EdDSA
Full Title
Edwards-curve Digital Signature Algorithm (EdDSA) scheme
Context
To get a certificate signed with EdDSA, you can use the Edwards-curve Digital Signature Algorithm (EdDSA) scheme. This algorithm is designed to be faster than existing digital signature schemes without sacrificing security. You can create a Certificate Authority (CA) using EdDSA keys from either the EJBCA Admin UI or the CLI.<ref>Keyfactor EdDSA Keys and Signatures (retrieved 2021-12-23) https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/certificate-authority-overview/eddsa-keys-and-signatures</ref>
When generating a CA in EJBCA, up to three keys and certificates are generated: a CA signing keypair and certificate, an encryption keypair used for encrypting key recovery information, and an OCSP signer keypair and certificate. When using EdDSA keys, the CA signing keypair and the OCSP signer keypair will be of the EdDSA key type you select when creating the CA, and the CA signing and OCSP signing certificates will be signed using your selected signature algorithm. The encryption keypair will always be RSA, with a 1024- or 2048-bit key length.
Here are sample CSR generation commands for your clients using OpenSSL (generate an Ed25519 private key, create a CSR from it, then print the CSR to inspect it):
openssl genpkey -algorithm ED25519 -out ed25519.key.pem
openssl req -new -key ed25519.key.pem -out ed25519.csr.pem
openssl req -in ed25519.csr.pem -text
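The commands above, as an added example that is not from the EJBCA documentation: a small POSIX shell script that generates the Ed25519 key and CSR, then checks before the request reaches the CA that the CSR's public key and signature algorithms are ED25519 (rather than, say, rsaEncryption) and that its proof-of-possession self-signature verifies. It assumes OpenSSL 1.1.1 or newer (the first release with Ed25519 support); file names and the subject are placeholders.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation.
# Assumes OpenSSL >= 1.1.1 (Ed25519 support).
set -eu

# make_ed25519_csr KEYFILE CSRFILE SUBJECT
# Generate the Ed25519 private key and a CSR signed with it.
make_ed25519_csr() {
    key="$1"; csr="$2"; subj="$3"
    openssl genpkey -algorithm ED25519 -out "$key"
    openssl req -new -key "$key" -subj "$subj" -out "$csr"
}

# csr_key_algorithm CSRFILE
# Print the public key algorithm named in the CSR (ED25519 for an EdDSA key),
# so a request with an unexpected key type can be rejected before signing.
csr_key_algorithm() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# csr_signature_algorithm CSRFILE
# Print the algorithm used for the CSR's own signature.
csr_signature_algorithm() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_self_signature_ok CSRFILE
# Exit 0 only if the CSR's self-signature verifies, i.e. the requester
# holds the private key matching the public key in the request.
csr_self_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage: ./this_script.sh "/CN=client.example.test"
# Writes ed25519.key.pem and ed25519.csr.pem (placeholder names) and checks them.
if [ -n "${1:-}" ]; then
    make_ed25519_csr ed25519.key.pem ed25519.csr.pem "$1"
    csr_self_signature_ok ed25519.csr.pem \
        && echo "CSR key: $(csr_key_algorithm ed25519.csr.pem)," \
                "signature: $(csr_signature_algorithm ed25519.csr.pem)"
fi
```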