Certifying an ML-DSA-65 keypair as a self-signed root certificate

See below how to generate a key pair with the ML-DSA-65 algorithm and certify it as a self-signed root certificate.


The examples below shorten request and certificate contents with an ellipsis ("...") for legibility.

Generating a key pair with the ML-DSA-65 algorithm

Generate the key pair with the pkiutil keygen command. For example:

./pkiutil.sh keygen -alg ML-DSA-65-ipd -pubout mldsa65_pub.pem -privout mldsa65_priv.pem

Generating a Root Certificate

Generate the self-signed root certificate with the pkiutil newca command. For example:

./pkiutil.sh newca -capubkey mldsa65_pub.pem -caprivkey mldsa65_priv.pem -certout mldsa65cacert.pem -dn cn=mldsa65testcert,ou=myorg,c=ca -sigalg ML-DSA-65-ipd

The command saves the certificate to the file given with -certout. The output looks like the following.

mldsa65cacert.pem
-----BEGIN CERTIFICATE-----
MIIGoTCCA/ICAQAwUDEL...TMoVuElXwJkZbxqTu/Sg
-----END CERTIFICATE-----

Verifying the certificate

Verify the certificate with the pkiutil verify -cer <cer> command. For example:

./pkiutil.sh verify -certchain mldsa65cacert.pem
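
As a cross-check that does not depend on pkiutil, the following added example (not part of the pkiutil documentation) parses a PEM certificate and reports the signature algorithm OID, whether the inner and outer algorithm fields agree, and whether issuer equals subject, as expected for a self-signed root. It does not verify the ML-DSA signature. The sample certificate is a constructed skeleton with dummy key and signature bytes, and it assumes the FIPS 204 ML-DSA-65 OID 2.16.840.1.101.3.4.3.18; the OID pkiutil writes for ML-DSA-65-ipd is not stated on this page.

```python
import base64

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def oid_str(body):
    """Decode OID content bytes to dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def inspect_root(pem):
    """Structural checks on a self-signed root; the signature is NOT verified."""
    lines = pem.strip().splitlines()
    if (lines[0], lines[-1]) != ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"):
        raise ValueError("not a PEM CERTIFICATE block")
    (_, tbs), (_, outer_alg), _ = children(read_tlv(base64.b64decode("".join(lines[1:-1])))[1])
    f = [c for c in children(tbs) if c[0] != 0xA0]  # drop the optional [0] version field
    return {"sig_alg_oid": oid_str(children(outer_alg)[0][1]),
            "alg_fields_match": f[1][1] == outer_alg,  # tbs.signature == signatureAlgorithm
            "self_issued": f[2][1] == f[4][1]}          # issuer == subject

# Constructed sample: certificate skeleton with dummy key/signature bytes (short-form lengths only).
_t = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)
ALG = _t(0x30, _t(0x06, bytes.fromhex("608648016503040312")))  # OID 2.16.840.1.101.3.4.3.18
NAME = _t(0x30, _t(0x31, _t(0x30, _t(0x06, b"\x55\x04\x03"), _t(0x0C, b"test"))))  # cn=test
VALID = _t(0x30, _t(0x17, b"250101000000Z"), _t(0x17, b"260101000000Z"))
TBS = _t(0x30, _t(0xA0, _t(0x02, b"\x02")), _t(0x02, b"\x01"), ALG, NAME, VALID, NAME,
         _t(0x30, ALG, _t(0x03, b"\x00\x00")))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    _t(0x30, TBS, ALG, _t(0x03, b"\x00\x00"))).decode() + "\n-----END CERTIFICATE-----\n")
```

Calling inspect_root(open("mldsa65cacert.pem").read()) applies the same checks to the file written by newca; a file carrying a different PEM label, such as a certificate request, is rejected with ValueError.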