For RHEL 10.1 the crypto-policy will by default support PQC, RHEL 9.7 users can opt into PQC by switching to the DEFAULT:PQ policy.

After supporting PQC key exchanges (SAT-36256) the second phase is support PQC certificates. Supporting ML-DSA certificates besides RSA will require changes throughout the stack.

Apache needs to be configured with another pair of SSLCertificateFile and SSLCertificateKeyFile statements to serve both RSA and ML-DSA certificates. Candlepin will also need support and a lot of software needs to be verified. For example, Foreman receives the client certificate to extract some data. Will that continue to work?