PQC SSL Certificate Installation Guide

This guide provides step-by-step instructions for deploying PQC SSL certificates alongside your existing traditional SSL setup using the HAProxy + BoringSSL architecture.

Table of Contents

1. Prerequisites 2. Architecture Decision 3. HAProxy Installation 4. BoringSSL PQC Server Setup 5. Backend Web Server Configuration 6. Certificate Installation 7. Service Configuration 8. Verification

Prerequisites

System Requirements

  • Operating System: Ubuntu 20.04+, Debian 11+, or RHEL 8+
  • RAM: Minimum 2GB (4GB recommended)
  • Disk Space: At least 10GB free space
  • Root Access: sudo or root privileges required

Software Requirements

# Update system packages
apt update && apt upgrade -y  # Debian/Ubuntu
# OR
yum update -y  # RHEL/CentOS

# Install build dependencies
apt install -y build-essential cmake git golang wget curl \
    libssl-dev pkg-config  # Debian/Ubuntu
# OR
yum install -y gcc gcc-c++ make cmake git golang wget curl \
    openssl-devel pkgconfig  # RHEL/CentOS

Domain Requirements

You need two domain names pointing to your server:

  • Main domain: e.g., \example.com\ (for traditional SSL)
  • PQC demo domain: e.g., \pqc.example.com\ or \demo.example.com\

Both should have DNS A records pointing to your server's IP address.

Obtain Your PQC SSL Certificate

Before proceeding, you should have received from PQCNow:

  • \your-domain.crt\ - PQC SSL certificate
  • \your-domain.key\ - Private key
  • \your-domain-bundle.crt\ - Certificate bundle with CA chain

Architecture Decision

Why HAProxy + BoringSSL?

Our production-tested architecture uses:

  • HAProxy on port 443 for SNI-based routing (no SSL termination)
  • Nginx/Apache on backend port 8080 for traditional SSL
  • BoringSSL server on backend port 9443 for PQC SSL

Advantages:
  • No firewall configuration needed (uses standard port 443)
  • Both sites accessible from internet
  • Clean separation of traditional and PQC traffic
  • Minimal changes to existing web server configuration

HAProxy Installation

Step 1: Install HAProxy

# Debian/Ubuntu
apt install -y haproxy

# RHEL/CentOS
yum install -y haproxy

# Verify installation
haproxy -v

Step 2: Configure HAProxy

Edit the HAProxy configuration:

nano /etc/haproxy/haproxy.cfg

Replace the entire file with this configuration (based on our production setup):

\\\haproxy global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon maxconn 2000

defaults log global mode tcp option tcplog timeout connect 5000 timeout client 50000 timeout server 50000

Frontend: Listen on port 443 and route based on SNI

frontend https_front bind *:443 mode tcp option tcplog tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } # Route PQC demo domain to BoringSSL backend # IMPORTANT: Replace "pqc.example.com" with your actual PQC domain use_backend pqc_demo if { req_ssl_sni -i pqc.example.com } # All other traffic goes to traditional SSL backend default_backend main_site

Backend: Traditional SSL site (Nginx/Apache on port 8080)

backend main_site mode tcp server nginx 127.0.0.1:8080 check

Backend: PQC demo site (BoringSSL on port 9443)

backend pqc_demo mode tcp server pqc 127.0.0.1:9443 check \\\

Important: Replace \pqc.example.com\ with your actual PQC demo domain.

Step 3: Enable and Start HAProxy

# Enable HAProxy to start on boot
systemctl enable haproxy

# Start HAProxy
systemctl start haproxy

# Check status
systemctl status haproxy

BoringSSL PQC Server Setup

Step 1: Download Pre-built Binary

We provide a pre-built BoringSSL HTTPS server with PQC support:

# Create directory for PQC server
mkdir -p /opt/pqc
cd /opt/pqc

# Download pre-built binary (contact support for download link)
wget https://pqcnow.com/downloads/bssl_https_server_pqc

# Make it executable
chmod +x bssl_https_server_pqc

# Verify it works
./bssl_https_server_pqc --help

Step 2: Alternative - Build from Source

If you prefer to build from source:

# Clone BoringSSL with PQC support
cd /opt
git clone https://github.com/google/boringssl.git
cd boringssl

# Checkout PQC-enabled version
git checkout main

# Build
mkdir build && cd build
cmake -DCMAKE_BUILD_TYPE=Release ..
make

# The server binary will be at: build/tool/bssl_https_server_pqc
cp tool/bssl_https_server_pqc /opt/pqc/

Backend Web Server Configuration

You need to configure your existing web server (Nginx or Apache) to listen on a backend port instead of port 443.

Option A: Nginx Configuration

#### Step 1: Modify Existing Site Configuration

Edit your existing Nginx site configuration:

nano /etc/nginx/sites-available/example.com

Change the \listen\ directive from port 443 to port 8080:

\\\nginx

Before:

listen 443 ssl http2;

After:

listen 8080 ssl http2; listen [::]:8080 ssl http2; server_name example.com www.example.com;

Keep your existing SSL certificate configuration

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Keep all your existing configuration...

