QNSP

Build Pattern · Go

Build PQC mTLS Between Internal Services

X25519MLKEM768 hybrid TLS + ML-DSA-65 SVIDs for inter-service authentication inside your VPC.

Wire QNSP-managed PQC certificates into your service mesh — hybrid X25519MLKEM768 TLS for confidentiality, ML-DSA-65 signed SPIFFE SVIDs for identity. Rotate via QNSP KMS automation; audit via audit-service. Pattern proven on QNSP's own 18-service production mesh.

Time to first PQC: 45 min
Primary SDK: Go
Services used: 3

QNSP services used

Stack

Code

Real code, real SDK calls

Snippets reference the published @cuilabs/qnsp SDK surface (TypeScript, Python, Go, Rust mirror byte-for-byte).

Generate an ML-DSA-65 service identity + hybrid TLS cert

```go
package main

import (
	"context"
	"log"
	"os"

	"github.com/cuilabs/qnsp-go/qnsp"
)

func main() {
	ctx := context.Background()

	// Fail closed: never continue with a missing client, key or certificate
	q, err := qnsp.NewClient(qnsp.WithAPIKey(os.Getenv("QNSP_API_KEY")))
	if err != nil {
		log.Fatalf("create QNSP client: %v", err)
	}

	// Generate an ML-DSA-65 signing key for service identity
	key, err := q.KMS().CreateKey(ctx, &qnsp.CreateKeyRequest{
		Algorithm: "ml-dsa-65",
		Purpose:   "signing",
		Tags:      map[string]string{"service": "payments-api"},
	})
	if err != nil {
		log.Fatalf("create ML-DSA-65 key: %v", err)
	}

	// Issue an mTLS cert signed by that key, valid for the mesh
	cert, err := q.KMS().IssueCert(ctx, &qnsp.IssueCertRequest{
		KeyID:    key.KeyID,
		Subject:  "spiffe://qnsp.cuilabs.io/payments-api",
		ValidFor: "72h",
		KemGroup: "X25519MLKEM768", // hybrid PQC TLS
	})
	if err != nil {
		log.Fatalf("issue mTLS certificate: %v", err)
	}

	// Hand 'cert' to your gRPC/HTTP server's TLS config
	_ = cert
}
```
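
The receiving side of this pattern, as an added example that is not QNSP's code or part of the SDK: it uses only Go's standard `crypto/tls` and `crypto/x509` to restrict the handshake to the X25519MLKEM768 group and to authorize the caller by the SPIFFE ID in its SVID. It assumes the issued cert has been converted to a `tls.Certificate` and that the TLS stack in use can verify the ML-DSA-65 chain; `authorizePeer`, `meshServerConfig`, `samplePeer` and the allow-list are hypothetical names and constructed values.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/url"
)

// authorizePeer enforces the X.509-SVID rule (exactly one URI SAN), then trust domain and caller allow-list.
func authorizePeer(chain []*x509.Certificate, domain string, allowed map[string]bool) error {
	if len(chain) == 0 || len(chain[0].URIs) != 1 {
		return fmt.Errorf("peer SVID must carry exactly one URI SAN")
	}
	id := chain[0].URIs[0]
	if id.Scheme != "spiffe" || id.Host != domain || !allowed[id.Path] {
		return fmt.Errorf("peer %q is not an allowed caller in %q", id, domain)
	}
	return nil
}

// meshServerConfig requires client certs, TLS 1.3 and the hybrid group with no classical fallback.
func meshServerConfig(cert tls.Certificate, roots *x509.CertPool, domain string, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{cert},
		ClientCAs:        roots,
		ClientAuth:       tls.RequireAndVerifyClientCert,
		MinVersion:       tls.VersionTLS13,
		CurvePreferences: []tls.CurveID{4588}, // X25519MLKEM768 (tls.X25519MLKEM768 since Go 1.24)
		VerifyConnection: func(cs tls.ConnectionState) error {
			return authorizePeer(cs.PeerCertificates, domain, allowed)
		},
	}
}

// samplePeer builds a constructed chain whose leaf carries only the given URI SANs.
func samplePeer(uris ...string) []*x509.Certificate {
	leaf := &x509.Certificate{}
	for _, u := range uris {
		p, _ := url.Parse(u) // inputs are fixed, well-formed sample strings
		leaf.URIs = append(leaf.URIs, p)
	}
	return []*x509.Certificate{leaf}
}

func main() {
	cfg := meshServerConfig(tls.Certificate{}, nil, "qnsp.cuilabs.io", map[string]bool{"/payments-api": true})
	fmt.Println(cfg.VerifyConnection(tls.ConnectionState{PeerCertificates: samplePeer("spiffe://qnsp.cuilabs.io/payments-api")}))
}
```

Because `CurvePreferences` lists only the hybrid group, a peer that cannot negotiate X25519MLKEM768 fails the handshake instead of falling back to a classical key exchange.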
