Frequently Asked Questions (FAQ)

Common questions about PQC SSL certificate deployment and post-quantum cryptography.

Table of Contents

1. General Questions
2. Technical Questions
3. Certificate Questions
4. Browser and Compatibility
5. Deployment and Operations
6. Security and Performance
7. Business Questions
8. Troubleshooting
9. Quick Reference

---

General Questions

What is Post-Quantum Cryptography (PQC)?

Post-Quantum Cryptography refers to cryptographic algorithms that are designed to be secure against attacks by both classical and quantum computers. Traditional cryptographic algorithms like RSA and ECC could be broken by sufficiently powerful quantum computers, but PQC algorithms are resistant to these attacks.

Why do I need PQC SSL certificates now?

While large-scale quantum computers don't exist yet, organizations are preparing for "Q-Day" (when quantum computers can break current encryption). Benefits include:

  • Future-proofing: Protect data that needs to remain secure for years
  • Compliance: Meet emerging regulatory requirements
  • Competitive advantage: Demonstrate security leadership
  • Client confidence: Show commitment to cutting-edge security

What is ML-DSA-65?

ML-DSA-65 (Module-Lattice-Based Digital Signature Algorithm) is a NIST-standardized post-quantum digital signature scheme (FIPS 204). It was previously known as CRYSTALS-Dilithium. The "65" refers to the security level (equivalent to AES-192).

Do I need to replace my existing SSL certificates?

No! Our approach lets you run both traditional and PQC SSL certificates simultaneously:

  • Main site (example.com): Keep your existing SSL (Let's Encrypt, etc.)
  • PQC demo site (pqc.example.com): Add PQC SSL to showcase quantum-safe security

This lets you demonstrate PQC to clients while maintaining compatibility with all browsers.

---

Technical Questions

How does the HAProxy architecture work?

HAProxy uses Server Name Indication (SNI) inspection to route traffic without decrypting or terminating TLS itself:

1. Client connects to port 443
2. HAProxy reads the SNI field in the TLS ClientHello (the domain name)
3. If the SNI matches your PQC domain → routes to the BoringSSL server (port 9443)
4. Otherwise → routes to the traditional SSL server (port 8080)
5. Backend servers handle the actual SSL/TLS termination
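The routing above, written out as an HAProxy configuration by an added shell script (this is an illustration, not the project's own Configuration Guide); the domain pqc.example.com, the backend names and the timeouts are assumptions:

```shell
#!/bin/sh
# Added example: write the HAProxy SNI-router config described in the FAQ.
# HAProxy runs in TCP mode, so it never terminates TLS: it only reads the SNI
# from the ClientHello and forwards the raw connection to the matching backend.
PQC_DOMAIN="${PQC_DOMAIN:-pqc.example.com}"   # assumed demo hostname

write_sni_router_cfg() {          # $1 = output path (e.g. /etc/haproxy/haproxy.cfg)
    cat > "$1" <<EOF
global
    log /dev/log local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_sni_router
    bind *:443
    # Hold the connection (up to 5s) until the ClientHello has arrived,
    # then evaluate the SNI ACLs below on it.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl is_pqc req.ssl_sni -i ${PQC_DOMAIN}
    use_backend pqc_backend if is_pqc
    default_backend traditional_backend

backend pqc_backend
    # BoringSSL PQC server, loopback only
    server pqc 127.0.0.1:9443

backend traditional_backend
    # Existing Nginx/Apache TLS listener, loopback only
    server web 127.0.0.1:8080
EOF
}

# Parse-check the config with haproxy when the binary is present; otherwise
# fall back to confirming the SNI ACL was written.
check_sni_router_cfg() {          # $1 = config path
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1"
    else
        grep -q "req.ssl_sni -i ${PQC_DOMAIN}" "$1"
    fi
}
```

Run `write_sni_router_cfg /etc/haproxy/haproxy.cfg && check_sni_router_cfg /etc/haproxy/haproxy.cfg` before restarting HAProxy.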

Why not just use PQC on my main website?

Main challenges:

  • Browser support: Only specialized browsers (like Qromium) support PQC currently
  • Performance: PQC certificates are larger, may impact load times
  • Compatibility: Would break access for standard browsers

The dual-certificate approach gives you the best of both worlds.

Can I use Apache instead of Nginx?

Yes! The architecture works with any web server. See our Configuration Guide for Apache examples. The key is:

  • HAProxy on port 443 (SNI router)
  • Your web server on backend port 8080
  • BoringSSL PQC server on backend port 9443

What ports do I need open in my firewall?

External (internet-facing):

  • Port 80 (HTTP - redirects to HTTPS)
  • Port 443 (HTTPS - HAProxy)

Internal (localhost only):

  • Port 8080 (backend traditional SSL)
  • Port 9443 (backend PQC SSL)

Backend ports should NOT be exposed to the internet.

---

Certificate Questions

How long are PQC SSL certificates valid?

Our PQC SSL certificates are typically valid for 1 year, same as traditional SSL certificates. You'll receive renewal reminders before expiration.

Can I use Let's Encrypt for PQC certificates?

Not yet. Let's Encrypt doesn't currently support PQC algorithms. You need to purchase PQC certificates from providers like PQCNow that support ML-DSA-65.

What's the difference between .crt and -bundle.crt files?

  • domain.crt: Just your certificate
  • domain-bundle.crt: Your certificate + intermediate CA certificates + root CA

Always use the bundle version for the PQC server to avoid "untrusted certificate" errors.

How do I renew my PQC certificate?

1. Contact support@pqcnow.com before expiration
2. Receive new certificate files
3. Replace old files in `/opt/pqc/certificates/`
4. Restart PQC server: `systemctl restart pqc-demo`

No configuration changes needed - just swap the certificate files.

Can I use the same PQC certificate on multiple servers?

Yes, but each server needs its own copy of the certificate and key files. Make sure to:

  • Keep private keys secure during transfer
  • Use `scp` or other secure methods to copy files
  • Set proper permissions (600 for .key files)

---

Browser and Compatibility

Why does my PQC site show a certificate error in Chrome?

This is expected! Standard browsers (Chrome, Firefox, Safari, Edge) don't support PQC algorithms yet. They'll show certificate warnings when visiting PQC sites.

Solution: Use Qromium browser (available from PQCNow) to access PQC sites without errors.

What browsers support PQC certificates?

Currently:

  • Qromium (our custom Chromium build) - Full PQC support
  • OQS-enabled browsers - Various experimental builds

Standard browsers (Chrome, Firefox, Safari, Edge) don't support PQC yet, but support is expected in future versions.

When will standard browsers support PQC?

Browser vendors are working on PQC support, likely timeline:

  • 2025-2026: Experimental/beta support
  • 2026-2027: General availability
  • 2027+: Widespread adoption

Our dual-certificate approach ensures you're ready when browsers add support.

Can mobile devices access PQC sites?

Yes, with Qromium browser installed on:

  • Android devices (download from PQCNow)
  • iOS support coming soon

Traditional site (example.com) works on all mobile browsers normally.

---

Deployment and Operations

How much does this setup cost?

Infrastructure costs:

  • HAProxy: Free (open source)
  • BoringSSL: Free (open source)
  • Nginx/Apache: Free (open source)

Certificate costs:

  • Traditional SSL: Free (Let's Encrypt) or paid
  • PQC SSL: Purchase from PQCNow (contact sales@pqcnow.com)

Server costs:

  • Minimal additional resources (same server can handle both)

Can I use Docker/Kubernetes?

Yes! See our Docker deployment example in the Configuration Guide. The architecture works in containerized environments.

Do I need a separate server for PQC?

No. The beauty of this architecture is everything runs on one server:

  • HAProxy (minimal resources)
  • Your existing web server (Nginx/Apache)
  • BoringSSL PQC server (minimal resources)

Typical resource usage: +100MB RAM, negligible CPU for PQC server.

What happens if the PQC server crashes?

Only the PQC demo site (pqc.example.com) would be affected. Your main site (example.com) continues working normally because they're independent.

Our systemd service config includes automatic restart on failure.

How do I update the PQC server binary?

```bash
# 1. Stop service
systemctl stop pqc-demo

# 2. Backup old binary
cp /opt/pqc/bssl_https_server_pqc /opt/pqc/bssl_https_server_pqc.backup

# 3. Replace with new binary
cp new_bssl_https_server_pqc /opt/pqc/bssl_https_server_pqc
chmod +x /opt/pqc/bssl_https_server_pqc

# 4. Start service
systemctl start pqc-demo
```

---

Security and Performance

Are PQC certificates more secure than traditional SSL?

  • Against quantum computers: Yes, PQC is resistant to quantum attacks
  • Against classical computers: Both are secure (for now)
  • Overall: PQC provides future-proof security

Think of it as insurance against future quantum computing threats.

Does PQC impact website performance?

  • Main site: No impact (uses traditional SSL)
  • PQC demo site: Slightly larger certificates (~2-5KB vs ~1KB)

Performance difference is negligible for most use cases. HAProxy routing adds <1ms latency.

Is HAProxy a security risk?

HAProxy is:

  • Industry-standard load balancer
  • Used by major companies worldwide
  • Regularly audited for security
  • Only inspects SNI (doesn't decrypt traffic)

It's a secure, proven solution for this architecture.

What if someone bypasses HAProxy?

Backend ports (8080, 9443) should only listen on localhost (127.0.0.1), not external IPs. This prevents direct access bypassing HAProxy.

Verify with:

```bash
ss -tlnp | grep -E ':(8080|9443)'
# Should show: 127.0.0.1:8080 and 127.0.0.1:9443
```
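An added check (not from the page's Testing Guide) that automates the verification above: it reads `ss -tlnp` output and fails if either backend port is bound to anything other than loopback. The sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag backend listeners (8080, 9443) bound to anything other
# than loopback. Reads `ss -tlnp`-style lines on stdin; exits 1 if exposed.
check_backend_binding() {
    awk '
        $1 == "LISTEN" {
            # $4 is "Local Address:Port"; the port is the last colon field
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "8080" || port == "9443") {
                if (addr == "127.0.0.1" || addr == "[::1]") {
                    print "ok: " $4
                } else {
                    print "EXPOSED: " $4 " (should be 127.0.0.1:" port ")"
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of `ss -tlnp` output: 9443 is wrongly bound to all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8080    0.0.0.0:*         users:(("nginx",pid=1,fd=6))
LISTEN 0      4096   0.0.0.0:9443      0.0.0.0:*         users:(("bssl_https_server_pqc",pid=2,fd=3))
LISTEN 0      4096   *:443             *:*               users:(("haproxy",pid=3,fd=7))'

# On a real host run:  ss -tlnp | check_backend_binding
run_sample() { printf '%s\n' "$SAMPLE_SS" | check_backend_binding; }
```

`run_sample` prints `ok: 127.0.0.1:8080` and `EXPOSED: 0.0.0.0:9443 (...)` and exits 1; a non-zero exit is what a cron job or health check should alert on.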

How often should I update the PQC server?

  • Security updates: As soon as available
  • Feature updates: Based on your needs
  • Check for updates: Monthly recommended

Subscribe to PQCNow updates at https://pqcnow.com to receive notifications.

Can I monitor PQC server health?

Yes! Use the health check script from our Testing Guide. It monitors:

  • PQC server availability
  • HAProxy status
  • Certificate expiration
  • Response times

---

Business Questions

Who should I showcase my PQC demo to?

Great audiences for PQC demos:

  • Clients: Demonstrate security leadership
  • Partners: Show commitment to data protection
  • Investors: Highlight technical sophistication
  • Compliance auditors: Prove future-readiness
  • Industry peers: Establish thought leadership

How do I explain PQC to non-technical people?

Simple explanation: "Quantum computers are coming that could break today's encryption. PQC (Post-Quantum Cryptography) is like a future-proof lock that even quantum computers can't pick. We're preparing now so your data stays secure for decades to come."

What's the ROI of implementing PQC?

Direct benefits:

  • Competitive differentiation
  • Compliance with emerging regulations
  • Client confidence and trust
  • Marketing and PR opportunities

Risk mitigation:

  • Protect long-term sensitive data
  • Avoid costly migrations later
  • Insurance against "Q-Day"

Can I get a certificate for testing first?

Contact sales@pqcnow.com to discuss testing options and pricing.

---

Troubleshooting

Where can I find logs?

```bash
# HAProxy logs
journalctl -u haproxy -f

# Web server logs
journalctl -u nginx -f   # or apache2/httpd
tail -f /var/log/nginx/error.log

# PQC server logs
journalctl -u pqc-demo -f
```

My question isn't answered here

Check our other documentation:

Still need help?

  • Email: support@pqcnow.com
  • Website: https://pqcnow.com/docs/
  • Sales: sales@pqcnow.com

---

Quick Reference

Important Files and Paths

| Item | Path |
|------|------|
| HAProxy config | `/etc/haproxy/haproxy.cfg` |
| PQC certificates | `/opt/pqc/certificates/` |
| PQC server binary | `/opt/pqc/bssl_https_server_pqc` |
| PQC service config | `/etc/systemd/system/pqc-demo.service` |
| Nginx configs | `/etc/nginx/sites-available/` |
| Apache configs | `/etc/apache2/sites-available/` |

Important Commands

```bash
# Check all services
systemctl status haproxy nginx pqc-demo

# Restart all services
systemctl restart haproxy nginx pqc-demo

# View logs
journalctl -u pqc-demo -f

# Test traditional site
curl -IL https://example.com

# Test PQC site (locally)
curl -k -I https://localhost:9443
```

Live Example

Visit our production demo:

  • Traditional site: https://pqcnow.com (works in any browser)
  • PQC demo site: https://demo.pqcnow.com (requires Qromium)

---

*Last updated: December 2024*

*For the latest information, visit https://pqcnow.com/docs/*