Keygen
Status: dev — commands are provided for reference; verify against your OpenSSL version before use.
PQC Key Generation
Generate keys using FIPS 203/204/205 algorithms. Algorithms marked with ★ meet CNSA 2.0 requirements for National Security Systems (maximum security levels only).
OpenSSL Commands
CNSA 2.0 Algorithm Reference
NSA Commercial National Security Algorithm Suite 2.0 — Software/browsers by 2025, networking by 2030, exclusive use by 2033 (CNSA 2.0); NSM-10 broader 2035 goal.
FIPS 203
Key Encapsulation (KEMs)
Key exchange, TLS, encryption
- ★ ML-KEM-1024 — CNSA 2.0 required
- ML-KEM-768 — Level 3, recommended default
- ML-KEM-512 — Not approved for NSS
FIPS 204
Digital Signatures (ML-DSA)
Certificates, code signing, auth
- ★ ML-DSA-87 — CNSA 2.0 required
- ML-DSA-65 — Level 3, recommended default
- ML-DSA-44 — Not approved for NSS
FIPS 205
Hash-based Signatures (SLH-DSA)
Root CAs, firmware, long-term
- SLH-DSA-*-256s — Level 5 (not CNSA 2.0)
- -s variants — Smaller signatures, slower signing
- -f variants — Faster signing, larger signatures
Note: These commands require OpenSSL 3.5+ with native PQC support.
Check your version:
openssl version