Creating an X25519 client certificate

Viktor Dukhovni openssl-users at
Wed Mar 17 23:22:03 UTC 2021

On Wed, Mar 17, 2021 at 05:50:41PM -0400, Robert Moskowitz wrote:

> I have created my X25519 pub/priv keypair with:
> openssl genpkey -algorithm X25519\
>      -out $dir/private/$clientemail-X.key.$format

Are you sure you didn't want ed25519 instead?  X25519 is a key agreement
menthod, not a signature method.

> openssl req -config $dir/openssl-intermediate.cnf\
>      -key $dir/private/$clientemail-X.key.$format \
>      -subj "$DN" -new -out $dir/csr/$clientemail-X.csr.$format
> which is what I used for ED25519 client certs.  But I get an error:
> 140487683954496:error:0608D096:digital envelope 
> routines:EVP_PKEY_sign_init:operation not supported for this 
> keytype:crypto/evp/pmeth_fn.c:39:

Not surprising, why do you expect this to work?

> Can someone point me to what I am missing?
> Oh, and I am ASSuMEing that a CA cert of ED25519 signs an X25519 client 
> cert.  Haven't found instructions on this, but it seems reasonable...


More information about the openssl-users mailing list