Command-line tools for assessing Post-Quantum Cryptography (PQC) readiness.
Scan your infrastructure for quantum-vulnerable cryptography before Q-Day arrives.
- TLS Certificate Scanner - Identify RSA/ECC certificates requiring PQC migration
- Key Length Analyzer - Flag weak key lengths (RSA < 3072, ECC < 256)
- Algorithm Inventory - Generate Cryptographic Bill of Materials (CBOM)
- NIST PQC Alignment - Check readiness against FIPS 203/204/205 standards
- CI/CD Integration - JSON/CSV export for pipeline integration
```bash
# Clone the repository
git clone https://github.com/qryptonic/pqc-readiness-checklist.git
cd pqc-readiness-checklist

# Scan a domain's TLS certificates
./scripts/scan-tls.sh example.com

# Generate CBOM for a directory
python scripts/generate-cbom.py /path/to/certs --output cbom.json
```

- Python 3.8+
- OpenSSL 1.1.1+
- Bash 4.0+ (for shell scripts)

```bash
pip install -r requirements.txt
```

| Script | Description |
|---|---|
| `scan-tls.sh` | Scan TLS certificates for a domain |
| `generate-cbom.py` | Generate Cryptographic Bill of Materials |
| `check-key-strength.py` | Analyze key lengths against NIST recommendations |
| `pqc-readiness-report.py` | Generate comprehensive readiness report |

```bash
# Scan single domain
./scripts/scan-tls.sh qryptonic.com

# Scan multiple domains from file
./scripts/scan-tls.sh --file domains.txt

# Output JSON for CI/CD
./scripts/scan-tls.sh qryptonic.com --format json
```

```bash
# Scan certificate directory
python scripts/generate-cbom.py /etc/ssl/certs --output cbom.json

# Include private keys (requires permissions)
python scripts/generate-cbom.py /etc/ssl --include-private --output cbom.json
```

```bash
# Check single certificate
python scripts/check-key-strength.py certificate.pem

# Batch check with NIST thresholds
python scripts/check-key-strength.py /path/to/certs --threshold nist-2030
```

This tool checks alignment with:

| Standard | Algorithm | Use Case |
|---|---|---|
| FIPS 203 | ML-KEM (Kyber) | Key Encapsulation |
| FIPS 204 | ML-DSA (Dilithium) | Digital Signatures |
| FIPS 205 | SLH-DSA (SPHINCS+) | Hash-Based Signatures |
- 2025: Begin planning and inventory
- 2030: Software/firmware must support PQC
- 2033: All NSS must use PQC exclusively
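
An added example, not part of this repository's scripts: a CI gate that recounts certificates needing migration from a report in this README's JSON output format instead of trusting its `summary` block, using the RSA < 3072 / ECC < 256 floors from the feature list. The `classify` and `gate` functions, the PQC algorithm labels and the sample report are assumptions made for illustration.

```python
import json

# Floors from the feature list above: RSA < 3072 and ECC < 256 are flagged.
MIN_BITS = {"RSA": 3072, "ECC": 256}
# Assumed labels for FIPS 203/204/205 entries; the real scanner's labels may differ.
PQC_ALGS = {"ML-KEM", "ML-DSA", "SLH-DSA"}

def classify(cert):
    """Return 'pqc', 'classical' (meets floor, still quantum-vulnerable) or 'weak'."""
    alg = str(cert.get("algorithm", "")).upper()
    if alg in PQC_ALGS:
        return "pqc"
    floor = MIN_BITS.get(alg)
    bits = cert.get("key_length")
    if floor is None or not isinstance(bits, int) or bits < floor:
        return "weak"  # unknown algorithm or missing length fails closed
    return "classical"

def gate(report):
    """Recount from the certificate list; return (exit_code, findings)."""
    findings = []
    certs = report.get("certificates", [])
    classes = [classify(c) for c in certs]
    for cert, cls in zip(certs, classes):
        if cls != "pqc":
            findings.append(f"{cert.get('subject', '?')}: {cls} "
                            f"({cert.get('algorithm')}-{cert.get('key_length')})")
        if cert.get("pqc_ready") and cls != "pqc":
            findings.append(f"{cert.get('subject', '?')}: pqc_ready flag contradicts algorithm")
    need = sum(cls != "pqc" for cls in classes)
    claimed = report.get("summary", {}).get("requires_migration")
    if claimed != need:
        findings.append(f"summary says {claimed} need migration, list shows {need}")
    return (1 if findings else 0), findings

# Constructed sample in the README's JSON report shape (not real scan output).
SAMPLE = json.loads("""{
  "certificates": [
    {"subject": "CN=example.com", "algorithm": "RSA", "key_length": 2048, "pqc_ready": false},
    {"subject": "CN=api.example.com", "algorithm": "ECC", "key_length": 256, "pqc_ready": false},
    {"subject": "CN=new.example.com", "algorithm": "ML-DSA", "pqc_ready": true}
  ],
  "summary": {"total": 5, "pqc_ready": 0, "requires_migration": 5}
}""")

if __name__ == "__main__":
    code, findings = gate(SAMPLE)
    print("\n".join(findings))
    raise SystemExit(code)
```

Run as a pipeline step, the non-zero exit status fails the job whenever any certificate is not post-quantum or the report's summary disagrees with its own certificate list.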

```json
{
  "scan_date": "2026-01-14T12:00:00Z",
  "domain": "example.com",
  "certificates": [
    {
      "subject": "CN=example.com",
      "algorithm": "RSA",
      "key_length": 2048,
      "pqc_ready": false,
      "recommendation": "Migrate to ML-KEM + RSA-3072 hybrid"
    }
  ],
  "summary": {
    "total": 5,
    "pqc_ready": 0,
    "requires_migration": 5
  }
}
```

```csv
subject,algorithm,key_length,expiry,pqc_ready,priority
CN=example.com,RSA,2048,2027-01-01,false,high
CN=api.example.com,ECC,256,2026-06-15,false,critical
```

```yaml
- name: PQC Readiness Check
  run: |
    pip install -r requirements.txt
    python scripts/pqc-readiness-report.py --domain ${{ github.event.repository.name }}.com --output report.json

- name: Fail if not PQC ready
  run: |
    if jq -e '.summary.requires_migration > 0' report.json; then
      echo "::warning::Certificates require PQC migration"
    fi
```

```yaml
pqc-scan:
  script:
    - pip install -r requirements.txt
    - python scripts/pqc-readiness-report.py --domain $CI_PROJECT_NAME.com
  artifacts:
    reports:
      dotenv: pqc-report.env
```

Contributions welcome! Please read CONTRIBUTING.md before submitting PRs.

```bash
# Clone and setup
git clone https://github.com/qryptonic/pqc-readiness-checklist.git
cd pqc-readiness-checklist
python -m venv venv
source venv/bin/activate
pip install -r requirements-dev.txt

# Run tests
pytest tests/
```

Found a vulnerability? Please report it responsibly:

- Email: [email protected]
- Do NOT open public issues for security vulnerabilities
MIT License - see LICENSE for details.
Qryptonic provides enterprise post-quantum cryptography assessments and migration services. This open-source tool is part of our commitment to helping organizations prepare for Q-Day.
For comprehensive assessments including real quantum hardware testing, visit qryptonic.com/services.
Q-Day is coming. Get ready.