OPENSSL_KEYALG=ec OPENSSL_KEYBITS=brainpoolP256r1 ./mkcert.sh genee \
"Server ECDSA brainpoolP256r1 cert" server-ecdsa-brainpoolP256r1-key \
server-ecdsa-brainpoolP256r1-cert rootkey rootcert
+
+openssl req -new -nodes -subj "/CN=localhost" \
+ -newkey rsa-pss -keyout server-pss-restrict-key.pem \
+ -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \
+ ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \
+ server-pss-restrict-cert rootkey rootcert
+
+# CT entry
+./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key