PQLensGuides › Audit your certificate stores
100% local · nothing leaves your machine

Audit your certificate stores

Point PQLens at a certificate file or a whole directory and get every certificate’s key algorithm, key size, signature hash and validity — with deprecated signatures called out and code-signing certificates flagged as the priority they are.

pqlens scan certs /etc/ssl/certs
Free · all ten surfaces · 100% local — nothing about your code, configs or certificates leaves the machine

How it works

  1. Run pqlens scan certs on a PEM/DER file or a directory — it walks the tree.
  2. Each certificate is parsed for key algorithm, key size, signature hash and validity window.
  3. SHA-1 signatures and small RSA keys are flagged broken / deprecated; standard RSA/ECDSA certs are quantum-vulnerable.
  4. Certificates with the code-signing EKU are called out explicitly — they carry the earliest post-quantum deadline (CNSA 2.0).

Why code-signing certificates get special treatment

CNSA 2.0’s earliest deadline is software and firmware signing, because signatures have to outlive the key that made them: firmware you sign today must still verify in a decade, and you cannot re-sign what has already shipped. PQLens flags any certificate with the code-signing EKU so it lands at the top of your migration roadmap, not in the long tail.

Certificates on disk are only part of the story

Java services and load balancers usually keep certificates inside JKS or PKCS#12 keystores, and cloud workloads keep them in ACM — scan those surfaces too, or the inventory will flatter you.

Frequently asked questions

Which certificate formats are supported?

PEM and DER, as single files or directories that get walked recursively. For PKCS#12/JKS containers use the keystore scan; for live endpoints use the TLS scan.

My certificate is RSA-2048 — do I need to replace it now?

Not urgently. RSA-2048 is fine against classical attackers today; NIST disallows it after 2035. What you need now is to know where it is used and when it expires — which is what the inventory is.

Are certificate contents uploaded anywhere?

No. Parsing happens locally. Even the optional Compliance-tier push sends only algorithm names, statuses and counts — never certificate contents.

Related guides

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.