hybrid x509 certificates

[derstrand]

Dear Community,

I have been experimenting with OpenSSL+liboqs. When I run the client server TLS demo, I specify hybrid authentication in the key request along with the x509 certificate request.

When I print the certificate, public key details are not present.. I tried all combinations: classical, pqc, hybrid CA each with classical, pqc, and hybrid new key pair request along with x509 certificate request. In all cases, when I print the x509 certificate, only classical one prints full details. All others show that algorithms are not supported. Please see sample commands and images.

example HybridCA
apps/openssl req -x509 -new -newkey p521_falcon1024 -keyout Falcon_CA.key -out Falcon_CA.crt -nodes -subj "/CN=oqstest CA" -days 365 -config apps/openssl.cnf

server hybrid key & x509 req
apps/openssl req -new -newkey p521_Dilithium5 -keyout Dilithium5_srv.key -out Dilithium5_srv.csr -nodes -subj "/CN=oqstest server" -config apps/openssl.cnf
apps/openssl x509 -req -in Dilithium5_srv.csr -out Dilithium5_srv.crt -CA Falcon_CA.crt -CAkey Falcon_CA.key -CAcreateserial -days 365
openssl x509 -in Dilithium5_srv.crt -text -noout

now, if I try with classical key request:
server classical key & x509 req
apps/openssl req -new -newkey ec:<(apps/openssl ecparam -name secp384r1) -keyout ecdsa_srv.key -out ecdsa_srv.csr -nodes -subj "/CN=oqstest server" -config apps/openssl.cnf
apps/openssl x509 -req -in ecdsa_srv.csr -out ecdsa_srv.crt -CA Falcon_CA.crt -CAkey Falcon_CA.key -CAcreateserial -days 365
openssl x509 -in ecdsa_srv.crt -text -noout

Are hybrid certificates showing both classical and post quantum endpoints supported?

Best,
@derstrand

[derstrand]

resolved: openssl x509 -in Dilithium5_srv.crt -text -noout
should be apps/openssl x509 -in Dilithium5_srv.crt -text -noout :)

[christianpaquin]

This happened to me so many times!