--- title: Post-quantum ML-DSA certificates for Authenticated Origin Pulls and Custom Origin Trust Store description: Authenticated Origin Pulls and Custom Origin Trust Store now accept ML-DSA (FIPS 204) post-quantum certificates, enabling end-to-end post-quantum authentication between Cloudflare and your origin. image: https://developers.cloudflare.com/changelog-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) [ ← Back to all posts ](https://developers.cloudflare.com/changelog/) ## Post-quantum ML-DSA certificates for Authenticated Origin Pulls and Custom Origin Trust Store Jun 17, 2026 [ SSL/TLS ](https://developers.cloudflare.com/ssl/) Cloudflare now accepts [ML-DSA ↗](https://csrc.nist.gov/pubs/fips/204/final) (FIPS 204) post-quantum certificates on the connection between Cloudflare's edge and your origin server. Combined with our existing [X25519MLKEM768](https://developers.cloudflare.com/ssl/post-quantum-cryptography/#hybrid-key-agreement) key agreement, this lets you establish end-to-end post-quantum authentication on the Cloudflare-to-origin connection. ML-DSA is supported in two origin-facing features: * [Authenticated Origin Pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/) (AOP) — upload an ML-DSA client certificate that Cloudflare will present during the mTLS handshake to your origin. Available at both zone-level and per-hostname scopes. * [Custom Origin Trust Store](https://developers.cloudflare.com/ssl/origin-configuration/custom-origin-trust-store/) (COTS) — upload an ML-DSA certificate authority that Cloudflare will trust when validating your origin server certificate under [Full (strict) encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/). Refer to [Post-quantum signatures](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-to-origin/#post-quantum-signatures) for certificate generation and setup guidance, and to [PQC in Cloudflare products](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-cloudflare-products/) for the current post-quantum deployment status across Cloudflare. ```json {"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/post/2026-06-17-pqc-mldsa-aop-cots/#page","headline":"Post-quantum ML-DSA certificates for Authenticated Origin Pulls and Custom Origin Trust Store · Changelog","description":"Authenticated Origin Pulls and Custom Origin Trust Store now accept ML-DSA (FIPS 204) post-quantum certificates, enabling end-to-end post-quantum authentication between Cloudflare and your origin.","url":"https://developers.cloudflare.com/changelog/post/2026-06-17-pqc-mldsa-aop-cots/","inLanguage":"en","image":"https://developers.cloudflare.com/changelog-preview.png","dateModified":"2026-06-17","datePublished":"2026-06-17","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}} ```