Certifying a Falcon-1024 intermediate signed by the root ML-DSA-65

See below how to generate a Falcon-1024 key pair and certify it as an intermediate CA signed by an ML-DSA-65 root.


The examples below shorten request and certificate contents with an ellipsis ("...") for legibility.

Generating a key pair with the Falcon-1024 algorithm

Generate the key pair with the pkiutil keygen command. For example:

./pkiutil.sh keygen -alg Falcon-1024 -pubout falcon1024_pub.pem -privout falcon1024_priv.pem

Generating the certificate request

Generate the CSR with the pkiutil newcsr command. For example:

./pkiutil.sh newcsr -pubkey falcon1024_pub.pem -privkey falcon1024_priv.pem -csrout falcon1024csr.pem -sigalg Falcon-1024

The command saves output like the following.

falcon1024csr.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIXcjCCCVICAQAwUDEL...AAAAAAAAAAAABAgQEBgb
-----END CERTIFICATE REQUEST-----

Issuing the intermediate certificate signed by the ML-DSA-65 root

Issue the certificate from the CSR with the pkiutil issue command, passing the root's private key and certificate. For example:
./pkiutil.sh issue -csr falcon1024csr.pem -caprivkey mldsa65_priv.pem -certout falcon1024sub.pem -cacert mldsa65cacert.pem -sigalg ML-DSA-65-ipd -subca

Verifying the certificate

Verify the certificate chain with the pkiutil verify command, passing the root and the intermediate certificate with -certchain. For example:

./pkiutil.sh verify -certchain mldsa65cacert.pem -certchain falcon1024sub.pem
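
An independent structural check on falcon1024csr.pem and falcon1024sub.pem, added here as an example (it is not part of pkiutil or of the original page): a CSR and a certificate share the outer layout SEQUENCE { signed body, AlgorithmIdentifier, BIT STRING }, so one small DER walker reports the signature algorithm OID of either file without a PQ-aware library. The sample bytes are constructed and use the 2.999 example arc; the OIDs to expect for Falcon-1024 and ML-DSA-65-ipd depend on your pkiutil build and are not assumed here.

```python
import base64
import re
# Constructed sample, not pkiutil output: SEQUENCE { SEQUENCE { INTEGER 0 },
# SEQUENCE { OID 2.999.1 }, BIT STRING }. 2.999 is the reserved example arc.
SAMPLE_DER = bytes.fromhex("3011" "3003020100" "30050603883701" "030300aabb")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n%s\n"
              "-----END CERTIFICATE REQUEST-----\n" % base64.b64encode(SAMPLE_DER).decode())

def pem_to_der(pem):                   # first PEM block; BEGIN/END labels must match
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def read_tlv(buf, pos):                # -> (tag, value_start, value_end)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [], 0
    for octet in body:                 # base 128, high bit set means "more follows"
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    root = min(arcs[0] // 40, 2)       # first sub-identifier packs the first two arcs
    return ".".join(map(str, [root, arcs[0] - 40 * root] + arcs[1:]))

def outer_sigalg_oid(pem):
    """Signature algorithm OID of a PEM CSR or certificate (same outer layout)."""
    der = pem_to_der(pem)
    t0, s0, _ = read_tlv(der, 0)       # outer SEQUENCE
    t1, _, e1 = read_tlv(der, s0)      # signed body: request info or TBSCertificate
    t2, s2, _ = read_tlv(der, e1)      # AlgorithmIdentifier
    t3, s3, e3 = read_tlv(der, s2)     # algorithm OID
    if (t0, t1, t2, t3) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a CSR/certificate-shaped structure")
    return decode_oid(der[s3:e3])
```

Call outer_sigalg_oid(open("falcon1024csr.pem").read()) and the same on falcon1024sub.pem: the CSR should report the OID of the -sigalg used for newcsr, and the issued certificate the OID of the -sigalg used for issue.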