Implementing PKI & Digital Signatures using PQC in ADSS Server

Post-Quantum Cryptography (PQC) is often discussed in terms of algorithms. The practical deployment is not about algorithms alone; it is about how those algorithms are encoded into real-world cryptographic structures: X.509 certificates, CRLs, CMS signatures, OCSP responses, and timestamp tokens.

If those structures are not standards-aligned, interoperability fails.

NIST has officially released three finalised post-quantum cryptography standards (FIPS 203, 204, 205) designed to protect against future quantum computer attacks.

The approved algorithms include:

• ML-KEM (formerly CRYSTALS-Kyber) for general encryption
• ML-DSA (CRYSTALS-Dilithium) and SLH-DSA (SPHINCS+) for digital signatures

With another algorithm, FALCON, also slated for upcoming standardisation.

With ADSS Server 8.3.5 (released July 2024), Ascertia introduced production-grade PQC support across signing and PKI services. Release 8.4 focused on standards conformance and structural correctness especially for ML-DSA (CRYSTALS-Dilithium).

This article examines:

• PQC algorithms supported in ADSS Server
• X.509 and CMS data structures generated
• ASN.1 encoding alignment with RFC 9881 and RFC 9882

We also provide downloadable artefacts for the above so you can understand the structure better and also allow independent validation.

This is the first article in a four-part technical series covering structures, interoperability, performance, and HSM-backed PQC deployments.

1. Supported Post-Quantum Algorithms

ADSS Server aligns with the NIST PQC standardisation effort and supports finalised ML-DSA and ML-KEM parameter sets. ADSS Server ML-DSA implementations are according to published standards RFC 9881 (for certificates and CRLs) and RFC 9882 (for digital signatures based on CMS).

1.1 ML-DSA (CRYSTALS-Dilithium)

Supported parameter sets:

*RSA equivalence ranges because different standards round differently.

44 (Level 2), 65 (Level 3), 87 (Level 5) parameters provide NIST security strength levels equivalent to classical RSA-2048, RSA-3072 and RSA-7680 asymmetric crypto security categories.

Within ADSS Server, we have provided ML-DSA support for:

• ADSS Certification Services:
  • X.509 certificate signatures
  • Certificate Revocation Lists (CRLs)
• ADSS OCSP Service:
  • OCSP response signing
• ADSS Signing & Verification Service:
  • Remote signing using CMS signatures timestamp token signing
• ADSS SAM Appliance:
  • Server-side PKCS#1 signatures

ML-DSA is used consistently across the PKI lifecycle, ensuring algorithm continuity.

1.2 ML-KEM (CRYSTALS-Kyber)

ML-KEM (Module-Lattice-based Key Encapsulation Mechanism), formerly known as CRYSTALS-Kyber, is a NIST-standardised (FIPS 203) post-quantum algorithm designed to establish secure shared keys over insecure channels—protecting against future quantum computer attacks.

It is primarily used for key exchange in TLS, hybrid, and VPN protocols, offering fast performance and three security levels (512, 768, 1024).

Supported parameter sets:

512 (Level 1), 768 (Level 3), and 1024 (Level 5) parameters are supported within ADSS Server for:

• Inclusion in standard SubjectPublicKeyInfo (SPKI) structures
• Support for issuing quantum-safe certificates
• Enablement of hybrid classical and post-quantum deployment models

Together, these capabilities enable quantum-resistant key establishment within existing PKI hierarchies, allowing organisations to transition to post-quantum cryptography without disrupting established trust models.

2. PQC-Enabled Structures in ADSS Server

The primary architectural objective of the industry standardisation effort was to ensure PQC support was added without altering the structural integrity of established PKI and signing standards, namely PQC had to fit into the following:

• PKIX (RFC 5280)
• CMS (RFC 5652)
• OCSP (RFC 6960)
• TSP (RFC 3161)

The only change is the cryptographic primitive, not the well-established trust model.

3. X.509 Certificates (RFC 9881 Compliance)

ML-DSA certificates generated by ADSS Server conform to RFC 9881, which defines integration of ML-DSA into PKIX.

