On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:

> I have created my X25519 pub/priv keypair with:
>
>     openssl genpkey -algorithm X25519\
>         -out $dir/private/$clientemail-X.key.$format

Are you sure you didn't want ed25519 instead?  X25519 is a key agreement
method, not a signature method.

>     openssl req -config $dir/openssl-intermediate.cnf\
>         -key $dir/private/$clientemail-X.key.$format \
>         -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
>
> which is what I used for ED25519 client certs.  But I get an error:
>
> 140487683954496:error:0608D096:digital envelope
> routines:EVP_PKEY_sign_init:operation not supported for this
> keytype:crypto/evp/pmeth_fn.c:39:

Not surprising, why do you expect this to work?

> Can someone point me to what I am missing?
>
> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client
> cert.  Haven't found instructions on this, but it seems reasonable...

https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures

--
    Viktor.
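The failure discussed in this thread can be reproduced next to the working Ed25519 case; the script below is an added example, not part of the original messages. The function name `try_csr`, the temporary directory, the minimal config file and the subject `client@example.test` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a PKCS#10 request is self-signed with the subject's private
# key, so "openssl req -new" needs a key type that can sign. Ed25519 can;
# X25519 is key agreement only. Subject and config values are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-placeholder
EOF

# try_csr ALG: generate a key of type ALG, build a CSR, verify its signature.
# Returns 0 only if the CSR was written and its self-signature verifies,
# 1 if the CSR step failed, 2 if the key could not be generated.
try_csr() {
    alg=$1
    key="$WORK/$alg.key.pem"
    csr="$WORK/$alg.csr.pem"

    openssl genpkey -algorithm "$alg" -out "$key" 2>/dev/null || return 2

    # This is the step that fails for X25519: the key cannot produce the
    # signature that the request must carry.
    openssl req -config "$WORK/req.cnf" -key "$key" \
        -subj "/CN=client@example.test" -new -out "$csr" 2>/dev/null || return 1

    # Match the "verify OK" message rather than trusting the exit status alone.
    openssl req -config "$WORK/req.cnf" -in "$csr" -noout -verify 2>&1 \
        | grep -q "verify OK"
}

for alg in ED25519 X25519; do
    if try_csr "$alg"; then
        echo "$alg: CSR created, self-signature verified"
    else
        echo "$alg: CSR step failed (rc=$?)"
    fi
done
```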