Skip to main content

Tools that support EdDSA algorithm signing

Preface

EdDSA algorithm is not widely supported by most commercially available code signing tools. These instructions cover the tools we have verified to work for the commands below.

Tools that support EdDSA

Table 1. Tools that support EdDSA

Windows

Linux

pkcs11-tool

p11importcert

p11req

p11tool


Commands for Windows and Linux

Windows

Generate keypair

Command:

pkcs11-tool --module <path to smpkcs11.dll> --keypairgen --key-type="<key type>" --label <alias>

Command sample

pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --keypairgen --key-type="EC:edwards25519" --label eddsa-key-19101

Sign using keypair

Command:

pkcs11-tool --module <path to smpkcs11.dll> --sign --id <PKCS11 key ID> --mechanism EDDSA --input-file <unsigned file name> --output-file <signature file name>

Command sample:

pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --sign --id 35396437316330372d303639362d346335642d626566632d616563376463343865386466 --mechanism EDDSA --input-file client_sign_config.json --output-file client_sign_config_signed.json

Import certificate

Command:

pkcs11-tool --module <path to smpkcs11.dll> --write-object <path to certificate> --type cert --id <certificate alias>

Command sample:

pkcs11-tool --module C:\Users\Name\Desktop\smctl\smpkcs11.dll --write-object C:\Users\Name\Desktop\smctl\linux\eddsa-18209-cert.crt --type cert --id eddsa-key-18209

Linux

Generate keypair with pkcs11-tool

Command:

pkcs11-tool --module <path to smpkcs11.so> --keypairgen --key-type="<key algorithm and curve>" --label <keypair alias>

Command sample:

pkcs11-tool --module /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --keypairgen --key-type="EC:edwards25519" --label eddsa-key-19101

Generate keypair with p11tool

Command:

p11tool --provider <path to smpkcs11.so> --generate-privkey=<algorithm and curve> --label=<keypair alias>

Command sample:

p11tool --provider /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --generate-privkey=ed25519 --label=eddsa-key-18204

Generate CSR

Command:

p11req -l <path to smpkcs11.so> -i <keypair alias> -d '/CN=<common name of certificate>/OU=<organizational unit of certificate>/C=<country code>' -H <hash algorithm type>

Command sample:

p11req -l /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so -i eddsa-key1 -d '/CN=test/OU=my dept/C=BE' -H sha512

Sign using keypair with pkcs11-tool

Command:

pkcs11-tool --module <path to smpkcs11.dll> --sign --id <PKCS11 key ID> --mechanism EDDSA --input-file <unsigned file name> --output-file <signature file name>

Command sample:

pkcs11-tool --module /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so --sign --id 35396437316330372d303639362d346335642d626566632d616563376463343865386466 --mechanism EDDSA --input-file client_sign_config.json --output-file client_sign_config_signed.json

Import certificate

Command:

p11importcert -l <path to smpkcs11.so> -i <keypair alias> -f <path to certificate> -s 0

Command sample:

p11importcert -l /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so -i eddsa-key-18209 -f /mnt/c/Users/Name/Desktop/smctl/linux/eddsa-18209-cert.crt -s 0

Import keypair

Command:

p11tool --login --write --load-privkey <path to private key> --label "<keypair alias>" --provider <path to smpkcs11.so>

Command sample:

p11tool --login --write --load-privkey /mnt/c/Users/Name/Desktop/smctl/linux/privatekey.pem --label "eddsa-key-imported1" --provider /mnt/c/Users/Name/Desktop/smctl/linux/smpkcs11.so

Tip

To locate PKCS11 key ID:

  1. Run:

    pkcs11-tool --module <path to pkcs11.dll or pkcs11.so> --list-objects

  2. Identify the ID field of the keypair, this is the PKCS11 key ID.

© 2025 DigiCert, Inc.
Publication date: