What is the difference between composite and hybrid PQC certificates?

Composite certificates concatenate both classical and post-quantum key material and signatures into standard X.509 fields — a single public key contains both algorithms, and a single signature is produced by both. Hybrid (catalyst) certificates use X.509 alternative extensions to carry the PQC components alongside the classical certificate structure. Composite certificates are a single atomic unit; hybrid certificates maintain backward compatibility with clients that don't understand PQC by letting them fall back to the classical components.

Can OpenSSL 3.5 generate hybrid PQC certificates?

OpenSSL 3.5 supports pure PQC certificates (ML-DSA, SLH-DSA key pairs and signatures) and hybrid TLS key exchange (X25519MLKEM768). It does not natively generate composite or catalyst hybrid certificates. For composite certificate generation, the oqs-provider offers hybrid signature algorithms like p256_mldsa44 and p384_mldsa65, or the Bouncy Castle library provides full composite and catalyst certificate support.

How much larger are hybrid PQC certificates compared to classical certificates?

A typical ECDSA P-256 end-entity certificate is approximately 500-800 bytes. A pure ML-DSA-65 certificate is approximately 5,000-6,000 bytes due to the 1,952-byte public key and 3,309-byte signature. A composite certificate combining ECDSA P-384 + ML-DSA-65 is approximately 6,000-7,000 bytes. In a three-certificate TLS chain, this means the total chain size increases from roughly 2-3 KB to 15-20 KB.

Which hybrid PQC certificate approach should I use for production?

As of early 2026, neither composite nor catalyst certificate formats are finalized standards. The IETF Composite Signatures draft is progressing but not yet an RFC. For lab testing and pilot deployments, Axelspire recommends composite certificates via oqs-provider's hybrid signature algorithms (e.g., p384_mldsa65) because they work within existing X.509 parsing without certificate structure modifications. For production TLS today, use hybrid key exchange (X25519MLKEM768) with classical ECDSA certificates — this protects key exchange against harvest-now-decrypt-later while keeping certificate authentication on proven algorithms.

How do I test hybrid PQC TLS connections?

Use OpenSSL's s_server and s_client tools compiled against OpenSSL 3.5 or with oqs-provider. Start a server with a PQC certificate and specify hybrid groups: 'openssl s_server -cert mldsa65_cert.pem -key mldsa65_key.pem -tls1_3 -groups X25519MLKEM768'. Connect with: 'openssl s_client -connect localhost:4433 -tls1_3 -groups X25519MLKEM768 -CAfile ca_cert.pem'. The -brief flag shows the negotiated cipher suite and key exchange group for quick verification.

Hybrid PQC Certificates: Generation, Testing, and Compatibility

Pure PQC certs break legacy verifiers; hybrid designs carry classical + PQC material. This guide summarizes composite, catalyst, and chameleon styles, tooling, and what ships in production today—with algorithm background in NIST PQC algorithms.

Hybrid PQC Certificates: Generation, Testing, and Compatibility

TL;DR: Production now: hybrid TLS 1.3 key exchange (X25519MLKEM768) + classical ECDSA certificates. Lab now: ML-DSA and oqs-provider composite signatures. Not production-default yet: composite/catalyst certificates in browsers—standards and client support still catching up.

Why This Matters

Executives: Don’t fund “PQC TLS” that only swaps certs—session protection starts with KEM; auth evolution follows client ecosystems.

Security: Hybrid KEM addresses harvest-now-decrypt-later without waiting for PQC signature ubiquity.

Engineers: Certificate bloat breaks assumptions; test CDNs, WAFs, and CI with multi-kilobyte chains.

Problem Statement

Pure ML-DSA leafs fail on clients that don’t know the OID.
Terminology collision: “hybrid” means KEM, composite sig, or catalyst extensions depending on author.
Tooling split: OpenSSL 3.5 native vs oqs-provider vs Bouncy Castle for full format coverage.
Standards: Composite I-Ds ≠ universal RFC yet—plan for churn.
Downgrade story: Catalyst designs may let legacy clients validate classical only—understand the threat model.

Why hybrid: the transition problem

Pure ML-DSA is structurally valid X.509 but unrecognized on many stacks → hard failure. Hybrid certificates aim to carry both classical and PQC so updated verifiers use both and legacy verifiers use classical—different designs achieve this differently.

Separate concern: Hybrid key exchange (e.g. X25519MLKEM768) is standardized and deployable now; it does not replace the need to plan PQC signatures later.

Three hybrid certificate approaches

Summarized vs PKI Consortium PQC matrix (pqccm).

Composite certificates

Single cert; composite public key and composite signature OIDs embed both classical and PQC. Pros: clear semantics, standard ASN.1 shape. Cons: verifiers that don’t know the composite OID reject the whole cert—no classical-only fallback inside the same fields.

Hybrid (catalyst / alternative) certificates

ITU-T X.509 alternative extensions: classical “primary” cert; PQC in extensions PQC-aware clients understand. Pros: legacy may ignore unknown extensions and still validate classical. Cons: parsing complexity; downgrade to classical-only if attacker can forge classical (by design in transition).

