Into the Post-Quantum Future with Keyfactor Command 25.1

Visibility into all PQC certificates, faster & easier enrollment, and improved collaboration capabilities make Command 25.1 our best release yet

Nobody can see the future, but you can definitely prepare for it. Ever since NIST standardized three post-quantum algorithms and declared 2030 as a deprecation timeline for legacy algorithms, post-quantum cryptography (PQC) has become a major focus for our customers.

Keyfactor has been preparing for the PQC shift for years, with free tools like PQC Lab for customers to generate and test PQC and hybrid certificates. And we’re rapidly implementing PQC capabilities into our PKI and signing solutions as algorithms become standardized. In this blog, we’ll cover some highlights of the 150+ improvements in Keyfactor Command 25.1, which is available for download today. Let’s dive in.

Leading the Post-Quantum Charge

In our previous release of Command, we introduced the ability to inventory certificates that leverage the ML-DSA post-quantum algorithm, as well as generate hybrid certificate signing requests (CSRs) for easier testing and PQC preparation.

With new PQC algorithms being developed and approved at a rapid pace, we want to ensure Keyfactor customers have visibility into all certificates, including those that leverage PQC algorithms, even if those algorithms are non-standardized. With discovery being a critical first step in the PQC transition, we’re thrilled to release this PQC-ready capability to customers.

Keyfactor Command can now identify non-standardized or test PQC algorithms by the object identifier (OID) shown in certificate details, ensuring comprehensive PQC discovery.

Keyfactor Command now offers extensible support for non-standardized PQC algorithms by showing administrators the object identifier (OID) in certificate details upon discovery. This is ideal for identifying all certificates with PQC algorithms in your organization’s inventory.

Once a non-standardized PQC algorithm is standardized, Keyfactor will identify and name the PQC algorithm in Command just as it does today for RSA, ECC, and other algorithms.

Faster and Easier Enrollment

Certificate enrollment is often a slow and painful process, riddled with room for human error. Keyfactor Command simplifies the process and reduces the likelihood of errors with intuitive self-service workflows and interfaces. Enrollment Patterns simplify the process of certificate enrollment for users and administrators while providing more flexibility and ensuring adherence to organizational standards.

Enrollment Patterns act as a subset of templates, allowing administrators to set multiple enrollment patterns per template, which fields users must complete in each pattern, and even which CA(s) should be used. If you have existing templates you’re using today, there’s no need to worry: they’ll inherit a default enrollment pattern automatically.

Enrollment Patterns simplify the process of certificate requests for end users, reducing the likelihood of errors and misconfigurations.

Previously, users who had a new one-off certificate request would have to fill out templates in two locations, including fields they may not understand, for a successful enrollment. With many users lacking PKI expertise, this increased the risk of misconfigured certificates and made the process unnecessarily tedious.

Now, when users have a new certificate request use case, they only need to submit administrator-specified information into Command once, and it will be sent to an appropriate CA for enrollment. Administrators have more control over new use case requests and can specify only what’s needed for each Enrollment Pattern.

Improved Collaboration Capabilities

Got vacation plans this year? With Command 25.1, managing certificate lifecycles is even easier. You can now add multiple email addresses for notifications in workflows, and recipients will also see who else received the request directly in the email.

This ensures redundancy, prevents delays, and keeps everyone informed, so critical certificate tasks are completed on time—even if someone sends their “Out of office” message.

Bottom line: you can worry less about certificate approvals and more about your piña colada the next time you’re on vacation.

Don’t Miss out on the Latest Keyfactor PQC Product Updates

To help businesses take actionable steps towards NIST’s recommended PQC timeline to deprecate traditional cryptographic algorithms by 2030 and disallow them entirely by 2035, we’re making significant updates across our product lines: Keyfactor Command, EJBCA, SignServer, and Bouncy Castle. You can learn more about recent enhancements in our latest press release.