Keyfactor EJBCA + Command

Keyfactor is the market leader in enterprise PKI lifecycle management, and its 2024-2025 acquisitions of InfoSec Global and CipherInsights transformed it from a certificate management platform into a comprehensive post-quantum migration platform. The combined offering addresses the most underserved part of the enterprise PQC challenge: not algorithm deployment, but certificate lifecycle management at scale across heterogeneous environments. EJBCA (Enterprise Java Beans Certificate Authority) is the world's most widely deployed open-source CA software, used by thousands of enterprises and government agencies to issue and manage digital certificates. EJBCA 8.3 and later support hybrid certificate issuance — X.509 certificates that contain both a classical signature (RSA or ECDSA) and a parallel ML-DSA signature in the same certificate, enabling relying parties that support hybrid verification to validate the PQC signature while older clients fall back to the classical one. This is the practical migration path for enterprises that cannot update all certificate consumers simultaneously. Keyfactor Command is the SaaS-based certificate lifecycle management platform that manages certificate inventory, automated renewal, and policy enforcement across multi-CA environments. The integration of CipherInsights' cryptographic discovery capabilities means Command can now scan enterprise networks to detect all certificates in use, identify their cryptographic parameters (key sizes, signature algorithms, expiration dates), and flag certificates that need quantum-safe remediation. This is the enterprise-grade version of what IBM Quantum Safe Explorer does for code — applied to the live certificate estate. The acquired InfoSec Global (now Keyfactor Agility) contributes a broader crypto-agility layer: scanning applications, protocols, and libraries for cryptographic dependencies beyond just certificates, and providing a unified risk dashboard. Keyfactor now offers an end-to-end workflow from crypto discovery → CBOM generation → hybrid certificate issuance → renewal automation, all managed through a single platform. For enterprises with complex multi-CA environments — a common scenario in financial services, healthcare, and manufacturing — this unified lifecycle management is the most operationally practical PQC migration path available.