For Certificate Scan Outcome Analysis

Scope of Discovery

What it shows:
  • How certificates were discovered:
    • Agentless network scan (TLS handshake analysis)
    • Agent-based scan (local stores/configs on servers)
    • Managed device & CA integrations (PKI, load balancers, appliances).
Why it matters:
  • Ensures you have complete coverage across public and internal environments
  • Prevents hidden certificates from being left out of PQC planning.
Action:
  • Verify that all discovery sources are enabled to avoid blind spots.

Certificate Inventory

What it shows:
  • Full certificate chain elements:
    • Root (trust anchors)
    • Intermediate (delegated issuers)
    • Device/Service (bound to servers, apps, devices)
    • Leaf (end-entity certs for TLS, S/MIME, code signing, etc.)
  • Classification: public-facing vs internal.
Why it matters:
  • PQC readiness is impacted not only by leaf certs, but also by roots and intermediates
  • A weak root/intermediate undermines the trust of all dependent certificates.
Action:
  • Review inventory to ensure all trust chain elements are scanned.

Algorithms and Key Strength

What it shows:
  • Breakdown of:
    • Asymmetric algorithms (RSA, ECC, PQC, Hybrid)
    • Hash/signature algorithms (SHA-1, SHA-2, SHA-3, Dilithium, Falcon etc)
    • Key sizes (RSA-2048/4096, ECC-P256/P384, PQC parameter sets).
Why it matters:
  • Quantum computers will break RSA and ECC
  • Deprecated algorithms (MD5, SHA-1) are already insecure today
  • PQC algorithms (ML-KEM,ML-DSA,SLH-DSA) align with NIST recommendations.
Action:
  • Identify certificates using weak or quantum-vulnerable algorithms
  • Prioritize replacing them with hybrid or PQC-ready certificates.

Quantum Readiness Overview

Based on the signature algorithms used and their cryptographic strength, digital certificates in your cryptographic environment are scanned and classified as quantum vulnerable and quantum resistant.

Quantum vulnerable: Certificates that use classical cryptographic algorithms that are at risk in a post-quantum environment

Quantum resistant: Certificates that use post-quantum cryptographic algorithms that are designed to withstand classical as well as quantum computational attacks

The Quantum Readiness Overview donut chart represents this classification.

As seen in the image, the chart is rendered using two segments, Quantum Resistant and Quantum Vulnerable, each representing the percentage distribution of certificates that fall in the corresponding category. The center of the chart displays the total number of certificates scanned.

The chart is rendered with the following interactivities:

  • Hover over each segment to see the percentage distribution (also displayed in the chart legend).
  • Click a legend to show/hide the corresponding category on the chart.
  • Click Know More for a detailed reading and the recommended next steps.

Severity Assessment (NIST-Aligned)

What it shows:
  • Certificates rated by risk level.
    Cert Type Description Certificate Validity Window NIST PQC Timeline Severity
    Classical: RSA ≤ 2048 bits ~112-bit classical strength After 2030 Insecure beyond 2030 Critical
    Classical: RSA ≤ 2048 bits ~112-bit classical strength On/before 2030 Allowed within window High
    Classical: RSA 2048–3071 bits ~112–128-bit classical strength After 2035 Insecure beyond 2035 Critical
    Classical: RSA 2048–3071 bits ~112–128-bit classical strength On/before 2035 Allowed within window High
    Classical: RSA ≥ 3072 bits ≥128-bit classical strength Any Classical secure High
    Classical: DSA ≤ 1024 bits Weak / legacy Any Already insecure Critical
    Classical: DSA ≤2048 bits Moderate classical strength Any Classical secure High
    Classical: DSA ≥ 3072 bits Strong classical strength Any Classical secure High
    Classical: ECC < P‑256 Weak curve After 2030 Insecure beyond 2030 Critical
    Classical: ECC < P‑256 Weak curve On/before 2030 Allowed within window High
    Classical: ECC ≥ P‑256 Modern curve Any Classical secure High
    Classical: ECC P‑384 / P‑521 Strong curve Any Classical secure High
    Classical: Ed25519 / Ed448 Modern curve Any Classical secure High
    Hybrid: RSA + PQC Classical + PQC Any Recommended now → post-2035 Medium
    Hybrid: ECC + PQC Classical + PQC Any Recommended now → post-2035 Medium
    Pure PQC ML-KEM