3.1 Structural Impact

The following certificate components are affected:

• tbsCertificate.signature
• signatureAlgorithm
• subjectPublicKeyInfo.algorithm
• subjectPublicKeyInfo.subjectPublicKey

Here’s an example of a simplified ASN.1 structure:

Certificate  ::=  SIGNED{ TBSCertificate }

SIGNED{ToBeSigned} ::= SEQUENCE {
    toBeSigned           ToBeSigned,
    algorithmIdentifier  SEQUENCE {
        algorithm        SIGNATURE-ALGORITHM.
                            &id({SignatureAlgorithms}),
        parameters       SIGNATURE-ALGORITHM.
                            &Params({SignatureAlgorithms}
                              {@algorithmIdentifier.algorithm})
                                OPTIONAL
    },
    signature BIT STRING (CONTAINING SIGNATURE-ALGORITHM.&Value(
                              {SignatureAlgorithms}
                              {@algorithmIdentifier.algorithm}))
}

SubjectPublicKeyInfo (ML-DSA)

SubjectPublicKeyInfo {PUBLIC-KEY: IOSet} ::= SEQUENCE {
     algorithm        AlgorithmIdentifier {PUBLIC-KEY, {IOSet}},
     subjectPublicKey BIT STRING
}

Key observations:

• Correct ML-DSA OIDs are used as defined in RFC 9881
• Parameters are encoded according to RFC guidance
• Public key is encoded as a BIT STRING of the expected size for the selected parameter set

3.2 Practical Structural Observations

Compared to RSA-2048 or ECDSA-P256:

• PQC public keys are significantly larger (RSA-2048=256 bytes, ECDSA-P256=33 bytes and ML-DSA-44=1312 bytes)
• PQC signature BIT STRING values increase substantially (RSA-2048=256 bytes, ECDSA-P256=64 bytes and ML-DSA-44=2420 bytes)
• Overall certificate size increases

However:

• The PKIX validation model remains unchanged
• Certificate path building logic remains unchanged
• Trust anchor semantics remain unchanged

3.3 ML-DSA-44 Certificate

Here is an example of ML-DSA-44 Certificate (ASN.1 Structure details):

Document Signing Certificate (ML-DSA-44)
Certificate SEQUENCE (3 elem)
└─ tbsCertificate TBSCertificate SEQUENCE (8 elem)
   ├─ version [0] (1 elem)
   │  └─ Version INTEGER 2
   ├─ serialNumber CertificateSerialNumber INTEGER (125 bit) 38701396122719744824873050854229556033
   ├─ signature AlgorithmIdentifier SEQUENCE (1 elem)
   │  └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17 ← Signature algorithm OID for ML-DSA-44
   ├─ issuer rdnSequence Name SEQUENCE (2 elem)
   ├─ validity Validity SEQUENCE (2 elem)
   │  ├─ notBefore utcTime Time UTCTime 2026-02-09 11:32:31 UTC
   │  └─ notAfter utcTime Time UTCTime 2027-02-09 11:32:31 UTC
   ├─ subject rdnSequence Name SEQUENCE (2 elem)
   ├─ subjectPublicKeyInfo SubjectPublicKeyInfo SEQUENCE (2 elem) 
   │  ├─ algorithm AlgorithmIdentifier SEQUENCE (1 elem) ← PublicKey algorithm OID and value for ML-DSA-44
   │  │  └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17
   │  └─ subjectPublicKey BIT STRING (10496 bit) 1111110111101010000110100111001011010110001000000110011111100011010101...
   └─ extensions [3] (1 elem)
signatureAlgorithm AlgorithmIdentifier SEQUENCE (1 elem) ← Signature algorithm OID and value for ML-DSA-44
└─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17
signature BIT STRING (19360 bit) 0110011011001100010011101100000001100010011101100011001110101110110...

Here is the ML-DSA-44 Certificate object

The integration is structurally clean.

4. ML-DSA Certificate Revocation Lists (CRLs)

ADSS Server generates CRLs signed using ML-DSA compliant with RFC 9881.

Here’s the relevant structure:

CertificateList  ::=  SIGNED{ TBSCertList }

CertificateList ::= SEQUENCE {
    tbsCertList          TBSCertList,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING
}

The signatureAlgorithm field reflects the ML-DSA OID and the signature is encoded as a BIT STRING consistent with the selected parameter set.

Structural differences vs classical CRLs:

• Increased PQC signature size
• Larger overall PQC-based CRL size

Again, the integration is structurally clean with no deviation from RFC 5280 CRL semantics.

