TL;DR: Post-quantum cryptography aims to keep digital communication secure against both classical and quantum attacks while preserving interoperability with existing protocols, according to GlobalSign and NIST. The governance challenge is not that certificates fail today, but that CA, rotation, and migration decisions now need long lead times and clear ownership.
NHIMG editorial — based on content published by GlobalSign: post-quantum cryptography and what it means for certificate authorities
By the numbers:
- According to Gartner, there will be three phases of activity over the next 10 years as quantum computing advances.
Questions worth separating out
Q: How should security teams prepare certificate estates for post-quantum migration?
A: Start with inventory, dependency mapping, and lifecycle automation.
Q: Why do quantum-safe certificates create migration risk for IAM and PKI teams?
A: Because certificates are tied to issuance, validation, renewal, and trust distribution, not just algorithm choice.
Q: How do organisations prepare PKI for post-quantum change?
A: They need a crypto-agility plan built on inventory, ownership, and testable replacement paths.
Practitioner guidance
- Inventory certificate dependencies Map every certificate used for user authentication, workload identity, API trust, device authentication, and internal PKI so you know where quantum-sensitive trust exists.
- Define algorithm-agility requirements Require PKI, IAM, and application teams to document how they will support dual-stack crypto and eventual post-quantum replacement without breaking federation or service trust.
- Prioritise long-lived trust paths Focus early planning on systems with long certificate lifetimes, external partner dependencies, and high-value automation flows where renewal failure would interrupt access or operations.
What's in the full article
GlobalSign's full blog covers the operational detail this post intentionally leaves for the source:
- The vendor's own explanation of how PQC relates to certificate authority operations and trust chains.
- A more detailed walkthrough of the quantum threat model for RSA and ECC in everyday certificate use.
- The article's discussion of why practical quantum systems are not yet a present-day reality for most organisations.
👉 Read GlobalSign's analysis of post-quantum cryptography for certificate authorities →
Post-quantum cryptography and certificates: are your controls ready?
Explore further
Post-quantum readiness is now a certificate governance issue, not a distant cryptography curiosity. The article is right to frame PQC as a transition problem rather than a current crisis. For identity and access teams, the relevant question is whether certificate lifecycles, issuance policies, and trust anchors can be changed without service disruption. Practitioners should treat algorithm agility as part of identity governance, not a separate crypto project.
A question worth separating out:
Q: Who should own post-quantum planning for certificates and workload identity?
A: Ownership should be shared across PKI, IAM, architecture, and platform operations, with clear decision rights for renewal policy, algorithm selection, and rollout sequencing. If those decisions sit in a single silo, the organisation will struggle to coordinate identity trust changes across applications and automated services.
👉 Read our full editorial: Post-quantum cryptography and certificate governance: what changes