Quantum computing has moved from theory to reality, and organizations must advance in 2026 and beyond to keep pace.
The first post-quantum cryptographic (PQC) algorithms are standardized, and NIST is urging organizations to begin implementation and migration. The countdown to quantum-readiness has officially begun.
🚀 Today, we’re launching an all-new PQC Lab experience, a free, self-contained Test Drive that deploys in 20-30 minutes and unlocks a full environment for post-quantum experimentation and learning.
Now with full support for PQC signing and PQC PKI, the updated PQC Lab Test Drive makes it easier than ever to get hands-on with next-generation certificate and signing workflows.
If you have not begun your PQC journey yet, now is the perfect time. The PQC Lab gives you a safe, ready-to-use environment where you can test PQC in your own context: issue PQC certificates for TLS or IoT identities, experiment with ACME, validate PQC certificates, or try PQC signatures directly inside your CI/CD pipeline.
This is not only about future-proofing, it is about gaining velocity. Together, we can make the quantum transition smooth, practical, and secure for everyone.
PQC Certificate Issuance: Test Real Protocols, Real Workflows
Most organizations rely on multiple enrollment protocols. In a PQC transition, all of these must continue to work, only now with quantum-safe algorithms.
The PQC Lab makes this tangible:
- CMP (Certificate Management Protocol): Essential for telco and IoT ecosystems with automated device provisioning.
- ACME (Automatic Certificate Management Environment): Standard in cloud-native workflows and Kubernetes clusters.
- EST (Enrollment over Secure Transport): Common for provisioning routers, switches, and firewalls.
- REST APIs: Flexible integration into enterprise apps and custom workflows.
In the Lab, you can get a first introduction to PQC-only X.509 certificates and validate enrollment flows for IoT devices, workloads, and enterprise applications, without touching production.
PQC Signing: Future-Proof Your Artifacts
Certificates are only half the story. The software supply chain relies on trusted signatures; code, firmware, containers, and SBOMs all need to remain verifiable in a quantum-safe world.
The PQC Lab lets you experiment with a full set of PQC-enabled signing workflows, all pre-configured in the Test Drive, using SignServer via signclient or REST:
- Plain Signer: PQC signing for arbitrary data payloads.
- CMS (Cryptographic Message Syntax): Standard format for code, firmware, documents, and enterprise signing workflows.
- JAR Signing: PQC-enabled signing of Java archives.
- MSI Signing: PQC signing for Windows installer packages.
- Timestamping: PQC-supported timestamping.
This means you can plug PQC signing directly into your build pipelines and test end-to-end verification in real scenarios, ensuring the integrity of your software supply chain against future quantum threats.
The Power of EJBCA + SignServer Integration
What makes the Lab unique is the tight integration between EJBCA and SignServer.
- EJBCA issues PQC certificates via CMP, ACME, EST, and REST.
- SignServer uses those certificates to execute secure signing workflows.
The integration exemplifies enterprise-grade configuration: certificates issued in EJBCA can be used seamlessly in SignServer with centralized policies.
For enterprises, this setup example can easily be extended to support production capabilities:
- Unified policy and compliance enforcement
- Integration with identity providers (Keycloak, AD, etc.) and HSMs
- Controlled delegation of signing services to authorized teams and applications
- Deployment in Kubernetes or Docker, aligning with modern DevOps practices
While the Lab provides a safe, hands-on environment, it leverages the same components and configurations that can be extended to a secure, trusted production PQC environment, serving as an effective first step toward a blueprint for a production deployment.
Example Use Cases in the PQC Lab
- Issue PQC certificates for IoT devices using CMP or EST.
- Automate TLS certificate issuance with protocols like ACME, EST, & CMP
- Test REST-based issuance for enterprise applications.
- Sign firmware with CMS or Plainsigner for connected devices.
- Add PQC signing to a CI/CD pipeline for containers and artifacts.
These are not abstract demos, they are the exact scenarios enterprises need to validate before transitioning.
How to Get Access
Getting started with the PQC Lab is simple:
Sign up for a PQC Lab Test Drive
- Complete the registration form with your name, business email, phone number, company, and role.
- Accept the Test Drive terms and Keyfactor privacy policy, then submit.
Access your PQC Lab Test Drive
- You will receive an email with a link to the Test Drive portal.
- On your first login, select the PQC Lab instance and you will be directed to the Test Drive Portal.
Set up your environment
- Access Your Test Drive, the deployment will take 20-30 minutes.
- Follow the initial Setup guide to configure your browser for EJBCA and download the client CLI tools for issuing PQC certificates and signing artifacts.
Start exploring PQC
- Tutorials and step-by-step guides walk you through issuing certificates via CMP, ACME, EST, and REST, and performing PQC signing and validation.
The portal also allows you to manage your Test Drive: create new instances, log out, or access documentation at any time.
In about 20-30 minutes, you’ll have a fully deployed environment where you can experiment with PQC certificates and signing workflows in a safe, hands-on setup.
Urgency: Why We Must Act Together
The quantum threat is not science fiction. Adversaries are already collecting encrypted data today to decrypt tomorrow (“harvest now, decrypt later”). Once large-scale quantum computers arrive, classical RSA and ECC protections will fall.
If we wait, we risk running out of time to migrate. That is why the PQC Lab exists: to remove barriers, accelerate testing, and get people started.
But this isn’t just about one company or one product. We all depend on doing this right, together. Every engineer, every security team, every enterprise that starts testing now contributes to a safer digital future for everyone. (You can also explore this checklist to help your team prepare for a post-quantum future.)
Final Thoughts
The PQC Lab gives you a practical way to start today. Issue PQC certificates through CMP, ACME, REST, or EST. Sign artifacts with CMS, PlainSigner, timestamping and beyond. See how EJBCA and SignServer work together in an enterprise setup.
Most importantly, be part of the effort to make the quantum transition safe for everyone.
Request access to the PQC Lab and take your first step toward a quantum-safe future.
