Hybrid Certificates and Dual Signatures for Post-Quantum PKI

Hybrid certificates are transitional certificates that carry both classical and post-quantum keys or signatures, enabling legacy and quantum-ready systems to each validate trust during the migration to post-quantum cryptography. Together with dual-signature strategies, which apply a classical and a post-quantum signature to the same artifact, they let organizations introduce quantum-resistant cryptography into existing PKI without breaking compatibility. They are a bridge to a fully quantum-resistant trust model, not a permanent design.

The transition to post-quantum cryptography is no longer theoretical. After NIST standardized ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205) on 13 August 2024, organizations are actively evaluating how quantum-resistant algorithms can enter existing PKI environments without disrupting operations.

The difficulty is that cryptographic migrations rarely happen all at once. An enterprise environment contains browsers, operating systems, applications, network devices, certificate authorities, hardware security modules (HSMs), and validation systems, and each evolves at a different pace. Replacing every component simultaneously is neither practical nor realistic.

Hybrid certificates and dual-signature strategies offer a way around this. Instead of switching from classical cryptography to PQC in one step, they add quantum-resistant capability while existing systems keep working. That lowers operational risk and builds crypto-agility into the PKI as the change rolls out.

Hybrid deployment is meant to be temporary. It buys time to move toward a future where quantum-resistant cryptography is the default, without a disruptive cutover. This article explains both approaches, how they differ, the main migration models, and the practical realities of running them in production.

Why Post-Quantum Migration Is Different

Earlier cryptographic migrations usually replaced one algorithm with another while keeping the same underlying trust model. The move from SHA-1 to SHA-256, for example, mainly affected signature and validation processes and was closer to a like-for-like substitution than PQC migration will be.

Post-quantum migration is different because it touches the entire cryptographic ecosystem. Quantum-resistant algorithms generally have larger keys, larger signatures, and different performance characteristics than RSA or Elliptic Curve Cryptography (ECC). Those size differences affect every layer of a PKI deployment: from TLS handshakes and certificate issuance at the edge, to HSM performance and lifecycle management at the infrastructure layer, to interoperability across distributed systems.

That is why NIST and other standards and regulatory bodies treat crypto-agility as a core requirement. Crypto-agility is the ability of a system, protocol, or infrastructure to switch cryptographic algorithms, key sizes, or standards quickly without requiring significant architectural redesign or operational disruption. An organization needs to support more than one algorithm at a time while the ecosystem catches up.

NIST’s draft transition roadmap, Internal Report 8547, still an Initial Public Draft, proposes deprecating 112-bit-strength RSA and ECC (for example, RSA-2048 and ECDSA P-256) after 2030 and disallowing all quantum-vulnerable RSA and ECC deployments after 2035, and it notes that the finalized standards can be adopted now.

For US National Security Systems, the NSA’s CNSA 2.0 suite already specifies the post-quantum parameter sets ML-KEM-1024 and ML-DSA-87 with category-specific deadlines: software and firmware signing were required to prefer CNSA 2.0 algorithms by 2025 (a deadline now in effect) and must exclusively use them by 2030, and all new NSS acquisitions must support CNSA 2.0 from January 1, 2027. Hybrid certificates and dual signatures are two practical ways to start, without waiting for every system to be ready.

What Are Hybrid Certificates

A hybrid certificate is not a completely new certificate format. It is typically an X.509 certificate extended to include both classical and post-quantum public key and signature information, enabling compatibility with existing systems while providing post-quantum protection.

The shared idea across implementations is that a single certificate carries cryptographic material allowing validation with a traditional algorithm, a quantum-resistant algorithm, or both.

The purpose is straightforward. Legacy systems continue to rely on the classical component, while PQC-capable systems use the quantum-resistant component. This lets an organization deploy PQC without waiting for every endpoint and application to become quantum-ready.

In June 2025 the IETF published RFC 9794, an informational document that establishes common terminology for post-quantum and traditional hybrid schemes, but the certificate mechanisms themselves are still being defined. The composite approach, in which two algorithms are combined and treated as a single algorithm, is specified in an active IETF LAMPS Working Group Internet-Draft (draft-ietf-lamps-pq-composite-sigs) that is on the Standards Track but is not yet a finished RFC. Teams should treat it as work in progress and design for change. Hybrid certificates are a migration mechanism for the period when classical and post-quantum systems must coexist, not the final state of PKI.

Dual-Signature Strategies

Dual-signing addresses a related but distinct problem. Instead of combining algorithms inside a certificate’s key material, a dual-signature approach applies two independent signatures to the same object, one with a classical algorithm and one with a post-quantum algorithm.

This is particularly useful for artifacts rather than connections, including code-signing operations, software packages, firmware updates, digital documents, supply-chain artifacts, and security assertions. Legacy systems validate the classical signature, while updated systems validate the post-quantum signature, so trust does not depend on the entire ecosystem being upgraded before anything can be deployed.

For long-lived signed artifacts, this matters more than it might first appear. A firmware image or signed document may need to remain verifiable for many years, well into the period when quantum-resistant verification is expected, so attaching a post-quantum signature today protects the artifact’s future verifiability.
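Dual signing only protects an artifact if each class of verifier is explicit about which signature it requires. The following is an added example, not code from the original article: it models a dual-signed envelope and three verifier policies, using keyed HMACs as stand-ins for a classical and a post-quantum signature scheme so that it runs with the standard library alone. The policy names, envelope layout, keys, and firmware bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Stand-ins for real signature schemes (assumption): keyed HMACs keep the block
# stdlib-only. In production these slots hold e.g. an ECDSA and an ML-DSA verifier.
def standin_sign(key: bytes, slot: str, artifact: bytes) -> bytes:
    digest = hashlib.sha256(artifact).digest()
    return hmac.new(key, slot.encode() + b"\x00" + digest, hashlib.sha256).digest()

def standin_verify(key: bytes, slot: str, artifact: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(standin_sign(key, slot, artifact), sig)

# Signature slots each verifier class insists on (hypothetical policy names).
REQUIRED = {
    "legacy": ("classical",),       # cannot parse the PQ signature, ignores it
    "pq-aware": ("pq",),            # must never fall back to classical alone
    "strict": ("classical", "pq"),  # both signatures must verify
}

def dual_sign(artifact: bytes, keys: dict) -> dict:
    """Return an envelope with one independent signature per slot over the same bytes."""
    sigs = {slot: standin_sign(key, slot, artifact) for slot, key in keys.items()}
    return {"artifact": artifact, "signatures": sigs}

def verify(envelope: dict, keys: dict, policy: str) -> tuple:
    """Return (ok, reason). A required slot that is missing counts as a failure."""
    for slot in REQUIRED[policy]:
        sig = envelope["signatures"].get(slot)
        if sig is None:
            return False, f"{slot} signature missing"
        if not standin_verify(keys[slot], slot, envelope["artifact"], sig):
            return False, f"{slot} signature invalid"
    return True, "ok"

# Constructed sample data: keys and a fake firmware image.
KEYS = {"classical": b"constructed-classical-key", "pq": b"constructed-pq-key"}
FIRMWARE = b"constructed firmware image v1.2.3"

if __name__ == "__main__":
    signed = dual_sign(FIRMWARE, KEYS)
    stripped = {"artifact": FIRMWARE,
                "signatures": {"classical": signed["signatures"]["classical"]}}
    for name, env in (("dual-signed", signed), ("pq removed", stripped)):
        for policy in REQUIRED:
            print(f"{name:12} {policy:9} -> {verify(env, KEYS, policy)}")
```

The envelope with the post-quantum signature removed still passes the legacy policy but fails the pq-aware and strict policies, which is the behaviour an updated verifier needs so that the second signature adds assurance rather than being optional.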

| Area | Hybrid certificates | Dual-signature strategy |
| --- | --- | --- |
| Primary purpose | Certificate transition | Artifact transition |
| Typical use cases | PKI, TLS, authentication | Code signing, software distribution, document signing |
| Compatibility | Supports legacy and PQ-aware certificate validation | Supports legacy and PQ-aware signature verification |
| Operational complexity | Requires certificate and PKI changes | Requires signing workflow changes |
| Migration benefit | Enables phased certificate migration | Enables phased artifact validation migration |

Although they are often discussed together, these approaches solve different problems, and many organizations will use both within a broader PQC program.

Practical Migration Strategies

Industry guidance commonly describes several models for moving PKI toward post-quantum trust, and the right choice depends on how much an organization controls its endpoints.

Hard cutover. Replace classical cryptography with PQC over a short timeframe. This can work in tightly controlled environments, but it creates serious interoperability risk in large enterprises with diverse endpoints.

Soft cutover. Run classical and post-quantum environments in parallel. This adds flexibility but also operational complexity, since two trust models must be maintained at once.

Hybrid migration. Issue certificates that support both classical and quantum-resistant trust. This generally offers the strongest backward compatibility during the transition.

Dual-signature migration. Protect critical artifacts such as software updates and signed code with two signatures while broader PKI modernization continues.

For most enterprises, phased approaches are far more practical than immediate replacement.

Operational Challenges

Hybrid and dual-signature strategies reduce migration risk, but they do not remove complexity, and a few realities deserve early attention.

The first is size. Post-quantum algorithms typically produce much larger keys and signatures than RSA or ECC, and combining them with a classical algorithm makes a hybrid cryptographic artifact even larger. This increases TLS handshake sizes, consumes more bandwidth, and adds storage and processing overhead across the certificate lifecycle. NIST itself cautions that hybrid solutions add complexity to implementations and architectures, which can raise both cost and the chance of implementation error.

The second is infrastructure readiness. Not every certificate authority, HSM, load balancer, VPN gateway, or security appliance yet supports the emerging PQC algorithms or the hybrid encodings, so roadmaps must be assessed before anything reaches production. There is also a specific security constraint to build into design decisions: a composite signature provides slightly weaker security guarantees than ML-DSA with randomized signing.

In practice, an attacker who has already obtained one valid signature could theoretically produce another valid signature on the same message, something that ML-DSA with randomized signing prevents (in technical terms, composite signatures offer only existential unforgeability (EUF-CMA), not the stronger strong unforgeability (SUF-CMA) that ML-DSA with randomized signing can provide).

This difference is unlikely to affect most PKI deployments, but applications with strict non-repudiation requirements should be aware of it, and substituting composite for standalone ML-DSA is a reduction in security guarantees. Composite keys are not meant to be used for both signing and key establishment, so design choices should follow the relevant draft specifications closely.

The third is lifecycle management. Security teams must simultaneously track classical assets, hybrid deployments, dual-signed artifacts, and future PQC-native implementations. Without centralized visibility, a migration of this scope quickly becomes difficult to govern.

Common Migration Mistakes

Many organizations underestimate the scope of post-quantum migration. A frequent mistake is assuming hybrid certificates automatically solve compatibility, when in reality every component involved in issuance, validation, storage, and trust-chain processing must support the chosen implementation.

Another is focusing on issuance while ignoring validation. A certificate can be issued successfully, but if downstream systems cannot parse the new format or algorithm, deployment fails at the point of verification. Teams also overlook infrastructure dependencies, since certificate authorities, HSMs, key management systems, and automation platforms all need to be assessed for post-quantum readiness.

The deeper mistake is treating PQC as a one-off technology project rather than a crypto-agility initiative. Successful migration depends on governance, inventory management, lifecycle controls, testing frameworks, and multi-year planning, not on a single algorithm swap.

Security Best Practices

A sound migration begins with a comprehensive cryptographic inventory. Certificates, TLS deployments, code-signing workflows, HSMs, applications, and trust relationships should all be documented before planning begins, because an algorithm that is not visible cannot be migrated.

Make crypto-agility a design principle so that systems can accommodate future algorithm changes without major architectural redesign.

Protect private keys in HSMs, ideally validated to FIPS 140-3 Level 3, and confirm PQC support across hardware and software before large-scale rollout.

Test thoroughly in non-production environments, validating hybrid certificates, dual-signature workflows, and PQC-enabled TLS before they reach production.

Track standardization status, since the hybrid certificate and composite signature specifications are still evolving in the IETF.

Treat the migration as a multi-year transformation, sequenced by risk and the long-term sensitivity of the data and artifacts involved.

Together, these steps keep a hybrid deployment interoperable and easy to govern while the standards and the wider ecosystem settle.

How Encryption Consulting Can Help

Post-quantum migration affects every layer of trust infrastructure, from certificate authorities and HSMs to code-signing platforms and certificate lifecycle management. Organizations often struggle to decide which assets to migrate first, which hybrid approaches fit their environment, and how to maintain continuity throughout.

PQC Advisory Services

Encryption Consulting supports organizations throughout this journey with end-to-end PQC migration services covering discovery, assessment, planning, validation, and deployment. Our PQC Advisory Services help organizations identify certificates, keys, algorithms, protocols, and cryptographic dependencies across cloud environments, applications, infrastructure, HSMs, source code repositories, containers, APIs, and CI/CD pipelines.

Using this visibility, we assess exposure to quantum-vulnerable cryptography, identify high-priority remediation areas, and develop risk-based migration roadmaps aligned with NIST standards, regulatory requirements, and business objectives.

Beyond planning, Encryption Consulting assists with vendor readiness assessments, proof-of-concept validation, interoperability testing, hybrid cryptography deployments, crypto-agile PKI architecture design, and enterprise-scale implementation programs. This structured approach enables organizations to move from fragmented cryptographic visibility to a governed, measurable, and sustainable PQC migration program.

CBOM Secure

A successful post-quantum transition begins with visibility. Encryption Consulting’s CBOM Secure provides continuous discovery and inventory of cryptographic assets across enterprise infrastructure, cloud environments, applications, and cryptographic services.

Unlike a point-in-time inventory, CBOM Secure continuously generates and consumes Cryptographic Bills of Materials (CBOMs) while tracking certificates, keys, algorithms, and cryptographic dependencies across the environment. It provides visibility into what is deployed, where it is running, and how cryptographic dependencies evolve over time.

The platform also supports policy-driven governance by validating cryptographic configurations against organizational standards, identifying deviations, and helping organizations address security, operational, and compliance risks.

For PQC readiness, CBOM Secure helps identify systems that rely on quantum-vulnerable algorithms, prioritize remediation activities, and establish the continuous cryptographic governance required to achieve long-term crypto-agility.

If your organization is working to establish a PQC governance model, assess cryptographic exposure, or build a migration roadmap against NIST and CNSA 2.0 timelines, reach out to us at [email protected].

Conclusion

Post-quantum migration will reshape every layer of PKI, from root CAs to endpoint certificates, and organizations that wait for the ecosystem to fully mature before starting will find themselves behind. Organizations cannot replace classical cryptography overnight, and they cannot afford to delay planning until quantum threats are imminent, particularly where harvest-now-decrypt-later collection puts long-lived data at risk today.

Hybrid certificates and dual-signature strategies provide practical mechanisms for managing that transition. They enable organizations to introduce quantum-resistant trust while maintaining interoperability with existing systems, even as standards and implementations continue to mature.

Ultimately, successful PQC migration is a crypto-agility initiative rather than a one-time technology upgrade. It requires organizations to understand where cryptography is deployed, establish visibility into cryptographic assets, modernize certificate lifecycle management, and build the flexibility to adopt new algorithms as standards evolve. A practical first step is to inventory cryptographic assets, identify long-lived data and systems most exposed to quantum risk, and begin controlled pilots of hybrid or dual-signature deployments.

Organizations that establish these capabilities now will be far better positioned to adapt as the post-quantum ecosystem matures.

If you’re planning your post-quantum migration, Encryption Consulting can help assess your PKI environment, develop a crypto-agility roadmap, and implement a phased migration strategy.