openssl req -newkey rsa:2048 -nodes -x509 -days 365 -out root.crt -keyout root.key
This works fine, but if I use ed25519:
openssl req -newkey ed25519 -nodes -x509 -days 365 -out root.crt -keyout root.key
Keychain Access could not import root.crt, err code : -25257 (unknown format)
Is there any way to use ed25519?
openssl verify -CAfile <(cat root.crt inter.crt) server.crt client.crt
server.crt: OK
client.crt: OK
The .crt files work fine.
I have not been able to find any exact confirmation of this information, but it seems that macOS does not currently support Ed25519 certificates. When attempting to import a certificate outside of the Keychain Access interface, an error message also appears:
openssl req -newkey ed25519 -nodes -x509 -days 365 -out cert.pem -keyout key.pem
openssl x509 -in cert.pem -inform pem -out cert.der -outform der
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain cert.der
# SecCertificateAddToKeychain: Unknown format in import.
You might consider generating a certificate with a more traditional ECC:
openssl ecparam -genkey -name secp384r1 -out key.pem
openssl req -new -key key.pem -sha512 -x509 -days 365 -out cert.pem
It would be possible to use secp521r1, but it is still much less widely supported.