4.1 ML-DSA-44 Signed CRL

Here is an example of CRL signed by ML-DSA-44 Certificate (CRL ASN.1 Structure details):

CRL (ML-DSA-44)
CertificateList SEQUENCE (3 elem)
└─ tbsCertList TBSCertList SEQUENCE (6 elem)
   ├─ version Version INTEGER 1
   ├─ signature AlgorithmIdentifier SEQUENCE (1 elem)
   │  └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17 ← Signature algorithm OID for ML-DSA-44
   ├─ issuer rdnSequence Name SEQUENCE (2 elem)
   │  ├─ RelativeDistinguishedName SET (1 elem)
   │  │  └─ AttributeTypeAndValue SEQUENCE (2 elem)
   │  │     ├─ type AttributeType OBJECT IDENTIFIER 2.5.4.6 countryName (x.520 DN component)
   │  │     └─ value AttributeValue [?] PrintableString GB
   │  └─ RelativeDistinguishedName SET (1 elem)
   │     └─ AttributeTypeAndValue SEQUENCE (2 elem)
   │        ├─ type AttributeType OBJECT IDENTIFIER 2.5.4.3 commonName (x.520 DN component) 
   │        └─ value AttributeValue [?] UTF8String ML-DSA-44_RootCA
   ├─ thisUpdate utcTime Time UTCTime 2026-02-09 11:06:01 UTC
   ├─ nextUpdate utcTime Time UTCTime 2026-02-10 11:06:01 UTC
   └─ crlExtensions [0] (1 elem)
      └─ Extensions SEQUENCE (2 elem)
         ├─ Extension SEQUENCE (2 elem)
         │  ├─ extnID OBJECT IDENTIFIER 2.5.29.35 authorityKeyIdentifier (x.509 extension)  
         │  └─ extnValue OCTET STRING (24 byte) 30168014839536A58C470C0456A05B9225240CD8D54DC84D
         └─ Extension SEQUENCE (2 elem)
            ├─ extnID OBJECT IDENTIFIER 2.5.29.20 cRLNumber (x.509 extension) 
            └─ extnValue OCTET STRING (3 byte) 020101
signatureAlgorithm AlgorithmIdentifier SEQUENCE (1 elem)
└─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17 ← Signature algorithm OID and value for ML-DSA-44
signature BIT STRING (19360 bit) 0111110101010101101100010101010011001000100110000001101001110111100000...

Here is the CRL object signed by a CA using a ML-DSA-44 Certificate

5. CMS Signatures (RFC 9882 Compliance)

ADSS Server generates CMS signatures using ML-DSA compliant with RFC 9882, which defines ML-DSA integration within CMS.

5.1 SignedData Structure

SignedData ::= SEQUENCE {
    version             CMSVersion,
    digestAlgorithms    SET OF DigestAlgorithmIdentifier,
    encapContentInfo    EncapsulatedContentInfo,
    certificates        [0] IMPLICIT CertificateSet OPTIONAL,
    signerInfos         SET OF SignerInfo
}

Within SignerInfo:

SignerInfo ::= SEQUENCE {
    version               CMSVersion,
    sid                   SignerIdentifier,
    digestAlgorithm       DigestAlgorithmIdentifier,
    signedAttrs           [0] IMPLICIT SignedAttributes OPTIONAL,
    signatureAlgorithm    AlgorithmIdentifier,
    signature             OCTET STRING,
    unsignedAttrs         [1] IMPLICIT UnsignedAttributes OPTIONAL
}

Key points:

• signatureAlgorithm contains ML-DSA OID as defined by RFC 9882
• PQC signature OCTET STRING reflects ML-DSA output size
• No non-standard CMS extensions are introduced

In ADSS Server we have applied this to:

• Document signatures
• Detached signatures
• Timestamp tokens
• Archive signatures

5.2 ML-DSA-44 Signed CMS

Here is an example of CMS signature signed by ML-DSA-44 Certificate (CMS ASN.1 Structure details):

