TL;DR: Core post-quantum infrastructure migration will finish by 2029, with TLS and certificate systems moving in stages to avoid breaking existing customers while reducing harvest-now, decrypt-later exposure, according to DigiCert. The shift shows that cryptographic agility and certificate lifecycle governance are now identity security priorities, not future research.
NHIMG editorial — based on content published by DigiCert: DigiCert’s 2029 post-quantum infrastructure migration plan
Questions worth separating out
Q: How should security teams plan a post-quantum migration for TLS and certificates?
A: Start with a dependency inventory that covers every TLS endpoint, certificate issuing path, and vendor-managed termination point.
Q: When does PQC migration become a governance issue rather than a crypto project?
A: It becomes a governance issue as soon as multiple teams, vendors, and certificate lifecycles must change in sequence.
Q: What usually slows down certificate migration to post-quantum algorithms?
A: Legacy browsers, embedded systems, custom SDKs, and unsupported libraries are the usual blockers.
Practitioner guidance
- Build a complete TLS dependency inventory: map every internal and external endpoint that uses TLS 1.3, including vendor termination services, legacy applications, embedded systems, and customer-facing properties.
- Classify certificate lifecycle readiness by system family: separate internal PKI, public PKI, and customer-issued certificates into distinct migration tracks so you can see where ML-DSA support, renewal automation, and trust anchor changes are actually blocked.
- Plan for legacy software constraints early: identify browsers, custom SDKs, and long-lived platforms that cannot move quickly to PQC-safe configurations, then tie them to a remediation sequence instead of assuming a single cutover date will work.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- The staged 2029 migration sequence for TLS confidentiality, including how x25519mlkem768 fits into current deployments.
- The product and standards dependencies behind public ML-DSA certificate support, including browser and CA/B Forum coordination.
- The practical implications of Merkle Tree Certificates for certificate transparency and post-quantum Web PKI.
- The article's own view of vendor readiness, customer compatibility constraints, and why hybrid deployments remain a transition tool.
👉 Read DigiCert's post-quantum infrastructure migration plan for 2029 →
PQC migration and certificate lifecycle: what do IAM teams need now?
Explore further
PQC migration is now an identity governance problem, not just a cryptography project. DigiCert’s roadmap shows that the hardest work is not algorithm selection but lifecycle coordination across TLS, certificates, vendors, and legacy systems. That is exactly the kind of dependency chain identity teams already manage in NHI governance, except the trust boundary is cryptographic rather than purely administrative. Practitioners should treat PQC readiness as a governed identity transition, not a lab exercise.
A few things that frame the scale:
- 69% of organisations now have more machine identities than human ones, according to the Critical Gaps in Machine Identity Management report.
- Only 38% have automated certificate lifecycle management in place, which helps explain why large-scale cryptographic change is so operationally difficult.
A question worth separating out:
Q: How do IAM teams prepare for harvest-now, decrypt-later risk?
A: Focus on the identities and certificates that will remain valid for the longest time, then shorten exposure by improving lifecycle control, renewal discipline, and migration sequencing. The goal is to reduce the value of captured traffic before quantum capability matures.
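As an added example (not code from DigiCert or the NHIMG editorial), the following Python classifier ties the three-track inventory from the practitioner guidance to the harvest-now, decrypt-later answer above: it labels each endpoint's readiness and orders every PKI track by exposure, using remaining certificate lifetime as the proxy for how long the current configuration persists. The group name x25519mlkem768 comes from the article; the endpoint names, dates and status labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# x25519mlkem768 is the hybrid group named in the article; the ML-DSA names
# are the standard parameter sets. Extend these sets as your stack adds groups.
PQ_KEX_GROUPS = {"x25519mlkem768"}
PQ_SIG_ALGS = {"ml-dsa-44", "ml-dsa-65", "ml-dsa-87"}

@dataclass
class Endpoint:
    name: str
    track: str            # migration track: "internal", "public" or "customer"
    kex_group: str        # key-exchange group the endpoint negotiates today
    cert_sig: str         # signature algorithm of the leaf certificate
    not_after: date       # certificate expiry
    legacy_clients: bool  # serves clients that cannot negotiate PQ groups yet

def classify(ep: Endpoint, today: date) -> dict:
    """Readiness status plus harvest-now, decrypt-later exposure in days."""
    pq_kex = ep.kex_group.lower() in PQ_KEX_GROUPS
    pq_sig = ep.cert_sig.lower() in PQ_SIG_ALGS
    if pq_kex and pq_sig:
        status = "pq-ready"
    elif pq_kex:
        status = "cert-pending"    # confidentiality done, ML-DSA cert still to come
    elif ep.legacy_clients:
        status = "blocked-legacy"  # needs a client remediation step first
    else:
        status = "kex-migratable"  # hybrid key exchange can be enabled now
    # Only traffic without PQ key exchange is harvestable; remaining certificate
    # lifetime stands in for how long the current configuration will persist.
    exposure = 0 if pq_kex else max((ep.not_after - today).days, 0)
    return {"name": ep.name, "track": ep.track, "status": status,
            "exposure_days": exposure}

def migration_plan(endpoints, today):
    """Group by PKI track; within a track the longest-exposed endpoint comes first."""
    plan = {}
    for ep in endpoints:
        plan.setdefault(ep.track, []).append(classify(ep, today))
    for rows in plan.values():
        rows.sort(key=lambda r: (-r["exposure_days"], r["name"]))
    return plan

SAMPLE_INVENTORY = [  # constructed sample data, not a real deployment
    Endpoint("api.example.test", "public", "x25519mlkem768", "ecdsa-sha256", date(2026, 9, 1), False),
    Endpoint("portal.example.test", "public", "x25519", "rsa-sha256", date(2026, 3, 1), False),
    Endpoint("vpn.example.test", "internal", "x25519", "rsa-sha256", date(2028, 1, 1), True),
    Endpoint("issued.customer.test", "customer", "secp256r1", "ecdsa-sha256", date(2027, 6, 1), False),
]
```

Feeding the classifier real data means populating `Endpoint` records from your scanner or certificate inventory; a `blocked-legacy` row with a large exposure is the one to sequence first in the remediation plan.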
👉 Read our full editorial: Post-quantum certificate migration is now an identity governance issue