If you ever tried to organize a half-day technical meetup that covers everything from quantum-safe algorithms to automated PKI deployments, you know it is not exactly an easy task. Luckily, our incredible team, a bit of caffeine and Swedish cinnamon rolls, all helped pull off the Keyfactor Tech Meetup 2025: “Hands-on with PQC – Build, Secure, Automate.”
As Head of Community and Developer Relations (and the official Agenda Master), I had the pleasure of curating a half-day where compliance met code, theory met practice, and cryptography connected our customers, partners, and the wider developer community.
Why We are Here: PQC in Practice
Post-Quantum Cryptography (PQC) is no longer a “future topic.” It’s now!
With the EU’s Cyber Resilience Act (CRA) and emerging guidance from NIST and BSI, the industry is shifting toward crypto agility and quantum resilience. Our goal with this year’s Tech Meetup was to make PQC real, not just about slides or isolated implementations of standards and specs, but about live demos that engineers can relate to, test, and apply in their own use cases and environments.
We kicked off with deep insights from our tech experts:
- Guillaume Crinon, our IoT guru, showed how to turn compliance into code, guiding OEMs on how to prepare for the Cyber Resilience Act (CRA) with secure-by-design IoT.
- David Hook, the legend behind Bouncy Castle, demonstrated how PQC standards are evolving and being implemented in the cryptographic libraries that developers use every day.
- Tomas Gustavsson, the brain behind EJBCA, explained how PQC is being integrated into PKI foundations, paving the way for the next quantum leap.
- Sven Rajala, our automation wizard, showed how to scale and secure a PKI with all-you-can-eat PQC, all deployed and managed at enterprise speed.
From CRA to Crypto-Agility
The first session dove into real-world CRA obligations and what OEMs need to enforce, from coordinated vulnerability disclosure to secure updates and RBAC in firmware signing. Guillaume showcased firmware signing with PQC on NXP’s i.MX 9 family, using SPSDK + Keyfactor SignServer integration.
The result? Quantum-resilient signing flows that fit naturally into CI/CD pipelines.
For engineers, this means crypto-evolution without chaos. Hybrid migration paths using both ECC/RSA and PQC algorithms showed how to future-proof systems while maintaining interoperability with existing infrastructure.
Cryptography, PKI & Signing Updates
In this session, David Hook and Tomas Gustavsson took us deep into the evolving world of cryptography and PKI.
David shared insights on how post-quantum standards like ML-DSA and ML-KEM are progressing through NIST and IETF, and how these new algorithms are already being implemented in Bouncy Castle to support hybrid and composite certificate formats.
Tomas followed with a look at how these cryptographic advancements are being integrated into PKI, including support for hybrid chains, CRLs, certification requests, PQC-capable HSMs, signing (CMS), and TLS.
Together, they showed how EJBCA, SignServer, and Bouncy Castle are helping developers bridge the gap between today’s infrastructure and the quantum-ready future.
Making PQC Tangible: The Live Demos
This year’s live demos were where everything came together, the part that truly defines our meetup style.
We built and deployed a fully automated, PQC-enabled PKI using:
- EJBCA, containerized for agility
- Helm, for repeatable and scalable deployments
- ConfigDump, ensuring consistent configuration across environments
- And, of course, HSM integration, securing keys and operations throughout the process.
In real time, attendees watched us issue and test PQC, hybrid, and composite certificates, validate TLS 1.3 hybrid handshakes, and confirm CMS message signing and verification, all interoperable across classical and quantum-safe setups.
It was not just about showing that it works; it was about showing agility, that it can scale, integrate, and be automated by any engineer, in any environment.
The Bigger Picture: Ecosystem and PQC Leadership
PQC does not happen in isolation. It takes a village, or in our case, an ecosystem of standardization bodies, technology providers, customers, and partners.
Through our collaborations with silicon vendors like NXP, HSM vendors, open-source communities such as OpenSSL, and active involvement in standards development, we are making sure that PQC and hybrid cryptography are available right where developers live, build, and innovate.
Keyfactor’s open-source products EJBCA, SignServer, and Bouncy Castle are not just part of the discussion; they are driving it. We are helping define how PQC, hybrid, and composite certificates will function across the next generation of connected systems, from cloud-native environments to bank and finance applications and IoT.
Build → Secure → Automate
If there was one message we wanted everyone to take home, it was this:
Crypto-agility doesn’t have to mean chaos.
With the right integrations, from HSM-backed PKIs to Helm-deployed containers, you can evolve your cryptography strategy while maintaining trust and control.
Thank You!
To everyone who joined us in Stockholm, thank you for bringing your curiosity, questions, and energy. Your participation made the demos come alive and the conversations a driving force in moving this evolution forward.
If you could not make it, stay tuned! We will be publishing recorded how-to guides, demo scripts, and ConfigDump samples soon on https://www.keyfactor.com/keyfactor-for-developers/.
And if you ever wondered what it looks like to run a PKI demo while juggling a couple of remote HSMs, Helm charts, and hybrid certificates, let’s just say: it is part science, part magic, and 100% community spirit.
Together, we are building the future of cryptographic trust. One demo at a time.