Quantum Nexum PKI
Post-quantum certificate authority using ML-DSA (FIPS 204). Click any CA to view details and downloads.
Architecture
Complete 3-tier hierarchy: 1 Root CA + 7 Policy CAs + 14 Issuing CAs = 22 CAs
DN Format: cn=...,ou=PQC,o=Quantum Nexum,dc=quantumnexum,dc=com
Generated: December 2025 | Root Algorithm: ML-DSA-87 | Policy/Issuing: ML-DSA-65
Archived: This PKI version is preserved for reference. CRLs are no longer being updated.
DN Format: C=US, ST=Texas, L=Sherman, O=Quantum Nexum, OU=PQC, CN=...
Generated: December 2025 | Root Algorithm: ML-DSA-87 | Policy/Issuing: ML-DSA-65
v1 certificates available at pki.quantumnexum.com/v1/aia/ · CRLs at pki.quantumnexum.com/v1/crl/
These CRLs are archived and no longer being refreshed.
Repositories
- pki.quantumnexum.com/crl/ — Certificate Revocation Lists
- pki.quantumnexum.com/aia/ — CA Certificates (AIA)
- ocsp.quantumnexum.com — OCSP Responder (coming soon)
Policy Documents
- Certificate Policy / Certification Practice Statement (CP/CPS) (January 2026)
- Certificate Profiles (coming soon)
- Relying Party Agreement (coming soon)
Algorithms
- Signatures: ML-DSA-87 (root), ML-DSA-65 (subordinate/EE)
- Key Exchange: X25519MLKEM768 (hybrid), ML-KEM-768/1024 (pure PQ)
- Hash: SHA-384
Downloads
All downloads include SHA3-384 checksums for post-quantum integrity verification.
| File | SHA3-384 |
|---|---|
| qn-root-ca.crt | 53de238ff9cfdfb3430a0a0d23f34249af9ab0744ea348b78f27ce6cd9f073b4210a912e15516e1f086a8bc824529a0c |
| qn-ca-bundle.crt | 3d95e7792aa8b426110c225f17df274369686e580806251b38a9be34374a468c87d5140f96f6480ea5bbe60376e543fd |
| qn-ca-bundle.p7b | 7230f4ea8e0ae28fa343c733b9b666a477d9c3aa8ab596f03096dac64fc8b45f18d38fc3848c19e4a6c330fa0fe635ab |
Verify Downloads
Verify file integrity using SHA3-384 (post-quantum secure hash):
# Download and verify curl -O https://pki.quantumnexum.com/aia/qn-root-ca.crt openssl dgst -sha3-384 qn-root-ca.crt # Expected output: SHA3-384(qn-root-ca.crt)= 53de238f...24529a0c
Inspect Certificate
Requires OpenSSL 3.5+ (native) or OpenSSL 3.x with OQS provider:
openssl x509 -provider oqsprovider -provider default \ -in qn-root-ca.crt -text -noout
OID Reference
Quantum Nexum PKI uses the following Object Identifiers:
| OID | Description |
|---|---|
| 1.3.6.1.4.1.56266 | Ogjos Enterprise Arc (Base OID) |
| 1.3.6.1.4.1.56266.1 | Quantum Nexum PKI |
| 1.3.6.1.4.1.56266.1.1 | Root CA Policy |
| 1.3.6.1.4.1.56266.1.2 | TLS Policy |
| 1.3.6.1.4.1.56266.1.3 | Code Signing Policy |
| 1.3.6.1.4.1.56266.1.4 | Document Signing Policy |
| 1.3.6.1.4.1.56266.1.5 | S/MIME Policy |
| 1.3.6.1.4.1.56266.1.6 | Device Policy |
| 1.3.6.1.4.1.56266.1.7 | Identity Policy |
| 1.3.6.1.4.1.56266.1.8 | Hybrid Transition Policy |
Certificate Profiles
| Profile | Algorithm | Validity | Key Usage |
|---|---|---|---|
| Root CA | ML-DSA-87 (Level 5) | 20 years | keyCertSign, cRLSign |
| Policy CA | ML-DSA-65 (Level 3) | 10 years | keyCertSign, cRLSign |
| Issuing CA | ML-DSA-65 (Level 3) | 7 years | keyCertSign, cRLSign |
| TLS Server | ML-DSA-65 | 3 years | digitalSignature, keyEncipherment |
| TLS Client | ML-DSA-65 | 3 years | digitalSignature |
| Code Signing | ML-DSA-65 | 3 years | digitalSignature |
| S/MIME | ML-DSA-65 | 3 years | digitalSignature, keyEncipherment |