srose
Copper Contributor
Mar 24, 2026

Experiences Creating a CA with ML‑DSA Using Microsoft Smart Card Key Storage Provider (ADCS / PQC)

Hi all,

I’m exploring the possibility of using post‑quantum cryptography within an Active Directory Certificate Services (ADCS) environment in the Insider release 29550. Specifically, I’m interested in creating a Certificate Authority (CA) where the CA’s key material is generated and stored using a Microsoft Smart Card Key Storage Provider (KSP) with support for ML‑DSA. This is an option selectable in the "Specify the cryptographic options".

Has anyone in the community successfully done the following:

Created a CA using ML‑DSA: Microsoft Smart Card KSP as the cryptographic provider?

If so, what smart card or hardware token did you use that supports ML‑DSA via the Microsoft Smart Card KSP?

(e.g., specific vendor and/or model that exposes ML‑DSA support correctly to Windows)

Is it actually possible to create a CA using ML‑DSA as the cryptographic provider?

If yes, what are the key steps or gotchas?

What changes when ML‑DSA is used as the CA key provider compared to traditional providers like RSA/ECC?

Any differences in certificate creation, enrollment, templates, compatibility with clients, etc.?

Is there any official documentation for using ML‑DSA or PQC with ADCS?

Are there other post‑quantum cryptographic (PQC) options already supported or coming soon in ADCS?
