Quantum Nexum

PKI.

Coming soon. The Quantum Nexum PKI is being refactored. The new hierarchy will sign with FIPS 204 ML-DSA at every level, with ACME automation and a published revocation surface. No live endpoints to advertise right now.

What's planned

root          ML-DSA-87       (NIST level 5)
policy        ML-DSA-65       (NIST level 3)
issuing       ML-DSA-65       (NIST level 3)
endpoints     AIA, CRL, OCSP, ACME (RFC 8555)
profiles      TLS, code-signing, S/MIME, device, identity

Hybrid profiles (classical + PQ side-by-side) are on the plan for interop with software that doesn't yet understand pure-PQ chains. The reissue follows industry guidance and the relevant NIST CSOR OID arc; see the Vault for the standards mapping.

Endpoints (planned)

When the hierarchy is live, these are the surfaces it will publish. None of them respond right now — they're listed here so the URLs are predictable.

AIA    quantumnexum.com/pki/aia/    CA bundle + per-CA cert downloads
CRL    quantumnexum.com/pki/crl/    full + delta CRLs per issuing CA
OCSP   quantumnexum.com/pki/ocsp/   live revocation status per policy CA
ACME   quantumnexum.com/acme/        RFC 8555 automated issuance

The AIA bundle is what you'd install into a system trust store to verify QN-issued certs — update-ca-certificates on Debian/Ubuntu, update-ca-trust on RHEL/Fedora. CRL distribution-point URLs will be embedded in every issued cert, so standard verifiers handle revocation automatically by reading the cRLDistributionPoints extension. See /acme/ for the automated-issuance side.

When

Honest answer: no exact date. The previous PKI was running but the algorithm and policy decisions have moved enough that a clean rebuild is faster than a migration. If you have a specific use case that depends on it — an integration test, a research deployment — email hello@quantumnexum.com and we'll prioritize the path that unblocks you.

Meanwhile

The Vault reference library doesn't need the PKI to be live; standards content is independent of the live infrastructure. Spork (the PQ CA software that will eventually run this PKI) is in alpha and you can run it yourself in the interim.