By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: GlobalSignPublished November 19, 2025

TL;DR: Post-quantum cryptography aims to keep digital communication secure against both classical and quantum attacks while preserving interoperability with existing protocols, according to GlobalSign and NIST. The governance challenge is not that certificates fail today, but that CA, rotation, and migration decisions now need long lead times and clear ownership.


At a glance

What this is: This is a post on post-quantum cryptography and its implications for certificate authorities, with the key finding that current RSA and ECC certificates remain reliable today while transition planning is already necessary.

Why it matters: It matters because IAM and security teams depend on certificates for authentication, workload trust, and federation, so post-quantum readiness affects identity controls as well as crypto strategy.

By the numbers:

👉 Read GlobalSign's analysis of post-quantum cryptography for certificate authorities


Context

Post-quantum cryptography is the shift from algorithms that quantum computers could eventually break to new cryptographic methods designed to resist both classical and quantum attacks. In practice, the issue is not a current failure of certificates, but a future governance problem for certificate authorities, identity teams, and anyone relying on digital trust at scale.

For IAM and NHI programmes, the real question is how certificate lifecycles, workload identities, and federation trust chains will be migrated without breaking authentication or creating dual-crypto confusion. That makes PQC relevant to identity governance today, even though practical quantum attacks are not yet a day-to-day threat.


Key questions

Q: How should security teams prepare certificate estates for post-quantum migration?

A: Start with inventory, dependency mapping, and lifecycle automation. Teams need to know which applications, devices, and machine identities depend on each trust chain before they can safely introduce post-quantum algorithms. Without that visibility, migration becomes reactive, with outages and policy drift happening after the change instead of before it.

Q: Why do quantum-safe certificates create migration risk for IAM and PKI teams?

A: Because certificates are tied to issuance, validation, renewal, and trust distribution, not just algorithm choice. If client support is missing, the certificate may be technically valid but operationally unusable. Teams need to manage the full certificate lifecycle so the transition does not strand services or break authentication flows.

Q: How do organisations prepare PKI for post-quantum change?

A: They need a crypto-agility plan built on inventory, ownership, and testable replacement paths. Organisations should identify where RSA and ECC are used, decide which systems can support hybrid certificates, and rehearse algorithm migration before the change is forced by regulation or market pressure. Preparation is a lifecycle problem, not just a cryptography decision.

Q: Who should own post-quantum planning for certificates and workload identity?

A: Ownership should be shared across PKI, IAM, architecture, and platform operations, with clear decision rights for renewal policy, algorithm selection, and rollout sequencing. If those decisions sit in a single silo, the organisation will struggle to coordinate identity trust changes across applications and automated services.


Technical breakdown

Why RSA and ECC become a future trust problem

RSA and ECC underpin most digital certificates because they are computationally hard for classical systems to break. Quantum computing changes that assumption by making certain mathematical problems far easier to solve, which could expose long-lived certificates, signing keys, and trust anchors once sufficiently capable quantum hardware exists. Post-quantum cryptography addresses that by using algorithms based on problem classes such as lattices and code-based mathematics that are intended to remain resistant to both classical and quantum attack. The hard part is not just algorithm choice, but preserving interoperability while migrating a live trust ecosystem.

Practical implication: inventory certificate dependencies now so you can prioritize the systems whose trust failure would hurt identity and access first.

How post-quantum migration affects certificate authorities and PKI

A certificate authority does more than issue certificates. It anchors trust, signs identities, and supports revocation and lifecycle controls across applications and workloads. In a post-quantum transition, CA operators must plan for algorithm agility, dual-stack periods, and certificate chain compatibility so that older and newer cryptographic schemes can coexist without breaking authentication. This is especially important for enterprises with internal PKI, device certificates, and workload identity at scale, because the migration will not happen in one cutover. The operational challenge is governance, not theory.

Practical implication: require your PKI and identity teams to document algorithm-agility assumptions before renewal and platform refresh cycles begin.

What interoperability means for identity and workload trust

Interoperability in PQC is the requirement that new cryptographic systems work alongside existing communications protocols and networks. That matters because identity systems do not live in isolation: they support OIDC federation, service authentication, certificate pinning, device trust, and workload identity. If one trust domain moves too quickly, authentication failures can cascade across applications, CI/CD pipelines, and partner integrations. The technical risk is less about immediate exploitation and more about breaking identity availability during migration. That is why standards work and staged rollout planning matter as much as algorithm selection.

Practical implication: test PQC readiness in segmented environments before any production identity or certificate migration.


NHI Mgmt Group analysis

Post-quantum readiness is now a certificate governance issue, not a distant cryptography curiosity. The article is right to frame PQC as a transition problem rather than a current crisis. For identity and access teams, the relevant question is whether certificate lifecycles, issuance policies, and trust anchors can be changed without service disruption. Practitioners should treat algorithm agility as part of identity governance, not a separate crypto project.

