Qlab
Post-Quantum PKI educational demos — Trust the transition to quantum-safe cryptography
title: "Learning Path"
description: "Post-Quantum PKI Lab - Hands-on learning for PQC migration"
QLAB
Post-Quantum PKI Lab
QLAB is an educational resource to help teams understand PKI and Post-Quantum Cryptography (PQC) migration through hands-on practice.
"The PKI is the tool for transition — post-quantum is an engineering problem, not magic."
What you'll learn:
- Understand the quantum threats to current cryptography: Store Now, Decrypt Later (SNDL) and Trust Now, Forge Later (TNFL)
- Assess your PQC migration urgency using Mosca's theorem
- Issue classical and post-quantum certificates with the same workflow
- Build complete PQC hierarchies (Root CA → Issuing CA → End-Entity)
- Deploy hybrid certificates for backward-compatible migration
- Manage full lifecycle: revocation, OCSP, CRL
- Sign code, timestamp documents, and create LTV signatures
- Encrypt with ML-KEM key encapsulation (the new pattern)
- Practice crypto-agile CA migration
QLAB uses Qpki for all PKI operations.
Installation
Prerequisites:
- Git — for cloning the repository
- Bash — for running demos (Git Bash or WSL on Windows)
- OpenSSL 3.x — optional, for cross-verification commands
macOS / Linux
git clone https://github.com/qpki/qlab.git
cd qlab
./tooling/install.sh
Windows
# 1. Install QPKI (PowerShell)
git clone https://github.com/qpki/qlab.git
cd qlab
.\tooling\install.ps1
# 2. Run demos (requires Git Bash or WSL)
./journey/00-revelation/demo.sh
Note: The install script works in PowerShell, but the demos require Git Bash or WSL.
Getting Started
./journey/00-revelation/demo.sh
Learning Path
Total time: ~2h | Quick path: 20 min (Revelation + Quick Start)
🗺️ Journey Map
┌───────────────────────────────────────────────────────────────┐
│  AWARENESS           BUILD               LIFECYCLE            │
│  ┌──────┐ ┌──────┐   ┌──────┐ ┌──────┐   ┌──────┐ ┌──────┐    │
│  │Lab-00│→│Lab-01│ → │Lab-02│→│Lab-03│ → │Lab-04│→│Lab-05│    │
│  │Why?  │ │How?  │   │Chain │ │Hybrid│   │CRL   │ │OCSP  │    │
│  └──────┘ └──────┘   └──────┘ └──────┘   └──────┘ └──────┘    │
│                                                      ↓        │
│  MIGRATION           ENCRYPTION         LONG-TERM SIGS        │
│  ┌──────┐            ┌──────┐       ┌──────┬──────┬──────┐    │
│  │Lab-10│     ←      │Lab-09│   ←   │Lab-06│Lab-07│Lab-08│    │
│  │Agile │            │KEM   │       │Sign  │Time  │LTV   │    │
│  └──────┘            └──────┘       └──────┴──────┴──────┘    │
└───────────────────────────────────────────────────────────────┘
🚀 Awareness
| # | Lab | Time | Takeaway |
|---|-----|------|----------|
| 0 | The Quantum Threat | 10 min | Your data is already being recorded |
| 1 | Classical vs Post-Quantum | 10 min | Same workflow, just different algorithms |
↓ Let's build!
📚 Build
| # | Lab | Time | Takeaway |
|---|-----|------|----------|
| 2 | Full PQC Chain | 10 min | Build a 100% PQC chain |
| 3 | Hybrid | 10 min | Or hybrid to coexist with legacy |
↓ PKI operations stay identical
⚙️ Lifecycle
| # | Lab | Time | Takeaway |
|---|-----|------|----------|
| 4 | Revocation | 10 min | Revoke = same command |
| 5 | OCSP | 10 min | Verify = same protocol |
↓ Sign, timestamp, archive for decades
💼 Long-Term Signatures
| # | Lab | Time | Takeaway |
|---|-----|------|----------|
| 6 | Code Signing | 10 min | Signatures that outlive the threat |
| 7 | Timestamping | 15 min | Prove WHEN, forever |
| 8 | LTV | 15 min | Bundle proofs for offline verification |
↓ Except for encryption...
🔐 Encryption
| # | Lab | Time | Takeaway |
|---|-----|------|----------|
| 9 | Encryption | 15 min | KEM keys require a new pattern: attestation |
↓ And for production migration?
🧭 Migration
| # | Lab | Time | Takeaway |
|---|-----|------|----------|
| 10 | Crypto-Agility | 15 min | CA versioning + trust bundles |
Algorithms
Post-Quantum (NIST 2024)
- ML-DSA (FIPS 204) — Lattice-based signatures → replaces ECDSA
- SLH-DSA (FIPS 205) — Hash-based signatures (conservative)
- ML-KEM (FIPS 203) — Key encapsulation → replaces ECDH
Hybrid (Transition)
- Catalyst certificates (ITU-T X.509 9.8)
- Composite certificates (supported, no lab demo)
See Qpki for the full list of supported algorithms.
Resources
- Qpki — The PKI toolkit used by QLAB
- Glossary — PQC and PKI terminology
- Troubleshooting — Common issues and solutions
- NIST Post-Quantum Cryptography
- FIPS 203 (ML-KEM)
- FIPS 204 (ML-DSA)
- ITU-T X.509 (Hybrid Certificates)
License
Apache License 2.0 — See LICENSE
