BYOC · post-quantum certificate store
Post-quantum certificates, and the tools to run them.
Buy an HSM-signed post-quantum certificate (ML-DSA-65, FIPS 204) for your APIs, devices, code, and nodes. Then download the gateway, libraries, and packages to actually use it, deployed in your cloud, so your plaintext never leaves your environment.
# 1. generate a key + CSR (never leaves your machine)$ sf-wallet csr ./my-node # 2. buy & sign the cert (x402 or card)$ curl -X POST certstore../cert/sign/pqcomms-server \ -H "X-PAYMENT: <usdc-proof>" -d @csr.json✓ cert.json issued · ML-DSA-65 · FIPS 140-3 L4 root # 3. run the BYOC gateway in your cloud$ sf-gateway --cert cert.json --listen :8443✓ post-quantum tunnel up · plaintext stays local
- NIST FIPS 204 · ML-DSA
- CNSA 2.0 aligned
- FIPS 140-3 Level 4 HSM root of trust
- BYOC · your cloud, your data
how it works
Buy the cert. Run the tools. Keep your data.
A certificate is only useful if something consumes it. We ship the consumer — a gateway, SDKs, and packages — so a post-quantum cert works in the systems you already run, without waiting for browsers and OpenSSL to catch up.
- 01
Buy a certificate
Generate a CSR locally, pay with USDC (x402) or card (Stripe), and receive an HSM-signed post-quantum certificate. Your private key never leaves your machine.
- 02
Download the tools
Grab the BYOC gateway binary, the WASM module, and the SDK for your language. Open-source clients, so you can read and verify exactly how the cert is used.
- 03
Deploy in your cloud
Run the gateway or link the library in your own environment. Traffic is post-quantum end to end; plaintext stays with you. We only issue and manage the certs.
certificates
One secure rail. Certs for every layer.
Post-quantum certificates (ML-DSA-65) signed on a FIPS 140-2 Level 4 hardware root. Bounded validity with full revocation (CRL). Consumed by our gateway and SDKs today; standards-based X.509 / CMS output is on the roadmap. Pay per certificate with USDC or card.
pqcomms-server
$2.00/ cert · USDC or card
Identity for a service endpoint or node. Use with the BYOC gateway to put a post-quantum tunnel in front of an API you already run.
- ML-DSA-65 (FIPS 204)
- Server / node identity
- Works with sf-gateway + SDKs
pqcomms-client
$1.00/ cert · USDC or card
Identity for a device, client app, or fleet agent. Mutually authenticate to your services and peers over a post-quantum channel.
- ML-DSA-65 client identity
- Device & fleet auth
- Offline-verifiable to a pinned root
code-signing
$5.00/ cert · USDC or card
Sign binaries, containers, and releases with a post-quantum signature. Verify with the open-source tool; anchor to a tamper-evident transparency log.
- ML-DSA-65 signing key
- Merkle transparency log
- Open-source verifier
Also available: 7fchain miner-cert ($0.70). Volume & enterprise issuance — per-workload licensing, private issuing CA — contact us.
bring your own cloud
Your plaintext never leaves your environment.
We run the control plane — issuance on an HSM root, rotation, and revocation. You run the data plane — the gateway sits in your cloud or on-prem. We never see your traffic.
- Deploy the gateway in AWS, GCP, Azure, on-prem, or air-gapped
- End-to-end post-quantum; the relay is a blind path, not a reader
- Certs issued and revoked from our control plane over a PQ channel
- Managed hosting available for low-sensitivity / dev use
CONTROL PLANE (Seven Fortunas) HSM root · issuance · rotation · CRL │ issues certs / policy (never sees plaintext) ▼DATA PLANE (your cloud) [ sf-gateway ] ◀──PQ tunnel──▶ [ peer ] │ your app · plaintext stays here
downloads
The tools that use the certs.
Everything you need to consume a post-quantum certificate today. Clients and SDKs are open source; the gateway ships as a signed binary and a container. Current release: v0.3.0.