A certificate renewal is now a quantum decision

A security lead renewing a batch of TLS certificates or signing a firmware image is doing a routine job that now carries a quantum-era choice. On 9 July Cloudflare said plainly that it will not wait for better post-quantum signatures and will use ML-DSA, the algorithm standardised last year. It aims to be fully migrated by 2029, ahead of national deadlines that fall between 2030 and 2035.

The reason is timing, not preference. Quantum hardware and the software around it keep advancing, and the migration itself takes years to reach every certificate and device. Starting late, not choosing the wrong algorithm, is the real exposure.

Post-quantum has an easy half and a hard half

Most attention goes to encryption and the harvest-now-decrypt-later threat, where a new key exchange called ML-KEM protects data in transit. That half is already well underway across browsers and servers.

Signatures are the harder half. They authenticate certificates, code, firmware, documents and identity, and they live in certificate chains, embedded devices and long-lived roots that no one swaps overnight. ML-DSA signatures are larger than the ones they replace, and every layer - browsers, libraries, certificate authorities and hardware - has to add support before the move is real.

The better signatures are a NIST round, not a product

NIST advanced nine additional signature candidates - FAEST, HAWK, MAYO, MQOM, QR-UOV, SDitH, SNOVA, SQIsign and UOV - to a third evaluation round on 14 May 2026, with final tweaks due by 14 August 2026. Several are smaller or faster than ML-DSA on paper.

That round is a two-year study of implementation security and physical attacks. When NIST last picked a signature it still took about a year to draft the standard, another to publish it as FIPS 204, and another for certificate integration. A better signature is therefore a 2029-and-beyond artefact, not a choice you can make in 2026.

What an owner does before the next audit

Start with an inventory of where you sign: TLS certificates, code-signing, firmware update chains, and document and identity signatures. In Europe the eIDAS framework and the coming EU digital-identity wallet both ride on this signing layer, so the surface is wider than most teams assume.

Then adopt ML-DSA where you control the endpoints now, ask vendors and certificate authorities for a dated post-quantum signature roadmap, and treat crypto-agility - the ability to swap the algorithm later - as the deliverable. NIS2 and DORA already expect you to manage exactly this risk.