> But surely the openssl command line tool should provide a mechanism for allowing an X25519-based certificate to be signed by a CA. > Its seems that the "certificate request" protocol, which requires self-signing, prevents this in this case. Yes, that is exactly the point.