Asset inventory

What a PQC inventory must cover

A good inventory does not only list certificates. It connects algorithms, owners, confidentiality lifetime, supplier dependencies and replacement capacity.

Web

Public and internal TLS

Domains, load balancers, reverse proxies, mTLS, private CAs, client certificates and renewal policies.

Expected evidence: scans, chains, dates, algorithms, owners.

Access

SSH and administrator access

User keys, machine keys, bastions, deployment accounts, automation scripts and secret stores.

Expected evidence: key inventory, rotation, revocation, logging.

Build

Code signing

Packages, container images, binaries, plugins, EV/OV certificates, HSMs, timestamping and release policies.

Expected evidence: CI/CD chain, signature formats, validity period.

Data

Long-confidentiality flows

Contracts, health, identity, industrial secrets and archives that may be captured today and decrypted later.

Expected evidence: classification, protection lifetime, network exposure.

Vendors

SaaS, cloud and appliances

CDN, WAF, VPN, IAM, HSM, EDR, email, backup and network equipment with cryptographic dependencies.

Expected evidence: PQC roadmaps, hybrid support, contractual clauses.

Code

Cryptographic libraries

OpenSSL, BoringSSL, libsodium, Java, .NET, Go, HSM modules and custom usage that locks in RSA, ECDSA or ECDH.

Expected evidence: SBOM, versions, configuration, replacement tests.
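
An added example, not part of the original page, of how one inventory record can connect algorithm, owner, confidentiality lifetime, supplier dependency and evidence, and how those links drive prioritization. The column names, sample assets, the `ML-KEM` row and the 5-year `horizon_years` threshold are assumptions made for illustration.

```python
import csv
import io

# Public-key algorithms the page names (RSA, ECDSA, ECDH); all are quantum-vulnerable.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH"}

# Constructed sample inventory (hypothetical assets, owners, vendors and values).
SAMPLE = """asset,area,algorithm,use,owner,confidentiality_years,vendor,evidence
vpn-gw-01,Vendors,ECDH,key-exchange,netops,10,ExampleVPN,roadmap requested
api.example.internal,Web,RSA,key-exchange,,2,,scan 2024-05
release-signing,Build,ECDSA,signature,platform,0,,
archive-sync,Data,ECDH,key-exchange,records,25,,classification done
lab-tunnel,Web,ML-KEM,key-exchange,research,15,,scan 2024-05
"""

def load_inventory(text):
    """Parse CSV rows and normalize the fields used for scoring."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["algorithm"] = row["algorithm"].strip().upper()
        row["confidentiality_years"] = int(row["confidentiality_years"] or 0)
        rows.append(row)
    return rows

def findings(row, horizon_years):
    """Reasons an asset needs attention; horizon_years is an assumed threshold."""
    reasons = []
    vulnerable = row["algorithm"] in QUANTUM_VULNERABLE
    if vulnerable and row["use"] == "key-exchange" \
            and row["confidentiality_years"] >= horizon_years:
        reasons.append("capture-now-decrypt-later exposure")
    if vulnerable and row["vendor"]:
        reasons.append("replacement depends on supplier " + row["vendor"])
    if not row["owner"]:
        reasons.append("no owner")
    if not row["evidence"]:
        reasons.append("no evidence recorded")
    return reasons

def prioritize(rows, horizon_years=5):
    """Rank assets: most findings first, then longest confidentiality lifetime."""
    flagged = [(r["asset"], findings(r, horizon_years)) for r in rows]
    flagged = [(a, f) for a, f in flagged if f]
    life = {r["asset"]: r["confidentiality_years"] for r in rows}
    return sorted(flagged, key=lambda x: (-len(x[1]), -life[x[0]]))

if __name__ == "__main__":
    for asset, reasons in prioritize(load_inventory(SAMPLE)):
        print(f"{asset}: {'; '.join(reasons)}")
```

Rows with a missing owner or missing evidence are flagged even when the algorithm itself is not urgent, because an unowned asset cannot be scheduled for replacement.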