ML-DSA examples creating a csr for ML-DSA-44 -65 or -87

ML-DSA keys can be generated by the HSM in the CKDemo tool, or via your client application.

When generating CSR from the HSM, CMU assumes ML-DSA-87 as the default signature algorithm. It is important to specify -65 or -44 in the generation if either of those sizes are needed instead. Some Certificate Authorities are forgiving and will ignore missing or incorrect flags of ML-DSA key size, and simply accept and adapt to what they receive from you, as long as it is properly formed. Others are more strict and will reject a size they are not expecting.

For ML-DSA-44:

cmu requestcertificate -password=default1 -slot=7 -privatehandle=1804 -publichandle=1828 -c=CA -s=ON -l=Ottawa -o=Thales -ou=CS -cn=CERT_REQ_44_CA2_20250508161858 -e=somefellow@thales.com -mldsa_44 -outputfile=CERT_REQ_44_CA2_20250508161858.req

For ML-DSA-65:

cmu requestcertificate -password=default1 -slot=7 -privatehandle=1612 -publichandle=1608 -c=CA -s=ON -l=Ottawa -o=Thales -ou=CS -cn=CERT_REQ_65_CA2_20250508161914 -e=somefellow@thales.com -mldsa_65 -outputfile=CERT_REQ_65_CA2_20250508161914.req

For ML-DSA-87:

cmu requestcertificate -password=default1 -slot=7 -privatehandle=1217 -publichandle=1195 -c=CA -s=ON -l=Ottawa -o=Thales -ou=CS -cn=CERT_REQ_87_CA2_20250508161930 -e=somefellow@thales.com -mldsa_87 -outputfile=CERT_REQ_87_CA2_20250508161930.req

If you are not sure, you can query the attributes of the keys that you input to the csr.



	SUPPORT	LEGAL
Luna Network HSM 7 Documentation © Copyright 2001-2025, Thales Group Last Updated: 2025-10-28 08:00:20 GMT-05:00	Customer Release Notes Customer Support Portal Support Contacts	End User License Agreement Third Party Software Licenses Document Information