Organisations are upgrading their cryptographic infrastructure to become quantum-safe before large-scale quantum computers materialise. Post-quantum cryptography (PQC) standards now exist for key exchange and digital signatures, but the urgent question for adopters is how to operationalise PQC in complex environments with confidence. In banking, for example, Transport Layer Security (TLS) protects data in transit across public-facing channels and internal services, and is terminated at many heterogeneous endpoints (web servers, API gateways, load balancers, reverse proxies), each a potential quantum-vulnerable component and migration target. We argue that the bottleneck is operational rather than algorithmic: key exchanges such as MLKEM and hybrid MLKEM are already available in mainstream libraries, but security teams lack precise visibility into TLS configurations and repeatable methods for enabling PQC-compatible settings across a heterogeneous estate. This paper presents a configuration parsing methodology that automatically extracts and normalises TLS cryptographic posture across dominant enterprise web server stacks, producing a unified, provenance-traced cryptographic inventory as a foundation for migration and compliance. We demonstrate the approach on 8,443 real-world Nginx configurations from public repositories and in a proof-of-concept deployment at a financial institution, where MLKEM and hybrid MLKEM key exchanges at TLS termination points (web server and API gateway) secure an internal application, with zero application-layer changes and manageable performance overhead.
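To make the idea of a provenance-traced inventory concrete, here is an added sketch in Python (not the paper's parser) that reads an Nginx configuration, resolves inherited TLS directives per `server` block, and records the file and line each setting came from. It assumes one directive per line and no `include` files; the sample config, the function names and the list of PQC group names are constructed for this example.

```python
import re
# Real nginx directive names; the group list is an assumption (IANA/OpenSSL 3.5 names).
TRACKED = {"server_name", "ssl_protocols", "ssl_ciphers", "ssl_ecdh_curve"}
PQC_GROUPS = {"x25519mlkem768", "secp256r1mlkem768", "secp384r1mlkem1024",
              "mlkem512", "mlkem768", "mlkem1024"}
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}

SAMPLE = """\
http {
    ssl_protocols TLSv1.2 TLSv1.3;   # inherited by both servers
    server {
        server_name api.example.test;
        ssl_ecdh_curve X25519MLKEM768:X25519;
    }
    server {
        server_name legacy.example.test;
        ssl_protocols TLSv1 TLSv1.1;
        ssl_ecdh_curve prime256v1;
    }
}
"""  # constructed sample, not taken from the paper's data set

def normalise(scope):
    """Flatten one server scope into a comparable inventory record."""
    get = lambda name: scope.get(name, ([], "unset"))[0]
    protocols = {p.lower() for p in get("ssl_protocols")}
    groups = [g for g in re.split(r"[:\s]+", " ".join(get("ssl_ecdh_curve")).lower()) if g]
    return {"server": " ".join(get("server_name")) or "(unnamed)",
            "protocols": sorted(protocols), "groups": groups,
            "pqc_key_exchange": any(g in PQC_GROUPS for g in groups),
            "legacy_protocols": sorted(protocols & LEGACY),
            "provenance": {k: v[1] for k, v in scope.items() if k != "_block"}}

def inventory(text, source="nginx.conf"):
    """One record per server block; inner scopes inherit and override outer ones."""
    records, stack = [], [{}]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(dict(stack[-1], _block=line[:-1].strip()))
        elif line == "}" and len(stack) > 1:
            scope = stack.pop()
            if scope["_block"] == "server":
                records.append(normalise(scope))
        elif line.endswith(";"):
            parts = line[:-1].split()
            if parts and parts[0] in TRACKED:
                stack[-1][parts[0]] = (parts[1:], f"{source}:{lineno}")
    return records
```

Calling `inventory(SAMPLE)` yields one record per `server` block; the first inherits its protocols from the `http` scope and offers a hybrid MLKEM group, while the second overrides them with legacy versions and a classical curve only.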