Supported Algorithms and Standards
Zero Touch PKI supports a broad range of cryptographic standards to ensure compatibility with legacy systems and future-readiness for modern environments.
When running in a FIPS 140-3 Level 3 certified environment, supported algorithms are restricted to those approved by the National Institute of Standards and Technology (NIST).
Classical Cryptography
| Category | Supported Algorithms |
|---|---|
| Asymmetric | RSA: 2048, 3072, 4096 bits. ECDSA: P-256, P-384, P-521. ECDH: P-256, P-384, P-521. |
| Symmetric | AES: 128, 192, and 256 bits. |
| Hashing | SHA-2: SHA-224, SHA-256, SHA-384, SHA-512. SHA-3: SHA3-224, SHA3-256, SHA3-384, SHA3-512. HMAC: Based on approved SHA-2 or SHA-3 hashes. |
Post-Quantum Cryptography (PQC)
To prepare your organization for the Q-Day transition, Zero Touch PKI supports the following FIPS-approved post-quantum algorithms:
- ML-DSA (formerly Dilithium): For quantum-safe digital signatures.
- SLH-DSA (formerly SPHINCS+): For stateless hash-based signatures.
Post-Quantum certificates
Post-Quantum (PQ) certificates are currently available for evaluation and testing purposes only. Do not deploy them in critical production environments without a thorough understanding of the risks. CyberArk does not accept responsibility for service interruptions or system failures that result from using PQC in unsupported production environments.