    ML-DSA

    SLH-DSA

    		 Any Recommended now → post-2035 Low (Quantum Safe)
Why it matters:
  • Helps you prioritize migration efforts
  • Aligns with NIST PQC transition guidance.
Action:
  • Remediate Critical and High first (public-facing certificates first).

Key Usage and Extended Key Usage (EKU)

What it shows:
  • Key Usage: Digital Signature, Key Encipherment, Data Encipherment, Certificate Signing
  • Extended Key Usage (EKU): TLS Web Server, Email Protection, Code Signing, Client Authentication.
Why it matters:
  • Different usages have different business impact

    Example: PQC vulnerability in code signing certs may be higher risk than in a test server cert.

Action:
  • Focus migration on business-critical usages (e.g., TLS for customer apps, email protection, code signing).

Quantum Readiness Classification

What it shows:
  • Classical → Quantum-vulnerable
  • Hybrid → Transitional (RSA/ECC + PQC)
  • PQC-only → Quantum-safe.
Why it matters:
  • Gives a snapshot of your organization’s post-quantum maturity.
Action:
  • Track progress from Classical → Hybrid → PQC only certificates.

High-Risk Certificates

What it shows:
  • Certificates using deprecated algorithms (MD5, SHA-1, RSA-1024, weak ECC curves)
  • Public vs internal exposure breakdown
  • Risk by Trust Hierarchy: Evaluates each level of the certificate chain.
    1. Root CAs → If weak, all downstream certs are at risk.
    2. Intermediate CAs → If vulnerable, compromise impacts every leaf they issue.
    3. Leaf Certificates → Endpoint exposure, typically seen in TLS handshakes.
Why it matters:
  • Public facing weak certificates pose the highest attack risk
  • A weak intermediate or root introduces risk across hundreds or thousands of certificates
  • Trust hierarchy risk helps prioritize remediation not just by usage, but by chain impact.
Action:
  • Replace or re-issue from secure intermediates and roots first
  • Ensure PKI trust anchors (roots & intermediates) are PQC-aligned
  • Prioritize migration of public facing chains over internal one.

Quantum Readiness Mapping

What it shows:
  • Certificates checked against:
    • NIST PQC guidance
    • Internal crypto/security policies
    • Standards (PCI-DSS, HIPAA, eIDAS, ETSI).

Dashboards

What it shows:
  • PQC Readiness Score: % PQC-ready vs vulnerable certificates
  • Classification View: Classical, Hybrid, PQC-only
  • Quantum Readiness Trend: Progress over time
  • Public vs Internal Risk: PQC exposure split
  • Algorithm Summary: Usage of asymmetric, hash, signature algorithms
  • Key Usage & EKU Summary: PQC readiness mapped to business functions
  • Risk by Trust Hierarchy: Risk summarized by root, intermediate and leaf certificates.
Why it matters:
  • Provides executive and technical visibility into PQC progress.
Action:
  • Track trends over time to demonstrate migration progress.

Migration Guidance

What it shows:
  • Recommended steps for moving to PQC
    • Replace weak certificates with hybrid/PQC-ready certs
    • Update PKI/CA infrastructure for PQC issuance
    • Enforce minimum key sizes and NIST-approved PQC algorithms.
Why it matters:
  • Ensures a structured, low-risk migration to PQC without disrupting services.
Action:
  • Follow a phased approach: ClassicalHybridPQC only.