`

#### Step 2: Add HTTP Redirect

Create a simple HTTP to HTTPS redirect (or modify existing):

\\\nginx server { listen 80; listen [::]:80; server_name example.com www.example.com; return 301 https://\$host\$request_uri; } \\\

#### Step 3: Create PQC Demo HTTP Redirect

Create a configuration file for your PQC demo domain:

nano /etc/nginx/sites-available/pqc.example.com

\\\nginx server { listen 80; listen [::]:80; server_name pqc.example.com;

# Redirect to HTTPS (HAProxy will route to port 9443) location / { return 301 https://\$server_name\$request_uri; } } \\\

Enable the site:

ln -s /etc/nginx/sites-available/pqc.example.com /etc/nginx/sites-enabled/

#### Step 4: Test and Reload Nginx

# Test configuration
nginx -t

# Reload Nginx
systemctl reload nginx

Option B: Apache Configuration

#### Step 1: Modify Virtual Host

Edit your existing Apache virtual host:

nano /etc/apache2/sites-available/example.com-ssl.conf  # Debian/Ubuntu
# OR
nano /etc/httpd/conf.d/ssl.conf  # RHEL/CentOS

Change the port from 443 to 8080:

\\\apache

Before:

After:

Listen 8080 ServerName example.com # Keep your existing SSL certificate configuration SSLEngine on SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem # Keep all your existing configuration... \\\

#### Step 2: Test and Restart Apache

# Test configuration
apachectl configtest

# Restart Apache
systemctl restart apache2  # Debian/Ubuntu
# OR
systemctl restart httpd  # RHEL/CentOS

Certificate Installation

Step 1: Create Certificate Directory

mkdir -p /opt/pqc/certificates
cd /opt/pqc/certificates

Step 2: Install Your PQC Certificates

Copy the certificate files you received from PQCNow:

# Upload certificates to server (using scp from your local machine)
scp pqc.example.com.crt root@your-server:/opt/pqc/certificates/
scp pqc.example.com.key root@your-server:/opt/pqc/certificates/
scp pqc.example.com-bundle.crt root@your-server:/opt/pqc/certificates/

Or if you have them locally on the server:

cp /path/to/pqc.example.com.crt /opt/pqc/certificates/
cp /path/to/pqc.example.com.key /opt/pqc/certificates/
cp /path/to/pqc.example.com-bundle.crt /opt/pqc/certificates/

Step 3: Set Proper Permissions

chmod 600 /opt/pqc/certificates/*.key
chmod 644 /opt/pqc/certificates/*.crt

Service Configuration

Step 1: Create Demo Website Files

Create a simple demo HTML page:

mkdir -p /opt/pqc/www
cat > /opt/pqc/www/index.html << 'EOF'
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>PQC Demo - Quantum-Safe SSL</title>
    <style>
        body { font-family: Arial, sans-serif; max-width: 800px; margin: 50px auto; padding: 20px; }
        .success { background: #d4edda; border: 1px solid #c3e6cb; padding: 20px; border-radius: 5px; }
        .info { background: #d1ecf1; border: 1px solid #bee5eb; padding: 15px; border-radius: 5px; margin-top: 20px; }
        h1 { color: #155724; }
        code { background: #f8f9fa; padding: 2px 5px; border-radius: 3px; }
    </style>
</head>
<body>
    <div class="success">
        <h1>โœ“ PQC SSL Connection Successful!</h1>
        <p>You are now connected using Post-Quantum Cryptography (ML-DSA-65).</p>
        <p>This connection is protected against quantum computer attacks.</p>
    </div>
    
    <div class="info">
        <h2>Certificate Information</h2>
        <p><strong>Algorithm:</strong> ML-DSA-65 (FIPS 204)</p>
        <p><strong>Quantum-Safe:</strong> Yes</p>
        <p><strong>Provider:</strong> PQCNow</p>
    </div>
</body>
</html>
EOF

Step 2: Create systemd Service

Create a systemd service to run the PQC server automatically:

nano /etc/systemd/system/pqc-demo.service

\\\ini [Unit] Description=PQC HTTPS Demo Server After=network.target

[Service] Type=simple User=root WorkingDirectory=/opt/pqc/certificates ExecStart=/opt/pqc/bssl_https_server_pqc pqc.example.com-bundle.crt pqc.example.com.key 9443 /opt/pqc/www Restart=always RestartSec=5 StandardOutput=journal StandardError=journal

Security settings

PrivateTmp=yes NoNewPrivileges=true

[Install] WantedBy=multi-user.target \\\

Important: Replace \pqc.example.com\ with your actual certificate filenames.

Step 3: Enable and Start PQC Service

# Reload systemd
systemctl daemon-reload

# Enable service to start on boot
systemctl enable pqc-demo

# Start the service
systemctl start pqc-demo

# Check status
systemctl status pqc-demo

Verification

Step 1: Check All Services

# Check HAProxy
systemctl status haproxy

# Check Nginx/Apache
systemctl status nginx  # or apache2/httpd

# Check PQC server
systemctl status pqc-demo

Step 2: Check Ports

# All these ports should be listening
ss -tlnp | grep -E ':(80|443|8080|9443)'

# Expected output:
# *:80     - Nginx/Apache (HTTP redirect)
# *:443    - HAProxy (SNI router)
# *:8080   - Nginx/Apache (traditional SSL backend)
# *:9443   - BoringSSL (PQC SSL backend)

Step 3: Test Traditional Site

# Should return HTTP 200
curl -I https://example.com

# Should work in any browser

Visit \https://example.com\ in any web browser - should work normally.

Step 4: Test PQC Site

# Check that it's listening
curl -k -I https://localhost:9443

# Test from HAProxy
curl -I --resolve pqc.example.com:443:127.0.0.1 https://pqc.example.com

Visit \https://pqc.example.com\` in Qromium browser (download from PQCNow).

Note: Standard browsers will show certificate errors because they don't support PQC yet.

Next Steps

Support

If you need assistance:

  • Technical Support: support@pqcnow.com
  • Documentation: https://pqcnow.com/docs/
  • Sales: sales@pqcnow.com