// Product / QHx PKI
Trust expires.
QHx PKI issues short-lived workload credentials only after the node and workload have been identified through the attestation path.
// Operating principle
Secrets prove possession.
Static secrets create standing access. QHx PKI issues credentials tied to the workload identity and its parent node, reducing the blast radius of credential theft and stale trust.
- X.509-SVIDs: Workloads receive SPIFFE identities they can present to peers and verify in return. Each workload identity is structurally a child of its node identity; the node must remain attested for the workload credential to be renewable.
- Node supervision: The PKI Agent runs locally and works with the PKI Server to attest workloads on the node.
- Post-quantum signatures: Policy can select ML-DSA variants for SVID issuance, with conventional algorithms retained for compatibility.
- Namespace control: QHx Policy can set signature and key-exchange algorithms per namespace.
// Attestation strategies
Identity is grounded in evidence, not assumed.
Issuance follows a two-phase model. The node proves itself first; the workload identity is then issued as a child of the attested node. Several attestation strategies are supported so the right one can apply to each environment.
- TPM with PCR policy: Hardware-rooted attestation where measured boot state is verifiable. Used where assurance requirements demand it.
- Kubernetes Projected Service Account Tokens: For clusters where the orchestrator is the trustworthy source of node identity.
- Cloud instance identity documents: AWS, GCP, and Azure instance identity, used where the cloud provider's signed metadata is the appropriate root.
- Join tokens: For bootstrapping environments without hardware roots or orchestrator-rooted identity.
Renew identity from fresh evidence.
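The two-phase model above, as an added illustration that is not QHx PKI's own code: a node attests first through one pluggable strategy, a workload SVID is issued only as a child of a currently attested node, and renewal re-checks the parent. Class and function names, the SPIFFE ID layout, the TTL values and the join-token verifier are all assumptions constructed for the example.

```python
# Added illustration of two-phase issuance (node first, workload as child).
# PkiServer, attest_node, issue_svid, renew_svid and the ID layout are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict

JOIN_TOKEN = "constructed-demo-token"  # constructed sample value, not a real secret


class IssuanceError(Exception):
    """Raised when evidence is rejected or the parent node attestation has lapsed."""


@dataclass
class NodeAttestation:
    spiffe_id: str      # e.g. spiffe://example.org/node/n1
    strategy: str       # attestation strategy that produced the evidence
    attested_at: float
    ttl: float

    def valid_at(self, now: float) -> bool:
        return now < self.attested_at + self.ttl


@dataclass
class WorkloadSVID:
    spiffe_id: str
    parent: str         # node SPIFFE ID this credential is a child of
    not_after: float    # short-lived: expires independently of the node


class PkiServer:
    def __init__(self, trust_domain: str, node_ttl: float = 3600, svid_ttl: float = 600):
        self.trust_domain, self.node_ttl, self.svid_ttl = trust_domain, node_ttl, svid_ttl
        self.verifiers: Dict[str, Callable[[dict], bool]] = {}  # strategy name -> evidence check
        self.nodes: Dict[str, NodeAttestation] = {}

    def attest_node(self, node_name: str, strategy: str, evidence: dict, now: float) -> NodeAttestation:
        """Phase 1: evidence is checked by the verifier registered for the chosen strategy."""
        verify = self.verifiers.get(strategy)
        if verify is None or not verify(evidence):
            raise IssuanceError(f"node {node_name}: {strategy} evidence rejected")
        node = NodeAttestation(f"spiffe://{self.trust_domain}/node/{node_name}", strategy, now, self.node_ttl)
        self.nodes[node.spiffe_id] = node
        return node

    def issue_svid(self, node_id: str, workload: str, now: float) -> WorkloadSVID:
        """Phase 2: a workload SVID is issued only under a node that is attested right now."""
        node = self.nodes.get(node_id)
        if node is None or not node.valid_at(now):
            raise IssuanceError(f"parent {node_id} is not attested at t={now}")
        return WorkloadSVID(f"{node_id}/workload/{workload}", node_id, now + self.svid_ttl)

    def renew_svid(self, svid: WorkloadSVID, now: float) -> WorkloadSVID:
        """Renewal is just re-issuance, so a lapsed node attestation blocks it."""
        return self.issue_svid(svid.parent, svid.spiffe_id.rsplit("/", 1)[1], now)
```

Register a verifier per strategy (the test below wires a join-token check); a node whose attestation has expired must re-attest before any of its workloads can renew.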