TL;DR: A simple PQC test server can use ML-DSA for certificate signatures and ML-KEM for key exchange, according to DigiCert’s walkthrough, but only command-line clients currently validate it because mainstream browsers do not yet support ML-DSA certificates. That gap makes PQC readiness a staged migration problem, not a browser toggle.
NHIMG editorial — based on content published by DigiCert: How to Build Your Own PQC Test Server
Questions worth separating out
Q: How should teams pilot post-quantum TLS without breaking existing clients?
A: Start in a controlled environment with non-browser clients that can validate the handshake, then confirm certificate parsing, trust-store behaviour, and fallback handling.
Q: Why do quantum-safe certificates create migration risk for IAM and PKI teams?
A: Because certificates are tied to issuance, validation, renewal, and trust distribution, not just algorithm choice.
Q: What breaks when a PQC server is deployed before client support exists?
A: The trust chain breaks at the client layer.
Practitioner guidance
- Inventory all TLS termination points: Map every service, load balancer, reverse proxy, and application that issues or validates certificates so you know where PQC pilots can actually run.
- Test with non-browser clients first: Use Curl and other command-line validators to confirm handshake behaviour, certificate parsing, and error handling before expecting browser support.
- Separate signing from key exchange planning: Track which components need ML-DSA for authentication and which need ML-KEM for shared secret establishment so migration decisions do not blur the two controls.
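The split between ML-KEM key exchange and ML-DSA authentication shows up in what a client advertises in its ClientHello. The sketch below is an added example, not code from DigiCert's article: it parses a constructed extensions block and reports the two offers separately. The function names, sample bytes, and codepoint tables are assumptions to verify against the IANA TLS registries.

```python
import struct

# Codepoints assumed from the IANA TLS registries; verify before relying on them.
SUPPORTED_GROUPS, SIG_ALGS, SIG_ALGS_CERT = 10, 13, 50
MLKEM_GROUPS = {0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024", 0x11EB: "SecP256r1MLKEM768",
                0x11EC: "X25519MLKEM768", 0x11ED: "SecP384r1MLKEM1024"}
MLDSA_SCHEMES = {0x0904: "mldsa44", 0x0905: "mldsa65", 0x0906: "mldsa87"}

def parse_extensions(block: bytes) -> dict:
    """Split a ClientHello extensions block into {extension_type: body}."""
    exts, pos = {}, 0
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, length = struct.unpack_from("!HH", block, pos)
        if pos + 4 + length > len(block):
            raise ValueError("extension body overruns block")
        exts[ext_type] = block[pos + 4:pos + 4 + length]
        pos += 4 + length
    return exts

def u16_list(body: bytes) -> list:
    """Decode a 2-byte length prefix followed by 16-bit codepoints."""
    if len(body) < 2 or struct.unpack_from("!H", body)[0] != len(body) - 2 or len(body) % 2:
        raise ValueError("malformed codepoint list")
    return list(struct.unpack_from("!%dH" % (len(body) // 2 - 1), body, 2))

def pqc_offer(block: bytes) -> dict:
    """Report ML-KEM (key exchange) and ML-DSA (authentication) offers separately."""
    exts = parse_extensions(block)
    codes = lambda t: u16_list(exts[t]) if t in exts else []
    groups, sigs = codes(SUPPORTED_GROUPS), codes(SIG_ALGS)
    # signature_algorithms_cert, when sent, governs certificate-chain signatures.
    cert_sigs = codes(SIG_ALGS_CERT) if SIG_ALGS_CERT in exts else sigs
    return {"key_exchange": [MLKEM_GROUPS[g] for g in groups if g in MLKEM_GROUPS],
            "handshake_auth": [MLDSA_SCHEMES[s] for s in sigs if s in MLDSA_SCHEMES],
            "cert_chain_auth": [MLDSA_SCHEMES[s] for s in cert_sigs if s in MLDSA_SCHEMES]}

def ext(ext_type: int, codes: list) -> bytes:
    """Build one extension carrying a codepoint list (used for the constructed samples)."""
    body = struct.pack("!H%dH" % len(codes), 2 * len(codes), *codes)
    return struct.pack("!HH", ext_type, len(body)) + body

# Constructed samples, not captures: hybrid ML-KEM only, then ML-KEM plus ML-DSA.
KEM_ONLY = ext(SUPPORTED_GROUPS, [0x11EC, 0x001D]) + ext(SIG_ALGS, [0x0403, 0x0804])
KEM_AND_DSA = ext(SUPPORTED_GROUPS, [0x11EC, 0x001D]) + ext(SIG_ALGS, [0x0905, 0x0403])

if __name__ == "__main__":
    print(pqc_offer(KEM_ONLY), pqc_offer(KEM_AND_DSA), sep="\n")
```

A client shaped like the first sample can complete an ML-KEM key exchange yet has no way to accept an ML-DSA certificate, which is why the two controls need separate tracking in a pilot.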
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step build instructions for the PQC test server on AWS Linux
- Command-line validation examples using Curl and Links to confirm the TLS handshake
- Implementation notes for ML-DSA certificate use and ML-KEM key exchange
- Practical environment requirements for adapting the test setup to other Linux systems