The threat is easy to state. A large enough quantum computer would break the public-key cryptography that TLS relies on, meaning RSA and the elliptic-curve algorithms behind almost every certificate in use today. That machine does not exist yet. The migration away from those algorithms is happening anyway, because waiting until it exists is too late.
Harvest Now, Decrypt Later
The reason this is not a problem for 2035 is a strategy called harvest now, decrypt later. An attacker records encrypted traffic today and stores it, betting that a future quantum computer will decrypt it. Anything with a long secrecy lifetime, health records, financial data, government communications, state secrets, is worth capturing now even though the key cannot be broken for years.
That changes the timeline. The clock on data you send today is not set by when quantum computers arrive. It is set by how long that data needs to stay private. If something must remain secret for ten years, the relevant question is whether a quantum computer exists within ten years, and the honest answer is nobody knows.
What Is Actually Changing
Two layers of TLS use the vulnerable cryptography, and they are migrating on different schedules.
The first is the key exchange, where the client and server agree on a session key. This is the urgent part, because it is what harvest-now-decrypt-later targets. The industry response is hybrid key exchange: combine a classical algorithm like X25519 with a post-quantum one so the session stays safe if either holds. NIST standardized the post-quantum piece, ML-KEM, in 2024, and major browsers and servers already negotiate hybrid groups by default in many configurations.
The second is the certificate signature, the part that proves the server is who it claims. This is less urgent for harvest-now attacks, because a forged signature is only useful in real time, not against recorded traffic. Post-quantum signature algorithms like ML-DSA are standardized, but they produce much larger keys and signatures, which complicates certificates, chains, and handshake size. This migration will take longer and will reshape what a certificate looks like on the wire.
Why Bigger Signatures Matter to You
A post-quantum signature is not a drop-in swap for an ECDSA one. ML-DSA signatures and public keys are kilobytes where today's are tens of bytes. A certificate chain that fit in one network packet may now span several, which affects handshake latency, especially on lossy mobile connections, and stresses systems that assumed certificates were small.
This is one more reason the broader industry push toward short certificate lifetimes and automation matters. Larger, more frequently rotated certificates are only manageable if issuance and renewal are automated, which ties directly to why certificate lifetimes are getting shorter.
What to Do Now
You do not need to re-issue every certificate this quarter. You do need to stop treating post-quantum as someone else's future problem.
- Inventory your data by secrecy lifetime. Anything that must stay private for years is already exposed to harvest-now attacks and should move to hybrid key exchange first.
- Confirm your servers and clients can negotiate hybrid key exchange, and enable it where your stack supports it. Much of this is a configuration change, not a certificate change.
- Track crypto-agility in your own systems. The real test is how fast you can swap an algorithm, because you will do it more than once before this settles.
- Keep your certificate inventory current, because you cannot migrate certificates you have not found.
The teams that handle this well are the ones that already treat cryptography as something that changes, not something you configure once and forget.
Watching It as It Rolls Out
Post-quantum migration is going to play out as a series of changes to what your endpoints negotiate and serve, and each change is a chance to misconfigure something. The same discipline that catches an expired certificate catches a server that quietly stopped offering a secure key exchange. SSL certificate monitoring and ongoing configuration checks are how you confirm what you actually serve, not what you intended to.
Generator Labs certificate monitoring tracks the certificates and configuration across your endpoints as this transition unfolds, and the TLS configuration guides at goodtls.com cover enabling modern key exchange on the servers you run. The quantum computer is not here. The migration is. Start watching your certificates before the ground shifts under them.