Certificate authorities will become change-management pressure points during the quantum transition. When trust chains must support old and new algorithms at once, the CA becomes the coordination layer for renewal, compatibility, and policy enforcement. That increases the importance of lifecycle controls, auditability, and change sequencing across internal PKI and external trust relationships. The practitioner takeaway is to map CA dependencies before migration becomes urgent.

Post-quantum migration exposes the hidden coupling between certificate trust and workload identity. Certificates are not just for user-facing TLS. They also protect service-to-service authentication, API trust, and automated build pipelines, which means NHI governance will be part of the migration whether teams plan for it or not. The practical conclusion is that identity and PKI teams need a shared roadmap, not separate workstreams.

Dual-stack crypto periods will create new operational risk if ownership is unclear. The transition to PQC will likely require coexistence between legacy and post-quantum algorithms for years, which means policy exceptions, inventory gaps, and inconsistent renewal standards can accumulate quickly. That is a governance failure mode, not a technical inevitability. Practitioners should assign explicit ownership for crypto migration decisions across architecture, PKI, and identity operations.

Post-quantum planning should be measured by inventory quality, not by optimism. The organisations that move first will be the ones that know where certificates live, who issues them, which workloads depend on them, and how quickly they can be rotated or replaced. That is the same discipline identity teams already need for secrets and service accounts. The conclusion is straightforward: if you cannot map certificate dependency, you cannot manage quantum transition risk.

What this signals

Post-quantum planning will test whether identity programmes can manage trust as a lifecycle problem instead of a one-time cryptography upgrade. The organisations that treat certificates, workload identity, and federation as linked dependencies will be better positioned to avoid renewal failures and authentication outages during migration.

Crypto agility gap: the organisations most exposed are not necessarily the ones with the oldest certificates, but the ones that cannot prove where trust dependencies live. That is why certificate inventory quality, ownership clarity, and staged migration testing will matter more than abstract readiness claims.

Identity leaders should expect post-quantum work to surface the same control weaknesses seen in secrets and service-account governance: missing inventory, weak ownership, and unclear lifecycle management. The lesson is to build a migration roadmap that aligns PKI change windows with access governance, rather than treating them as separate programmes.


For practitioners

  • Inventory certificate dependencies Map every certificate used for user authentication, workload identity, API trust, device authentication, and internal PKI so you know where quantum-sensitive trust exists.
  • Define algorithm-agility requirements Require PKI, IAM, and application teams to document how they will support dual-stack crypto and eventual post-quantum replacement without breaking federation or service trust.
  • Prioritise long-lived trust paths Focus early planning on systems with long certificate lifetimes, external partner dependencies, and high-value automation flows where renewal failure would interrupt access or operations.
  • Align identity and PKI ownership Create a shared migration roadmap between identity architects, PKI owners, and platform teams so renewal, rotation, and compatibility decisions are governed together.

Key takeaways

  • Post-quantum cryptography is already an identity governance issue because certificates underpin authentication, federation, and workload trust.
  • The main operational risk is not today's cryptographic exposure, but unmanaged migration across long-lived trust chains and certificate lifecycles.
  • Security teams should inventory certificate dependencies, define algorithm-agility requirements, and align PKI ownership with IAM change management now.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.DS-5Cryptographic protection and migration planning sit at the core of this PQC discussion.
NIST SP 800-53 Rev 5SC-13Cryptographic protection governs certificate security and transition planning.
NIST Zero Trust (SP 800-207)Zero Trust depends on continuously validated trust mechanisms, including certificates.
NIST AI RMFGOVERNPQC planning needs explicit governance for ownership, policy, and migration sequencing.

Use GOVERN to assign accountable owners for cryptographic transition decisions across identity and platform teams.


Key terms

  • Post-Quantum Cryptography: Cryptographic methods designed to remain secure even if quantum computers become powerful enough to break RSA or ECC. In practice, PQC is about preserving confidentiality, authentication, and trust while the industry migrates to new algorithms that can coexist with existing protocols and infrastructure.
  • Certificate Authority For Access: A certificate authority for access is the trusted component that signs short-lived credentials after authentication and policy checks. In identity-led remote access, it becomes the control point for who can connect, for how long, and under what constraints.
  • Algorithm Agility: The ability to change cryptographic algorithms without redesigning the surrounding identity or communication system. For practitioners, it is a governance and architecture requirement that determines whether a certificate estate can move from legacy crypto to post-quantum crypto without breaking trust chains.

What's in the full article

GlobalSign's full blog covers the operational detail this post intentionally leaves for the source:

  • The vendor's own explanation of how PQC relates to certificate authority operations and trust chains.
  • A more detailed walkthrough of the quantum threat model for RSA and ECC in everyday certificate use.
  • The article's discussion of why practical quantum systems are not yet a present-day reality for most organisations.

👉 GlobalSign's full post provides the quantum context and CA perspective behind certificate transition planning.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, secrets management, and identity lifecycle control. It gives practitioners a structured way to connect certificate trust decisions to broader identity governance.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org