Why Your RSA Certificates Have an Expiration Date on Quantum Safety
RSA certificates that are perfectly secure today will become trivially breakable by quantum computers. Here's the timeline and what you should do about it.
Every RSA certificate in your infrastructure has two expiration dates. The first is printed right on it, the notAfter field your browser checks. The second isn't written anywhere, but it's arguably more important: the date a quantum computer can factor your key in hours instead of millennia.
The Math That Protects You (For Now)
RSA's security rests on a single assumption: factoring the product of two large primes is computationally infeasible for classical computers. An RSA-2048 key would take a classical supercomputer roughly 300 trillion years to break. That's a comfortable margin.
Shor's algorithm, running on a sufficiently powerful quantum computer, reduces that to hours. Not through brute force, but by taking a fundamentally different approach to the factoring problem that exploits quantum superposition and interference.
The Timeline Is Closer Than You Think
The question isn't if but when. Current estimates for a cryptographically relevant quantum computer (CRQC) range from 2030 to 2040, depending on the source:
- NSA (CNSA 2.0): Mandates PQC for national security systems by 2030, implying they believe the threat is real within that window
- Global Risk Institute: Estimates a 50% chance of RSA-2048 being broken by 2037
- IBM, Google, Microsoft: All have published quantum roadmaps targeting millions of logical qubits within the decade
Even the most conservative estimates put the deadline within the lifetime of certificates and keys being issued today.
Why Certificate Rotation Isn't Enough
"We rotate our certificates annually" is a common response. It misses the point for two reasons:
1. The data protected by those certificates outlives them. A TLS session encrypted with RSA key exchange today protects data that may be sensitive for decades. If an adversary records that session, they can decrypt it once quantum hardware arrives. This is the harvest-now, decrypt-later (HNDL) problem.
2. Your certificate chain is only as strong as its weakest link. Even if your leaf certificate uses a 4096-bit RSA key, your root CA's signing algorithm matters. If the root uses RSA-2048 with SHA-256, the entire chain is quantum-vulnerable. An attacker who can forge the root can forge any certificate it signs.
ECC Isn't Safe Either
If you've migrated from RSA to ECDSA or ECDH, you've improved performance but not quantum resistance. Elliptic curve cryptography is equally vulnerable to Shor's algorithm. A quantum computer that can break RSA-2048 can break P-256 with even less effort.
The only algorithms considered quantum-safe are the lattice-based and hash-based schemes standardized by NIST: ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205).
What a Certificate Audit Should Cover
A meaningful quantum readiness assessment of your certificate infrastructure should answer:
- Which certificates use RSA, ECDSA, or other quantum-vulnerable algorithms?
- What key sizes are in use? (RSA-1024 is already considered weak classically)
- What signature algorithms are used in the chain? (SHA-1 is a red flag regardless of quantum)
- How long until each certificate expires — and will quantum computers arrive before then?
- Which services handle data with long-term sensitivity?
Prioritizing the Migration
Not all certificates need to migrate at the same pace. Priority should be based on:
- Data sensitivity window: Healthcare, financial, and government data with 10+ year sensitivity should migrate first
- Key exchange vs. signing: Key exchange (protecting confidentiality) is more urgent than signing (protecting integrity) because of HNDL attacks
- External exposure: Internet-facing services are more likely to have traffic captured than internal services
- Certificate lifetime: Long-lived certificates (5+ years) issued today may still be active when CRQCs arrive
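As an added illustration (not code from this post or from Cerebion Rivet), here is a small Python triage that applies the audit questions and the prioritization criteria above to a constructed certificate inventory. The CRQC horizon, the inventory schema and the tiering rule are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# CRQC planning horizon. Assumption: 2030, the CNSA 2.0 deadline cited above.
CRQC_YEAR = 2030
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA"}  # all fall to Shor's algorithm

@dataclass
class CertRecord:            # one row of a certificate inventory (constructed schema)
    name: str
    key_algorithm: str       # "RSA", "ECDSA", "ML-DSA", ...
    key_bits: int            # RSA modulus / curve size (PQC parameter set for ML-DSA)
    signature_hash: str      # hash in the chain's signature algorithm, e.g. "SHA256"
    not_before: date
    not_after: date
    use: str                 # "key-exchange" (confidentiality) or "signing" (integrity)
    sensitivity_years: int   # how long the protected data stays sensitive
    internet_facing: bool

def assess(rec: CertRecord, crqc_year: int = CRQC_YEAR):
    """Return (tier, findings); each urgency factor mirrors one criterion above. Tiering is hypothetical."""
    findings = []
    if rec.key_algorithm == "RSA" and rec.key_bits < 2048:
        findings.append(f"RSA-{rec.key_bits} is already weak classically")
    if rec.signature_hash.upper().replace("-", "") == "SHA1":
        findings.append("SHA-1 in the chain: red flag regardless of quantum")
    if rec.key_algorithm not in QUANTUM_VULNERABLE:
        return "quantum-safe", findings
    findings.append(f"{rec.key_algorithm}-{rec.key_bits} is breakable by Shor's algorithm")
    live_at_crqc = rec.not_after.year >= crqc_year
    hndl = rec.use == "key-exchange" and rec.not_before.year + rec.sensitivity_years > crqc_year
    if live_at_crqc:
        findings.append(f"still valid in {crqc_year} (expires {rec.not_after})")
    if hndl:
        findings.append("data sensitive past CRQC arrival: harvest-now-decrypt-later exposure")
    urgency = sum([live_at_crqc, hndl, rec.internet_facing, rec.use == "key-exchange"])
    tier = "migrate-first" if urgency >= 3 else "migrate-next" if urgency == 2 else "schedule"
    return tier, findings

INVENTORY = [  # constructed sample inventory; none of these are real certificates
    CertRecord("api-gateway", "RSA", 2048, "SHA256", date(2025, 1, 1), date(2026, 1, 1), "key-exchange", 10, True),
    CertRecord("internal-root-ca", "RSA", 4096, "SHA256", date(2020, 1, 1), date(2040, 1, 1), "signing", 1, False),
    CertRecord("legacy-vpn", "RSA", 1024, "SHA1", date(2015, 1, 1), date(2035, 1, 1), "key-exchange", 20, True),
    CertRecord("pqc-pilot", "ML-DSA", 65, "SHA256", date(2025, 1, 1), date(2027, 1, 1), "signing", 5, True),
]
TIER_ORDER = {"migrate-first": 0, "migrate-next": 1, "schedule": 2, "quantum-safe": 3}

def roadmap(inventory=INVENTORY, crqc_year=CRQC_YEAR):
    # (name, tier, findings) rows, most urgent migrations first, most findings first within a tier
    rows = [(r.name, *assess(r, crqc_year)) for r in inventory]
    return sorted(rows, key=lambda row: (TIER_ORDER[row[1]], -len(row[2])))
```

Note that the short-lived api-gateway certificate still lands in the first tier: annual rotation does nothing about traffic recorded today whose contents stay sensitive past the CRQC horizon.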
Start With Visibility
The first step isn't migration — it's inventory. Most organizations don't have a complete picture of their cryptographic posture. Certificates are scattered across load balancers, CDNs, internal services, IoT devices, and third-party integrations.
Cerebion Rivet's certificate analyzer scans your infrastructure, identifies every quantum-vulnerable certificate, scores the risk on a 0-100 scale, and gives you a prioritized migration roadmap, not just a list of findings.
Scan your certificates for quantum risk
Cerebion Rivet identifies RSA, ECC, and DSA certificates that quantum computers will break, and tells you which ones to migrate first.