Post-quantum (ML-DSA) code signing with AWS Private CA and AWS KMS

Security Blog



This article demonstrates how to implement post-quantum ML-DSA code signing using AWS Private CA and AWS KMS, establishing quantum-resistant roots of trust for long-term security.

  • AWS Private CA now supports ML-DSA X.509 certificates for quantum-resistant PKI hierarchies
  • Create ML-DSA root and subordinate CAs, then issue code-signing certificates from the subordinate CA
  • Generate ML-DSA asymmetric key pairs in AWS KMS for signing operations
  • Sign code using the CMS (Cryptographic Message Syntax) standard with detached signatures
  • Verify signatures without AWS credentials using the root CA certificate in a trust store
  • ML-DSA provides quantum resistance while maintaining performance for large-scale deployments
  • Applicable to code signing, mTLS, IKEv2/IPsec, and IAM Roles Anywhere authentication

This release enables organizations to build quantum-resistant code-signing infrastructure and protect software authenticity against future quantum computing threats.




Related articles

  • Jun 13, 2025: How to create post-quantum signatures using AWS KMS and ML-DSA
  • Nov 10, 2025: AWS Private CA now supports post-quantum digital certificates
  • Jun 13, 2025: AWS KMS adds support for post-quantum ML-DSA digital signatures
  • Apr 7, 2025: ML-KEM post-quantum TLS now supported in AWS KMS, ACM, and Secrets Manager
