PQC (Post-Quantum Cryptography) 07-01-2026

Quantum readiness
made practical

 

Introducing the Quantum Central preview

Mike Fleck
Quantum Central Blog Hero

On July 1, we announced the preview of DigiCert Quantum Central, a new solution designed to help organizations begin and manage their transition to post-quantum cryptography (PQC).

The word “begin” matters here because, while most organizations know they need to prepare for quantum-safe cryptography, many fewer know where to start. The guidance usually sounds simple enough: Build a cryptographic inventory, assess your risk, make a plan, and begin migration. None of that is wrong, but it’s also not especially helpful if your first practical question is, “What do I do on Monday?”

That’s the problem Quantum Central is built to address.

The Quantum Central preview gives teams a practical way to start building visibility into their cryptographic assets, identify quantum-vulnerable cryptography, prioritize what needs attention, and track readiness. During the preview, access is free, offering an intentionally focused experience with limited functionality compared with the fully formed solution we’re building. We’ll continue adding fixes, enhancements, and capabilities before general availability in the next few months.

That is what a preview should be: a chance to start learning from your own cryptographic data, see how the workflow fits your environment, and help shape your strategy for quantum readiness.

Quantum Central

Why we built Quantum Central

At DigiCert, we’ve already made significant progress preparing our infrastructure, products, and services for the post-quantum transition, and Quantum Central was inspired by our own work to become quantum ready. The lessons we learned from doing the work ourselves shaped what we believe organizations need.

Here’s what we recommend based on what worked for us.

Get executive buy-in

Leadership support is key to making PQC migration a priority for the disparate teams involved in the process. Right-size the support and resources you ask for. It’s likely easier to get approval with an initial scope of a single business application environment or portion of your infrastructure.

Assign ownership

Designate one person to oversee the migration, and make them accountable for tracking progress. Coincidentally, this is exactly what the United States Government did recently with Executive Order 14409. The first step in that EO is for each agency to assign a specific person to be the PQC Migration Lead.

Form a tiger team

With executive support secure and your migration lead at the helm, form a small tiger team. That team should collectively understand your organization’s key management and encryption standards, high-level data and network flows, IT change management, and process for handling escalations.

Start small

Pick one application to migrate first, ideally something that’s already subject to external audit, since those environments tend to be better documented. If you can, make sure the application you pick includes a set of technologies and vendors that are reasonably standardized so the lessons learned will be broadly applicable.

Engage vendors

Your inventory will uncover a list of vendors and technologies that touch cryptography. Engage your suppliers to understand how they can help (or hinder) your efforts. Vendor readiness is great, but having good answers is the next best thing. If their technology doesn’t support PQC today, ask the vendor very specific questions like:

  • “When will you support ML-KEM with TLS 1.3?”
  • “When will you support pure PQC certificates using ML-DSA?”

Current guidance for quantum readiness

For many organizations, quantum readiness means securing your internet-facing systems. These are visible, important, and often already managed through established TLS and certificate processes. Simply put, moving those systems to TLS 1.3 and enabling hybrid ML-KEM key exchange is the most actionable thing you can do today.

From there, expand inward, focusing on systems that:

  • Protect data with long confidentiality requirements
  • Are in scope for compliance, audit, or customer security SLAs

Those are the places where delay compounds and where readiness evidence will matter. But this doesn't mean ignoring everything else; it means creating a sequence that a real organization can execute.

Inventory is the on ramp, not the destination

A cryptographic inventory is essential, but it’s often the part of the process that teams find the most intimidating. Starting small helps: Create an inventory for one environment, move to remediation for that environment, and then repeat the process. This is how you’ll build and execute your quantum readiness program.

Quantum Central is designed around that broader workflow. It helps teams build cryptographic visibility from multiple sources, apply policies to identify weak or quantum-vulnerable cryptography, prioritize migration work, manage remediation, and produce evidence of progress.

PQC migration will not and cannot happen all at once. Key exchange and digital signatures are different problems. ML-KEM is used for key establishment, including hybrid key exchange in protocols like TLS. ML-DSA is used for digital signatures, including certificate and signing use cases as ecosystem support matures. TLS endpoints, internal PKI, software signing, device identity, VPNs, SSH connections, and application dependencies will each move on different timelines.

A useful readiness program needs to reflect that reality.

You can DIY this. It just gets hard fast

Nothing in Quantum Central is magic. Organizations can build their own inventories, define their own readiness criteria, manage remediation in spreadsheets, create dashboards, chase vendors, document exceptions, and prepare reports for leadership and auditors. Many will start that way.

The challenge is keeping it all moving.

As the scope grows, the work becomes less about a one-time assessment and more about the sustained coordination to maintain cryptographic posture over time. New systems are deployed. Certificates are renewed. Vendors update road maps. Standards evolve. Regulations become more specific, and auditors become more knowledgeable. Internal priorities change. What was accurate last quarter may already be stale.

The transition is already underway

No one needs to pretend we know the exact date a cryptographically relevant quantum computer will arrive. That’s not the only driver anymore. Standards are moving, governments are setting timelines, regulators are paying attention, and customers are asking harder questions. And every new system deployed with quantum-vulnerable cryptography adds to the work that will eventually need to be done—we call this “cryptographic debt.”

The organizations that make the most progress won't be the ones that wait for perfect certainty, but the ones that start incrementally building visibility and executing now. 

That’s what Quantum Central is meant to help with. Create your free account to explore the preview today.

Subscribe to the blog