Scriptable way to generate ML-KEM signed certificates

[MrSuicideParrot]

Hi! I need to generate multiple ML-KEM certificates, signed by a CA. I'm able to do this using the web ui of ejbca. But I haven't been able to do it in a scriptable way. I have tried both the CLI and REST API and I haven't had any success.

For instance if I try the following commands:

ejbca.sh  ra addendentity --username test11--dn "CN=test11" --caname PQCa --type 1 --token PEM --password test11
ejbca.sh ra setclearpwd test11 test11
ejbca.sh batch  --keyalg ML-KEM --keyspec 768

I obtain this error:

2025-10-10 20:52:27,423+0000 INFO  [org.ejbca.ui.cli.batch.BatchMakeP12Command] (main) Generating ML-KEM keys of size 768 for test11.
2025-10-10 20:52:27,570+0000 ERROR [org.ejbca.ui.cli.batch.BatchMakeP12Command] (main) An error happened, setting status to FAILED.
org.bouncycastle.operator.OperatorCreationException: cannot create signer: Supplied key (org.bouncycastle.jcajce.provider.asymmetric.mlkem.BCMLKEMPrivateKey) is not a RSAPrivateKey instance
        at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source) ~[bcpkix-jdk18on-1.79.jar:?]
        at com.keyfactor.util.certificate.SimpleCertGenerator.signCert(SimpleCertGenerator.java:470) ~[x509-common-util-4.1.4.jar:?]
        at com.keyfactor.util.certificate.SimpleCertGenerator.generateCertificate(SimpleCertGenerator.java:397) ~[x509-common-util-4.1.4.jar:?]
        at com.keyfactor.util.CertTools.genCertForPurpose(CertTools.java:1417) ~[x509-common-util-4.1.4.jar:?]
        at com.keyfactor.util.CertTools.genSelfCertForPurpose(CertTools.java:1270) ~[x509-common-util-4.1.4.jar:?]
        at com.keyfactor.util.CertTools.genSelfCertForPurpose(CertTools.java:1260) ~[x509-common-util-4.1.4.jar:?]
        at com.keyfactor.util.CertTools.genSelfCertForPurpose(CertTools.java:1235) ~[x509-common-util-4.1.4.jar:?]
        at com.keyfactor.util.CertTools.genSelfCert(CertTools.java:1185) ~[x509-common-util-4.1.4.jar:?]
        at com.keyfactor.util.CertTools.genSelfCert(CertTools.java:1194) ~[x509-common-util-4.1.4.jar:?]
        at com.keyfactor.util.CertTools.genSelfCert(CertTools.java:1167) ~[x509-common-util-4.1.4.jar:?]
        at org.ejbca.ui.cli.batch.BatchMakeP12Command.createKeysForUser(BatchMakeP12Command.java:316) ~[ejbca-ejb-cli.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
        at org.ejbca.ui.cli.batch.BatchMakeP12Command.processUser(BatchMakeP12Command.java:426) ~[ejbca-ejb-cli.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
        at org.ejbca.ui.cli.batch.BatchMakeP12Command.doCreateKeys(BatchMakeP12Command.java:448) ~[ejbca-ejb-cli.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
        at org.ejbca.ui.cli.batch.BatchMakeP12Command.createAllWithStatus(BatchMakeP12Command.java:557) [ejbca-ejb-cli.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
        at org.ejbca.ui.cli.batch.BatchMakeP12Command.createAllFailed(BatchMakeP12Command.java:498) [ejbca-ejb-cli.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
        at org.ejbca.ui.cli.batch.BatchMakeP12Command.execute(BatchMakeP12Command.java:172) [ejbca-ejb-cli.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
        at org.ejbca.ui.cli.infrastructure.command.PasswordUsingCommandBase.execute(PasswordUsingCommandBase.java:201) [ejbca-ejb-cli.jar:?]
        at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:309) [keyfactor-commons-cli-2.0.0.jar:?]
        at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.findAndExecuteCommandFromParameters(CommandLibrary.java:88) [keyfactor-commons-cli-2.0.0.jar:?]
        at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:38) [ejbca-ejb-cli.jar:EJBCA 9.1.1 Community (8207be0e6112067a33b82328d8e15870b5492da7)]
Caused by: java.security.InvalidKeyException: Supplied key (org.bouncycastle.jcajce.provider.asymmetric.mlkem.BCMLKEMPrivateKey) is not a RSAPrivateKey instance
        at org.bouncycastle.jcajce.provider.asymmetric.rsa.DigestSignatureSpi.engineInitSign(Unknown Source) ~[bcprov-jdk18on-1.79.jar:?]
        at java.security.Signature$Delegate.engineInitSign(Unknown Source) ~[?:?]
        at java.security.Signature.initSign(Unknown Source) ~[?:?]
        ... 20 more

From this error I supposed that this is not the correct interface to create this type of certificate, but what should I use?
If the web ui can create a ML-KEM-768 certificate, how can I do it in an automatic way?

On the REST API, I tried to use the /v1/certificate/enrollkeystore API, but with a similar result, it generates a 500 error.

[primetomas]

Server generated PQC keys are not supported yet. Multiple reasons for that, for ML-DSA the private key format changed recently, so we didn't want to spend time on that until it's stable and interoperable. For ML-KEM everything is a bit harder and also the RFC isn't final. It will get there eventually.