Generating a Certificate from an Existing Key

1. Obtain the key label using p11tool2.

p11tool2 slot=SLOT_NUMBER LoginUser=ask ListObjects

2. Generate a Certificate Signing Request (CSR).

openssl req -new -key "pkcs11:token=<token_label>;object=<key_label>" -out MLDSA_CSR.csr

Here, key_label is the key label on the HSM. Provide the Cryptouser PIN and certificate details when prompted.

3. Create the self-signed certificate based on the generated key.

openssl req -new -x509 -days 365 -key "pkcs11:token=<token_label>;object=<key_label>" -out MLDSA.cert