RFC 9882 compliant CMS Signature (ML-DSA-44)
ContentInfo SEQUENCE (2 elem)
├─ contentType ContentType OBJECT IDENTIFIER 1.2.840.113549.1.7.2 signedData (PKCS #7)
└─ content [0] (1 elem)
   └─ SignedData SEQUENCE (5 elem)
      ├─ version CMSVersion INTEGER 1
      ├─ digestAlgorithms DigestAlgorithmIdentifiers SET (1 elem)
      │  └─ DigestAlgorithmIdentifier SEQUENCE (1 elem) ← Digest algorithm OID
      │     └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.3 sha-512 (NIST Algorithm)
      ├─ encapContentInfo EncapsulatedContentInfo SEQUENCE (2 elem)
      │  ├─ eContentType ContentType OBJECT IDENTIFIER 1.2.840.113549.1.7.1 data (PKCS #7)
      │  └─ eContent [0] (1 elem)
      │     └─ OCTET STRING (20978 byte) Demo File SigningDemo File SigningDemo File SigningDemo File Signin...
      ├─ CertificateSet [?] [0] (2 elem)
      │  ├─ certificate CertificateChoices SEQUENCE (3 elem)
      │  └─ certificate CertificateChoices SEQUENCE (3 elem)
      └─ signerInfos SignerInfos SET (1 elem)
         └─ SignerInfo SEQUENCE (6 elem)
            ├─ version CMSVersion INTEGER 1
            ├─ sid issuerAndSerialNumber SignerIdentifier SEQUENCE (2 elem)
            ├─ digestAlgorithm DigestAlgorithmIdentifier SEQUENCE (1 elem)
            │  └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.3 sha-512 (NIST Algorithm)
            ├─ SignedAttributes [?] [0] (2 elem)
            │  ├─ Attribute SEQUENCE (2 elem)
            │  │  ├─ type AttributeType OBJECT IDENTIFIER 1.2.840.113549.1.9.3 contentType (PKCS #9)
            │  │  └─ values SET (1 elem)
            │  │     └─ AttributeValue [?] OBJECT IDENTIFIER 1.2.840.113549.1.7.1 data (PKCS #7)
            │  └─ Attribute SEQUENCE (2 elem)
            │     ├─ type AttributeType OBJECT IDENTIFIER 1.2.840.113549.1.9.4 messageDigest (PKCS #9)
            │     └─ values SET (1 elem)
            │        └─ AttributeValue [?] OCTET STRING (64 byte) 1F9C7C39FAF8B11580D06C803662725FB797425CCBC1CED4EC534332C3236876F31E54...
            ├─ signatureAlgorithm SignatureAlgorithmIdentifier SEQUENCE (1 elem)
            │  └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17 ← Signature algorithm OID and value for ML-DSA-44
            └─ signature SignatureValue OCTET STRING (2420 byte) 92D594F85A6B8253B27B5C7081CD39472302C0CAFD47E182A9C660442FDFED86F8E4 ...

Here is the CMS object signed by a ML-DSA-44 Certificate

6. OCSP Responses (PKIX-Based)

ADSS Server produces ML-DSA-signed OCSP responses using the standard BasicOCSPResponse structure:

BasicOCSPResponse ::= SEQUENCE {
    tbsResponseData      ResponseData,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING,
    certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
}

The signatureAlgorithm reflects ML-DSA OID usage.

The response remains fully compliant with PKIX OCSP semantics. Only the signature primitive changes.

6.1 ML-DSA-44 Signed OCSP Response

Here is an example of OCSP Response signed by ML-DSA-44 Certificate (OCSP Response ASN.1 Structure details):

OCSP Response (ML-DSA-44)
PKIMessage SEQUENCE (2 elem)
├─ header PKIHeader [?] ENUMERATED 0
└─ body ir PKIBody [0] (1 elem)
   └─ CertReqMessages SEQUENCE (2 elem)
      ├─ CertReqMsg [?] OBJECT IDENTIFIER 1.3.6.1.5.5.7.48.1.1 ocspBasic (OCSP)
      └─ CertReqMsg [?] OCTET STRING (10760 byte) 30822A043081CEA1283026310B30090603550406130247423117301506035504030...
         └─ certReq CertRequest SEQUENCE (4 elem)
            ├─ certReqId INTEGER [?] SEQUENCE (3 elem)
            ├─ certTemplate CertTemplate SEQUENCE (1 elem)
            │  └─ OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17
            ├─ BIT STRING (19360 bit) 101111010010101110100001001111111001001100100010010000000111100...
            └─ [0] (1 elem)
               └─ SEQUENCE (2 elem)
                  ├─ SEQUENCE (3 elem)
                  │  ├─ SEQUENCE (8 elem)
                  │  └─ SEQUENCE (1 elem)
                  │     └─ OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17
                  │  └─ BIT STRING (19360 bit) 101010011110101010101101100000010110011010101101101101100001111000...
                  └─ SEQUENCE (3 elem)
                     ├─ SEQUENCE (8 elem)
                     └─ SEQUENCE (1 elem)
                        └─ OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17 ← Signature algorithm OID and value for ML-DSA-44
                     └─ BIT STRING (19360 bit) 0101100000111010011010110101010100111000111010000001101101000001100010...

Here is the OCSP Response object signed by a ML-DSA-44 Certificate.