Chameleon certificates

Classical “outer” + embedded inner PQC cert in an extension—strong transition story, ~2× size.

Tooling (verify versions locally)

OpenSSL 3.5 (native)

Pure ML-DSA (and KEM) for lab certs and TLS with PQC signatures on stacks that support them—not native composite catalyst generation.

openssl genpkey -algorithm ML-DSA-65 -out server_key.pem
openssl req -x509 -new -key server_key.pem \
  -out server_cert.pem -days 365 \
  -subj "/CN=pqc-lab.example.com"
openssl x509 -in server_cert.pem -text -noout | head -20

oqs-provider (composite-style signature algorithms)

Hybrids like p384_mldsa65 combine classical + ML-DSA under one provider algorithm name.

openssl genpkey -algorithm p384_mldsa65 \
  -provider oqsprovider -out hybrid_key.pem
openssl req -x509 -new -key hybrid_key.pem \
  -provider oqsprovider \
  -out hybrid_cert.pem -days 365 \
  -subj "/CN=hybrid-lab.example.com"
openssl x509 -in hybrid_cert.pem -text -noout -provider oqsprovider

Examples: p256_mldsa44, rsa3072_mldsa44, p384_mldsa65, p521_mldsa87. Catalyst/chameleon: use Bouncy Castle PoCs / tools for full format coverage.

IETF Hackathon PQC certificates

Cross-vendor artifacts and matrices: IETF-Hackathon/pqc-certificates.

Testing hybrid PQC TLS

s_server / s_client with hybrid KEM

openssl genpkey -algorithm ML-DSA-65 -out ca_key.pem
openssl req -x509 -new -key ca_key.pem -out ca_cert.pem -days 3650 \
  -subj "/CN=PQC Test CA/O=Lab"
openssl genpkey -algorithm ML-DSA-65 -out server_key.pem
openssl req -new -key server_key.pem -out server_csr.pem \
  -subj "/CN=pqc-lab.example.com"
openssl x509 -req -in server_csr.pem -CA ca_cert.pem -CAkey ca_key.pem \
  -CAcreateserial -out server_cert.pem -days 365

openssl s_server -cert server_cert.pem -key server_key.pem \
  -tls1_3 -groups X25519MLKEM768 -accept 4433

openssl s_client -connect localhost:4433 -tls1_3 \
  -groups X25519MLKEM768 -CAfile ca_cert.pem -brief

Confirm group X25519MLKEM768 and expected signature algorithm in output.

Size checks

wc -c classical_cert.pem pqc_cert.pem hybrid_cert.pem
openssl x509 -in classical_cert.pem -outform DER -o classical.der
# compare DER sizes; full chain byte count for realistic handshake modeling

Rule of thumb (order of magnitude): ECDSA P-256 leaf ~0.5–0.8 KiB DER; ML-DSA-65 leaf ~5–6 KiB; composite P-384 + ML-DSA-65 ~6–7 KiB; three-cert ML-DSA chains often ~15–20 KiB vs classical ~2–3 KiB.

Nginx (illustrative)

Requires nginx built against OpenSSL 3.5+ with appropriate directives; example pattern:

ssl_conf_command Groups X25519MLKEM768;
# ssl_conf_command SignatureAlgorithms ML-DSA-65;  # if using ML-DSA certs

Compatibility matrix (high level)

Capability	Maturity
X25519MLKEM768	Production in major browsers / OpenSSL 3.5
Pure ML-DSA server certs	Lab / limited production verifier support
Composite certs (oqs-provider / BC)	Generation & internal testing; not universal browser TLS auth
Catalyst extensions	Mostly research / BC—limited mainstream TLS

Practical recommendation

Deploy now: Hybrid KEM + classical certs.
Test now: ML-DSA and composite pipelines, monitoring, and size limits.
Track: IETF composite drafts + browser PQC signature roadmaps.

Operational checklist

Benchmark handshake size end-to-end (edge, mobile, API gateway)
Inventory tools that parse or inspect certs—upgrade if size/OID limits exist
OpenSSL + provider versions pinned in runbooks
Lab matrix aligned with IETF Hackathon artifacts for regression tests

NIST PQC algorithms — ML-KEM / ML-DSA / SLH-DSA sizes and OpenSSL
TLS protocol
X.509 standard
Cryptographic primitives
Key management best practices
HSM integration — signing throughput for large signatures
Certificate lifecycle management
Threat models and attack vectors

Hybrid PQC Certificates: Generation, Testing, and Compatibility

Hybrid PQC Certificates: Generation, Testing, and Compatibility

Why This Matters

Problem Statement

Why hybrid: the transition problem

Three hybrid certificate approaches

Composite certificates

Hybrid (catalyst / alternative) certificates

Chameleon certificates

Tooling (verify versions locally)

OpenSSL 3.5 (native)

oqs-provider (composite-style signature algorithms)

IETF Hackathon PQC certificates

Testing hybrid PQC TLS

s_server / s_client with hybrid KEM

Size checks

Nginx (illustrative)

Compatibility matrix (high level)

Practical recommendation

Operational checklist

Related documentation