
./journey/00-revelation/demo.sh
```

Total time: ~2h | Quick path: 20 min (Revelation + Quick Start)
```
┌───────────────────────────────────────────────────────────────────────┐
│       AWARENESS                BUILD                LIFECYCLE         │
│   ┌──────┐  ┌──────┐     ┌──────┐  ┌──────┐     ┌──────┐  ┌──────┐    │
│   │Lab-00│→ │Lab-01│  →  │Lab-02│→ │Lab-03│  →  │Lab-04│→ │Lab-05│    │
│   │Why?  │  │How?  │     │Chain │  │Hybrid│     │CRL   │  │OCSP  │    │
│   └──────┘  └──────┘     └──────┘  └──────┘     └──────┘  └──────┘    │
│                                                              ↓        │
│       MIGRATION             ENCRYPTION         LONG-TERM SIGS         │
│       ┌──────┐               ┌──────┐      ┌──────┬──────┬──────┐     │
│       │Lab-10│       ←       │Lab-09│  ←   │Lab-06│Lab-07│Lab-08│     │
│       │Agile │               │KEM   │      │Sign  │Time  │LTV   │     │
│       └──────┘               └──────┘      └──────┴──────┴──────┘     │
└───────────────────────────────────────────────────────────────────────┘
```
| # | Lab | Time | Takeaway |
|---|---|---|---|
| 0 | The Quantum Threat | 10 min | Your data is already being recorded |
| 1 | Classical vs Post-Quantum | 10 min | Same workflow, just different algorithms |
↓ Let's build!
| # | Lab | Time | Takeaway |
|---|---|---|---|
| 2 | Full PQC Chain | 10 min | Build a 100% PQC chain |
| 3 | Hybrid | 10 min | Or hybrid to coexist with legacy |
↓ PKI operations stay identical
| # | Lab | Time | Takeaway |
|---|---|---|---|
| 4 | Revocation | 10 min | Revoke = same command |
| 5 | OCSP | 10 min | Verify = same protocol |
↓ Sign, timestamp, archive for decades
| # | Lab | Time | Takeaway |
|---|---|---|---|
| 6 | Code Signing | 10 min | Signatures that outlive the threat |
| 7 | Timestamping | 15 min | Prove WHEN, forever |
| 8 | LTV | 15 min | Bundle proofs for offline verification |
↓ Except for encryption...
| # | Lab | Time | Takeaway |
|---|---|---|---|
| 9 | Encryption | 15 min | KEM keys require a new pattern: attestation |
↓ And for production migration?
| # | Lab | Time | Takeaway |
|---|---|---|---|
| 10 | Crypto-Agility | 15 min | CA versioning + trust bundles |
- ML-DSA (FIPS 204) — Lattice-based signatures → replaces ECDSA
- SLH-DSA (FIPS 205) — Hash-based signatures (conservative)
- ML-KEM (FIPS 203) — Key encapsulation → replaces ECDH
- Catalyst certificates (ITU-T X.509 9.8)
- Composite certificates (supported, no lab demo)
See Qpki for the full list of supported algorithms.
- Qpki — The PKI toolkit used by QLAB
- Glossary — PQC and PKI terminology
- Troubleshooting — Common issues and solutions
- NIST Post-Quantum Cryptography
- FIPS 203 (ML-KEM)
- FIPS 204 (ML-DSA)
- ITU-T X.509 (Hybrid Certificates)
Apache License 2.0 — See LICENSE