7. Timestamp Tokens (CMS-Based)

Timestamp tokens generated by ADSS Server are CMS SignedData structures containing TSTInfo.

ML-DSA is applied at the CMS signature layer, ensuring:

• RFC 9882 compliance for encapsulated CMS
• Long-term validation compatibility
• Structural compatibility with existing validation engines

7.1 ML-DSA-44 Signed Timestamp Token

Here is an example of Timestamp Token signed by ML-DSA-44 Certificate (Timestamp Token ASN.1 Structure details):

Timestamp Token (ML-DSA-44)
ContentInfo SEQUENCE (2 elem)
├─ contentType ContentType OBJECT IDENTIFIER 1.2.840.113549.1.7.2 signedData (PKCS #7)
└─ content [0] (1 elem)
   └─ SignedData SEQUENCE (5 elem)
      ├─ version CMSVersion INTEGER 3
      ├─ digestAlgorithms DigestAlgorithmIdentifiers SET (1 elem)
      │  └─ DigestAlgorithmIdentifier SEQUENCE (1 elem) ← Digest algorithm OID
      │     └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.3 sha-512 (NIST Algorithm)
      ├─ encapContentInfo EncapsulatedContentInfo SEQUENCE (2 elem)
      │  ├─ eContentType ContentType OBJECT IDENTIFIER 1.2.840.113549.1.9.16.1.4 tSTInfo (S/MIME Content Types)
      │  └─ eContent [0] (1 elem)
      ├─ CertificateSet [?] [0] (2 elem)
      │  ├─ certificate CertificateChoices SEQUENCE (3 elem)
      │  └─ certificate CertificateChoices SEQUENCE (3 elem)
      └─ signerInfos SignerInfos SET (1 elem)
         └─ SignerInfo SEQUENCE (6 elem)
            ├─ version CMSVersion INTEGER 1
            ├─ sid issuerAndSerialNumber SignerIdentifier SEQUENCE (2 elem)
            ├─ digestAlgorithm DigestAlgorithmIdentifier SEQUENCE (1 elem)
            │  └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.3 sha-512 (NIST Algorithm)
            ├─ SignedAttributes [?] [0] (3 elem)
            │  ├─ Attribute SEQUENCE (2 elem)
            │  │  ├─ type AttributeType OBJECT IDENTIFIER 1.2.840.113549.1.9.3 contentType (PKCS #9)
            │  │  └─ values SET (1 elem)
            │  │     └─ AttributeValue [?] OBJECT IDENTIFIER 1.2.840.113549.1.9.16.1.4 tSTInfo (S/MIME Content Types)
            │  ├─ Attribute SEQUENCE (2 elem)
            │  │  ├─ type AttributeType OBJECT IDENTIFIER 1.2.840.113549.1.9.4 messageDigest (PKCS #9)
            │  │  └─ values SET (1 elem)
            │  │     └─ AttributeValue [?] OCTET STRING (64 byte) 46595C7481883E82E048F8F0F9F29C7EE6E6328330EBE512...
            │  └─ Attribute SEQUENCE (2 elem)
            ├─ signatureAlgorithm SignatureAlgorithmIdentifier SEQUENCE (1 elem) ← Signature algorithm OID and value for ML-DSA-44
            │  └─ algorithm OBJECT IDENTIFIER 2.16.840.1.101.3.4.3.17
            └─ signature SignatureValue OCTET STRING (2420 byte) FC3B9ADB9DDF9D7B95B694523BA70591F40546BB9215230EDA561F50C5882CC2B84D...

Here is the Timestamp Token object signed by a ML-DSA-44 Certificate.

8. Downloadable Artefacts

The following artefacts are available for independent validation and ASN.1 inspection:

These artefacts allow validation using independent toolchains such as OpenSSL and Bouncy Castle — which will be covered in detail in the next article.

9. Architectural Perspective

From an architectural standpoint, the integration of PQC into ADSS Server demonstrates an important principle: Post-Quantum Cryptography does not require redesigning PKI — it requires correctly integrating new primitives into existing, well-defined structures.

While ML-DSA and ML-KEM introduce:

• Larger key material
• Larger signatures
• Increased storage and transmission requirements

The trust model, validation logic, and structural semantics of PKIX and CMS remain intact. The migration challenge is therefore operational and performance-oriented — not structural.

A deeper dive into cross-validation and interoperability testing

The next article in this series will examine:

Cross-validation and interoperability testing with OpenSSL 3.6.1 and Bouncy Castle 1.83, including command-level walkthroughs and verification outputs.