Certifying a Composite End-Entity

The following steps show how to generate and certify a composite key pair that combines the ecp256 and Dilithium3 algorithms.


The examples below shorten request and certificate contents with an ellipsis ("...") for legibility.

Generating a key pair with the ecp256 and Dilithium3 algorithms

Generate the key pair with the pkiutil keygen command. For example:

./pkiutil.sh keygen -alg MLDSA44-ECDSA-P256-SHA256 -pubout mldsa44ecp256_pub.pem -privout mldsa44ecp256_priv.pem

Generating the certificate request

Generate the CSR with the pkiutil newcsr command. For example:

./pkiutil.sh newcsr -pubkey mldsa44ecp256_pub.pem -privkey mldsa44ecp256_priv.pem -csrout mldsa44ecp256csr.pem -sigalg MLDSA44-ECDSA-P256-SHA256

The command saves output like the following.

ecp256_dilithium3.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIV7DCCCIcCAQAwUDEL...AAAAAAAAAAAACBAdHyMo
-----END CERTIFICATE REQUEST-----

Issuing the certificate

Issue the certificate with the pkiutil issue command. For example:

./pkiutil.sh issue -csr mldsa44ecp256csr.pem -caprivkey falcon1024_priv.pem -certout mldsa44ecp256ee.pem -cacert falcon1024sub.pem -sigalg Falcon-1024


The result is the certificate. For example:

ee_ecp256_dilithium3_cert.pem
-----BEGIN CERTIFICATE-----
MIJaZzCCCjmgAwIBAgIR...X7o399CHXD6OZkQxxoU=
-----END CERTIFICATE-----

Verifying the certificate

Verify the certificate with the verify -certchain command. For example:

./pkiutil.sh verify -certchain mldsa65cacert.pem -certchain falcon1024sub.pem -certchain mldsa44ecp256ee.pem
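
The four steps above chained into one shell function, as an added example that is not part of the original page or of pkiutil: before each step consumes a file, it checks that the file is a complete PEM block of the expected type. The function names, the umask guard, and the assumptions that pkiutil.sh exits non-zero on failure and that base64 is the GNU coreutils tool are not from the page.

```shell
#!/bin/sh
# Added example, not part of pkiutil. Assumes pkiutil.sh exits non-zero on
# failure and that base64 is the GNU coreutils tool (-d decodes).

# Print the label of the first PEM block in FILE.
pem_label() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1; }

# Decode FILE's base64 body (armor lines removed) to stdout.
pem_body() { sed '/^-----/d' "$1" | base64 -d 2>/dev/null; }

# Succeed only if the body is one DER SEQUENCE whose declared length matches
# the bytes actually present, which catches truncated or padded files.
der_complete() {
    local f="$1" n len i total
    # First six bytes as decimals: tag, length octet, up to four length bytes.
    set -- $(pem_body "$f" | od -An -tu1 -N6)
    [ "$#" -ge 2 ] && [ "$1" -eq 48 ] || return 1      # 0x30 = SEQUENCE
    if [ "$2" -lt 128 ]; then
        total=$(( $2 + 2 ))                            # short-form length
    else
        n=$(( $2 - 128 ))                              # long form: n length bytes
        [ "$n" -ge 1 ] && [ "$n" -le 4 ] && [ "$#" -ge $(( $n + 2 )) ] || return 1
        shift 2; len=0; i=0
        while [ "$i" -lt "$n" ]; do len=$(( $len * 256 + $1 )); shift; i=$(( $i + 1 )); done
        total=$(( $len + $n + 2 ))
    fi
    [ $(( $(pem_body "$f" | wc -c) )) -eq "$total" ]
}

# check_pem FILE LABEL: fail unless FILE is a complete PEM block of that type.
check_pem() {
    [ "$(pem_label "$1")" = "$2" ] && der_complete "$1" && return 0
    echo "stop: $1 is not a complete $2" >&2; return 1
}

# The page's four steps; the CA files named on the page must already exist.
certify_composite_ee() {
    local alg=MLDSA44-ECDSA-P256-SHA256
    ( umask 077   # new private key not readable by other users
      ./pkiutil.sh keygen -alg "$alg" -pubout mldsa44ecp256_pub.pem -privout mldsa44ecp256_priv.pem ) || return 1
    ./pkiutil.sh newcsr -pubkey mldsa44ecp256_pub.pem -privkey mldsa44ecp256_priv.pem \
        -csrout mldsa44ecp256csr.pem -sigalg "$alg" || return 1
    check_pem mldsa44ecp256csr.pem "CERTIFICATE REQUEST" || return 1
    ./pkiutil.sh issue -csr mldsa44ecp256csr.pem -caprivkey falcon1024_priv.pem \
        -certout mldsa44ecp256ee.pem -cacert falcon1024sub.pem -sigalg Falcon-1024 || return 1
    check_pem mldsa44ecp256ee.pem "CERTIFICATE" || return 1
    ./pkiutil.sh verify -certchain mldsa65cacert.pem -certchain falcon1024sub.pem \
        -certchain mldsa44ecp256ee.pem
}
```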