← Week 4: Migration Planning

Day 22: PKI Migration Layers

Phase 3 · July 29, 2026

Agenda (2–3 hours)

  • Read (45 min): NIST IR 8547 §5–6 (PKI-specific migration guidance); CISA PQC migration guide §3 (inventory and planning)
  • Study (60 min): What actually needs to change at each layer, in what order
  • Challenge (45 min): Dependency map for your service's migration

The Migration Onion

PQC migration is a layered problem. You can't just "update the algorithm" — each
layer has dependencies on the layers below it.

Layer 5: Application layer  (provisioning API, DynamoDB, Lambda code)
Layer 4: Certificate layer  (CA hierarchy, cert profiles, CT, revocation)
Layer 3: TLS layer          (key exchange groups, cipher suites, cert verification)
Layer 2: HSM layer          (key storage, signing operations, key ceremonies)
Layer 1: Library layer      (aws-lc-rs, rustls, openssl in dependencies)
Layer 0: AWS service layer  (ACM PCA, KMS, CloudHSM PQC support)

You can't migrate Layer 4 (issue ML-DSA certs) without Layer 2 (HSM support).
You can migrate Layer 3 (hybrid TLS key exchange) without Layer 4 (certs stay ECDSA).

Layer 0: AWS Service Layer

What AWS needs to provide before you can fully migrate:

Service          PQC Status (2026)      Impact
AWS KMS          ML-KEM roadmap         Key management for provisioning
AWS CloudHSM     PQC roadmap            CA private key protection
ACM Private CA   ML-DSA roadmap         Certificate issuance
s2n-tls          X25519Kyber768 ✓       Default TLS for many AWS services
Lambda           No changes needed      Application layer unaffected
DynamoDB         No changes needed      Data at rest separate concern

Layer 0 is the critical path for full migration. You can do TLS hybrid today,
but you can't migrate CA keys until CloudHSM supports ML-DSA.

Layer 1: Library Layer

What you can do today:

# Update Cargo.toml
rustls = "0.23"
rustls-aws-lc-rs = "0.2"    # enables PQC in rustls
aws-lc-rs = "1"             # PQC primitives available now

# For Lambda runtime:
# aws-lambda-rust-runtime uses hyper/tokio — check TLS stack

Action today: audit every Rust crate that does crypto.
Look for: ring, openssl, rustls (with ring provider), native-tls.
Each needs a migration path to aws-lc-rs or equivalent PQC-capable library.
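The audit described above, as an added example (not code from the page, rustls or aws-lc-rs): a small Cargo.lock reader that reports every crate on the watchlist together with the packages that pull it in, and treats rustls as a finding only when the lockfile shows it depending on ring rather than aws-lc-rs. The lockfile text is constructed for the example; run it against your own Cargo.lock to get the real list.

```rust
// Added example (not from the page): scan a Cargo.lock for the crates the
// page lists as needing a PQC migration path, and flag rustls only when it
// is built on the ring provider. SAMPLE_LOCK is a constructed lockfile
// (version/checksum lines omitted; the parser ignores them anyway).
use std::collections::{BTreeMap, BTreeSet};

/// Crates the page names: ring, openssl, native-tls, and rustls when it
/// pulls in ring rather than aws-lc-rs.
const WATCHLIST: &[&str] = &["ring", "openssl", "native-tls", "rustls"];

pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "provisioning-api"
dependencies = [
 "reqwest",
 "rustls",
]

[[package]]
name = "reqwest"
dependencies = [
 "native-tls",
]

[[package]]
name = "native-tls"
dependencies = [
 "openssl",
]

[[package]]
name = "openssl"

[[package]]
name = "rustls"
dependencies = [
 "ring",
]

[[package]]
name = "ring"
"#;

/// Minimal Cargo.lock reader: package name -> names of its direct
/// dependencies. Only `[[package]]`, `name = "..."` and multi-line
/// `dependencies = [...]` entries are interpreted.
pub fn parse_lock(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut pkgs: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let mut current: Option<String> = None;
    let mut in_deps = false;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            current = None;
            in_deps = false;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            let name = rest.trim_matches('"').to_string();
            pkgs.entry(name.clone()).or_default();
            current = Some(name);
        } else if line == "dependencies = [" {
            in_deps = true;
        } else if in_deps && line == "]" {
            in_deps = false;
        } else if in_deps {
            // Entries are `"ring",` (v3 lockfiles) or `"ring 0.17.8 (...)",`
            // (older); either way the crate name is the first token.
            let entry = line.trim_matches(|c: char| c == '"' || c == ',');
            if let (Some(dep), Some(cur)) = (entry.split_whitespace().next(), &current) {
                pkgs.get_mut(cur).unwrap().insert(dep.to_string());
            }
        }
    }
    pkgs
}

#[derive(Debug)]
pub struct Finding {
    pub crate_name: String,
    pub reason: String,
    pub used_by: Vec<String>, // direct dependents: where the swap has to happen
}

/// Report every watchlisted crate in the lock, with the packages that pull it in.
pub fn audit(pkgs: &BTreeMap<String, BTreeSet<String>>) -> Vec<Finding> {
    let mut findings = Vec::new();
    for name in WATCHLIST {
        let Some(deps) = pkgs.get(*name) else { continue };
        let reason = match *name {
            "rustls" if deps.contains("ring") => "rustls built on the ring provider (no PQC groups)".to_string(),
            "rustls" => continue, // rustls on aws-lc-rs is the target state, not a finding
            other => format!("{other} has no PQC key exchange; needs a path to aws-lc-rs or equivalent"),
        };
        let used_by = pkgs.iter().filter(|(_, d)| d.contains(*name)).map(|(p, _)| p.clone()).collect();
        findings.push(Finding { crate_name: name.to_string(), reason, used_by });
    }
    findings
}

fn main() {
    for f in audit(&parse_lock(SAMPLE_LOCK)) {
        println!("{}: {} (used by {:?})", f.crate_name, f.reason, f.used_by);
    }
}
```

The `used_by` column is the useful part: openssl shows up because native-tls pulls it in through reqwest, so the fix is a reqwest feature change, not a direct dependency edit.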

Layer 3: TLS Key Exchange (Can Do Today)

This is the highest-ROI early migration step:

  • No cert changes required
  • No HSM changes required
  • Protects new sessions from HNDL immediately

For your provisioning service:

  1. Update Lambda client code: install aws-lc-rs provider, enable X25519MLKEM768
  2. Update server (if you own it): install aws-lc-rs provider
  3. Both sides negotiate hybrid automatically when they both support it

Estimated effort: 1–2 days of code change.
Risk: minimal — falls back to X25519 if either side doesn't support hybrid.
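The negotiation in steps 1–3 and the fallback behind "Risk: minimal", modelled in Rust as an added example (not code from the page, rustls or aws-lc-rs). It assumes a TLS 1.3 server that walks its own preference list and sends a HelloRetryRequest when the client offered no key_share for the chosen group; the group codepoints are the IANA values, and the client and server configurations are constructed for the example.

```rust
// Added example (not from the page): a model of the TLS 1.3 group selection
// that gives hybrid key exchange its "safe to enable one side at a time"
// property. Codepoints are the IANA values; the client and server
// configurations are constructed for illustration, not taken from rustls.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
#[repr(u16)]
pub enum Group {
    Secp256r1 = 0x0017,
    X25519 = 0x001D,
    X25519MLKEM768 = 0x11EC, // hybrid: X25519 share || ML-KEM-768 share
}

impl Group {
    pub fn is_hybrid(self) -> bool {
        matches!(self, Group::X25519MLKEM768)
    }
    /// Size of the client's key_share entry for this group, in bytes.
    /// An ML-KEM-768 encapsulation key is 1184 bytes, so the hybrid share
    /// alone pushes the ClientHello past 1200 bytes.
    pub fn client_share_len(self) -> usize {
        match self {
            Group::Secp256r1 => 65,
            Group::X25519 => 32,
            Group::X25519MLKEM768 => 32 + 1184,
        }
    }
}

/// What the client puts in its ClientHello: supported_groups in preference
/// order, and the (usually shorter) list of groups it generated key_shares for.
pub struct ClientHello {
    pub supported_groups: Vec<Group>,
    pub key_shares: Vec<Group>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    /// Agreed on `group`; `hello_retry` means the server had to send a
    /// HelloRetryRequest because no key_share for that group was offered.
    Agreed { group: Group, hello_retry: bool },
    /// No group in common: the server aborts with handshake_failure.
    NoCommonGroup,
}

/// Server selection (RFC 8446 §4.2.7, §4.2.8): walk the server's preference
/// list and take the first group the client also supports. Enabling a hybrid
/// group on one side therefore never breaks a peer that lacks it.
pub fn negotiate(server_prefs: &[Group], hello: &ClientHello) -> Outcome {
    for g in server_prefs {
        if hello.supported_groups.contains(g) {
            return Outcome::Agreed { group: *g, hello_retry: !hello.key_shares.contains(g) };
        }
    }
    Outcome::NoCommonGroup
}

pub const HYBRID_SERVER: &[Group] = &[Group::X25519MLKEM768, Group::X25519, Group::Secp256r1];
pub const LEGACY_SERVER: &[Group] = &[Group::X25519, Group::Secp256r1];

/// Client after the Layer 3 change: offers hybrid first and sends shares for
/// both hybrid and X25519, so a legacy server falls back without a round trip.
pub fn hybrid_client() -> ClientHello {
    ClientHello {
        supported_groups: vec![Group::X25519MLKEM768, Group::X25519, Group::Secp256r1],
        key_shares: vec![Group::X25519MLKEM768, Group::X25519],
    }
}

/// Client before the change.
pub fn legacy_client() -> ClientHello {
    ClientHello { supported_groups: vec![Group::X25519, Group::Secp256r1], key_shares: vec![Group::X25519] }
}

/// Misconfigured client: hybrid share only. Still interoperates, but every
/// legacy server costs a HelloRetryRequest round trip.
pub fn hybrid_share_only_client() -> ClientHello {
    ClientHello { supported_groups: vec![Group::X25519MLKEM768, Group::X25519], key_shares: vec![Group::X25519MLKEM768] }
}

/// Fraction of sessions that agreed on a non-hybrid group: the share of new
/// traffic still exposed to harvest-now-decrypt-later. Worth a metric.
pub fn classical_fraction(outcomes: &[Outcome]) -> f64 {
    let classical = outcomes
        .iter()
        .filter(|o| matches!(o, Outcome::Agreed { group, .. } if !group.is_hybrid()))
        .count();
    classical as f64 / outcomes.len().max(1) as f64
}

fn main() {
    let cases = [
        ("hybrid client -> hybrid server", negotiate(HYBRID_SERVER, &hybrid_client())),
        ("hybrid client -> legacy server", negotiate(LEGACY_SERVER, &hybrid_client())),
        ("legacy client -> hybrid server", negotiate(HYBRID_SERVER, &legacy_client())),
        ("hybrid-share-only client -> legacy server", negotiate(LEGACY_SERVER, &hybrid_share_only_client())),
    ];
    for (label, outcome) in &cases {
        println!("{label}: {outcome:?}");
    }
    let outcomes: Vec<Outcome> = cases.into_iter().map(|(_, o)| o).collect();
    println!("classical fraction: {:.2}", classical_fraction(&outcomes));
}
```

The fourth case is the caveat to test before rollout: a client that offers only the hybrid key_share still interoperates with every legacy server, but pays a HelloRetryRequest round trip each time. Once hybrid is enabled, `classical_fraction` is the number to watch, because it is the share of new sessions still exposed to HNDL.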

Layer 4: Certificate Migration (Blocked on HSMs)

This is the hard part. Certificate migration requires:
  1. HSM support for ML-DSA (CloudHSM roadmap)
  2. New CA hierarchy (root + intermediate) with ML-DSA keys
  3. Key ceremony for new root CA
  4. New certificate profiles (FIPS 204 format)
  5. Client code updates to validate ML-DSA signatures
  6. Transition period: dual-cert or composite cert delivery
  7. CRL/OCSP infrastructure updates
  8. CT log acceptance of PQC certs

Estimated effort: 6–18 months of PKI operations work.
Start date: when CloudHSM PQC support is available.

Challenge Assignment

Draw a dependency map of your migration:

For each layer (0–5), list:

  1. What PQC change is needed at this layer?
  2. What does it depend on (which lower layers must be complete first)?
  3. Can it be done in parallel with other layers?
  4. Estimated effort (T-shirt sizing: S, M, L, XL)
  5. Who owns it (your team vs. platform team vs. AWS)?

This becomes the "Migration Dependency Graph" section of your roadmap.
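The dependency structure of the onion (Layer 4 needs Layer 2, which needs CloudHSM; Layer 3 needs only the library change) and the eight certificate-migration steps, written out as a graph in Rust. This is an added example, not anything from the page or from AWS; the item ids and owner labels are constructed to mirror questions 2, 3 and 5 of the challenge, and the edges encode only what the page states. A topological order gives the sequencing, `can_start` gives the parallel work, and `root_blockers` names what an item is actually waiting on.

```rust
// Added example (not from the page): the migration layers as a dependency
// graph. Items and edges encode only what the page states (Layer 4 needs
// Layer 2, which needs CloudHSM; TLS hybrid needs only the library change);
// the item ids and owner labels are constructed for illustration.
use std::collections::{BTreeMap, BTreeSet};

#[derive(Debug, Clone)]
pub struct Item {
    pub id: &'static str,
    pub layer: u8,
    pub owner: &'static str, // "AWS", "platform" or "team", as in the challenge
    pub depends_on: Vec<&'static str>,
}

fn item(id: &'static str, layer: u8, owner: &'static str, deps: &[&'static str]) -> Item {
    Item { id, layer, owner, depends_on: deps.to_vec() }
}

/// The dependency map for the provisioning service described on the page.
pub fn migration_graph() -> Vec<Item> {
    vec![
        item("aws-cloudhsm-mldsa", 0, "AWS", &[]),
        item("aws-acmpca-mldsa", 0, "AWS", &[]),
        item("lib-aws-lc-rs", 1, "team", &[]),
        item("hsm-mldsa-keys", 2, "platform", &["aws-cloudhsm-mldsa"]),
        item("tls-hybrid-kex", 3, "team", &["lib-aws-lc-rs"]),
        item("ca-hierarchy-mldsa", 4, "platform", &["hsm-mldsa-keys", "aws-acmpca-mldsa"]),
        item("cert-profiles-fips204", 4, "platform", &["ca-hierarchy-mldsa"]),
        item("revocation-crl-ocsp", 4, "platform", &["ca-hierarchy-mldsa"]),
        item("ct-log-acceptance", 4, "platform", &["cert-profiles-fips204"]),
        item("client-mldsa-validation", 5, "team", &["lib-aws-lc-rs"]),
        item("dual-cert-rollout", 5, "team",
             &["cert-profiles-fips204", "revocation-crl-ocsp", "client-mldsa-validation"]),
    ]
}

/// Kahn's algorithm: an order in which every item follows its dependencies.
/// Errors on an unknown dependency or a cycle; both mean the map is wrong.
pub fn topo_order(items: &[Item]) -> Result<Vec<&'static str>, String> {
    let mut indeg: BTreeMap<&'static str, usize> =
        items.iter().map(|i| (i.id, i.depends_on.len())).collect();
    let mut dependents: BTreeMap<&'static str, Vec<&'static str>> = BTreeMap::new();
    for it in items {
        for d in &it.depends_on {
            if !indeg.contains_key(d) {
                return Err(format!("{} depends on unknown item {}", it.id, d));
            }
            dependents.entry(*d).or_default().push(it.id);
        }
    }
    let mut ready: BTreeSet<&'static str> =
        indeg.iter().filter(|(_, n)| **n == 0).map(|(id, _)| *id).collect();
    let mut order = Vec::new();
    while let Some(id) = ready.pop_first() {
        order.push(id);
        for dep in dependents.get(id).into_iter().flatten() {
            let n = indeg.get_mut(dep).unwrap();
            *n -= 1;
            if *n == 0 {
                ready.insert(*dep);
            }
        }
    }
    if order.len() != items.len() {
        return Err("dependency cycle detected".to_string());
    }
    Ok(order)
}

/// Items that can start now: not done, and every dependency done.
pub fn can_start(items: &[Item], done: &BTreeSet<&str>) -> Vec<&'static str> {
    items.iter()
        .filter(|i| !done.contains(i.id) && i.depends_on.iter().all(|d| done.contains(d)))
        .map(|i| i.id)
        .collect()
}

/// The unmet dependencies at the bottom of `id`'s chain: what you are
/// actually waiting on. For this map that is mostly Layer 0.
pub fn root_blockers(items: &[Item], id: &'static str, done: &BTreeSet<&str>) -> BTreeSet<&'static str> {
    let by_id: BTreeMap<&'static str, &Item> = items.iter().map(|i| (i.id, i)).collect();
    let (mut out, mut seen, mut stack) = (BTreeSet::new(), BTreeSet::new(), vec![id]);
    while let Some(cur) = stack.pop() {
        if !seen.insert(cur) { continue; }
        let Some(it) = by_id.get(cur) else { continue };
        let unmet: Vec<&'static str> =
            it.depends_on.iter().copied().filter(|d| !done.contains(d)).collect();
        if unmet.is_empty() && cur != id { out.insert(cur); }
        stack.extend(unmet);
    }
    out
}

fn main() {
    let g = migration_graph();
    for it in &g { println!("L{} {:<24} owner={}", it.layer, it.id, it.owner); }
    println!("order: {:?}", topo_order(&g).unwrap());
    let mut done = BTreeSet::new();
    println!("can start today: {:?}", can_start(&g, &done));
    done.insert("lib-aws-lc-rs");
    println!("after the library change: {:?}", can_start(&g, &done));
    println!("dual-cert-rollout waits on: {:?}", root_blockers(&g, "dual-cert-rollout", &done));
}
```

The output makes the page's point concrete: with nothing done, only the two AWS items and the library change can start; once the library change lands, TLS hybrid and client-side ML-DSA validation both become startable in parallel with the HSM work, while everything in Layer 4 still bottoms out on CloudHSM and ACM PCA.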

Resources

  • NIST IR 8547: PKI migration planning
  • CISA post-quantum migration guide: cisa.gov
  • AWS Security blog: "Preparing for post-quantum cryptography with AWS"