Post-Quantum Cryptography (PQC) SSL Certificate Deployment Guide

Overview

This documentation provides a complete guide for deploying PQC SSL certificates alongside your existing traditional SSL certificates. This dual-certificate approach allows you to:

Maintain your existing website with traditional SSL (e.g., www.example.com)
Showcase quantum-safe cryptography with a PQC demo site (e.g., pqc.example.com)
Demonstrate future-proof security to your clients

What is Post-Quantum Cryptography?

Post-Quantum Cryptography (PQC) refers to cryptographic algorithms designed to be secure against attacks by quantum computers. Our PQC SSL certificates use ML-DSA-65 (FIPS 204), a NIST-standardized post-quantum digital signature algorithm.

Architecture Overview

Our proven architecture uses HAProxy for SNI routing to direct traffic to the appropriate backend server:

\\\┌─────────────────────────────────────────────────────────────┐ │ Internet │ └────────────────────┬────────────────────────────────────────┘ │ ▼ ┌────────────────┐ │ Port 80 │ │ (HTTP) │ └────────┬───────┘ │ │ HTTP → HTTPS Redirect │ ▼ ┌────────────────┐ │ Port 443 │ │ HAProxy │ │ (SNI Router) │ └────────┬───────┘ │ ┌────────────┴─────────────┐ │ │ ▼ ▼ ┌───────────────┐ ┌──────────────┐ │ Backend 8080 │ │ Backend 9443 │ │ Nginx/Apache │ │ BoringSSL │ │ Traditional │ │ PQC Server │ │ SSL │ │ ML-DSA-65 │ │ │ │ │ │ example.com │ │ pqc.example │ └───────────────┘ └──────────────┘ \\\

How It Works

1. Port 80 (HTTP): Redirects all HTTP traffic to HTTPS 2. Port 443 (HAProxy): Inspects SNI (Server Name Indication) to route traffic: - \example.com\ → Backend traditional SSL server (port 8080) - \pqc.example.com\ → Backend PQC SSL server (port 9443) 3. Backend Servers: Handle actual SSL/TLS termination with their respective certificates

Quick Start

Prerequisites

Linux server (Ubuntu 20.04+ or Debian 11+ recommended)
Root or sudo access
Domain names pointing to your server
PQC SSL certificate from PQCNow

Basic Setup Steps

1. Install HAProxy for SNI routing 2. Configure your existing web server (Nginx/Apache) to listen on backend port (e.g., 8080) 3. Set up BoringSSL PQC server on backend port (e.g., 9443) 4. Configure HAProxy to route traffic based on domain name 5. Test both sites with appropriate browsers

Live Example

Our production deployment at \pqcnow.com\ uses this exact architecture:

Traditional Site: \https://pqcnow.com\ (Laravel app with Let's Encrypt)
PQC Demo Site: \https://demo.pqcnow.com\ (BoringSSL with ML-DSA-65)

You can test the PQC site using Qromium browser (Chromium with PQC support).

Documentation Structure

Installation Guide

Step-by-step instructions for setting up the complete dual-certificate architecture:

HAProxy installation and configuration
BoringSSL compilation with PQC support
Backend server configuration (Nginx, Apache)
Certificate installation

Configuration Reference

Detailed configuration examples based on our production setup:

HAProxy SNI routing configuration
Nginx backend configuration
Apache backend configuration
systemd service setup for PQC server
Docker deployment option

Testing Guide

How to verify your PQC deployment:

Certificate validation
Browser compatibility testing
SSL/TLS handshake verification
Performance testing

Troubleshooting

Common issues and solutions:

Port conflicts
Certificate errors
HAProxy routing issues
Browser compatibility problems

FAQ

Frequently asked questions about PQC deployment

Real-World Configuration Examples

HAProxy SNI Routing (Port 443)

\\\haproxy frontend https_front bind *:443 mode tcp option tcplog tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 }

# Route PQC demo to BoringSSL backend use_backend pqc_demo if { req_ssl_sni -i pqc.example.com } # Default traffic goes to traditional SSL backend default_backend main_site

backend main_site mode tcp server nginx 127.0.0.1:8080 check

backend pqc_demo mode tcp server pqc 127.0.0.1:9443 check \\\

Nginx Backend (Port 8080)

\\\nginx server { listen 8080 ssl http2; server_name example.com www.example.com;

# Traditional SSL certificate ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# Your existing configuration... } \\\

PQC Server systemd Service

\\\ini [Unit] Description=PQC HTTPS Demo Server After=network.target

[Service] Type=simple User=root WorkingDirectory=/opt/pqc ExecStart=/opt/pqc/bssl_https_server_pqc pqc.example.com-bundle.crt pqc.example.com.key 9443 Restart=always

[Install] WantedBy=multi-user.target \\\

Browser Compatibility

Traditional Site (example.com)

✅ All modern browsers (Chrome, Firefox, Safari, Edge)
✅ Mobile browsers (iOS Safari, Android Chrome)

PQC Demo Site (pqc.example.com)

✅ Qromium browser (download from PQCNow)
✅ OQS-enabled browsers
⚠️ Standard browsers (will show certificate errors until PQC becomes mainstream)

Support

Documentation: See detailed guides linked above
Certificate Purchase: Contact sales@pqcnow.com
Technical Support: support@pqcnow.com
Website: https://pqcnow.com

Next Steps

1. Review the Installation Guide for your server type 2. Purchase your PQC SSL certificate from PQCNow 3. Follow the step-by-step setup process 4. Test your deployment using the Testing Guide 5. Share your PQC demo site with clients!

---

Note: All configuration examples in this documentation are based on our production deployment at \pqcnow.com\ and \demo.pqcnow.com\. These are tested, working configurations that you can adapt for your own setup.