Implementing TLS connection using KEM algorithms

[octapi345]

I am currently trying to implement a TLS connection using the openssl C API. I would like the connection to use the KEM TLS handshake. As I understand it, the server needs to have a certificate containing its KEM public key. However, so far I have been unable to generate a valid certificate containing the KEM key. When i look into how to generate a certificate on the openssl documentation I find the X509_sign function which only allows signature algorithms. How can i generate a valid certificate for a PQ KEM algorithm through the API?

[baentsch]

As I understand it, the server needs to have a certificate containing its KEM public key.

Where did you get this understanding from? Please see our usage sample. Please note that the cert needs to contain a sig alg, not a KEM alg.

[octapi345]

Thank you for your quick response
I got that understanding from this document regarding KEM-based authentication for TLS https://www.ietf.org/archive/id/draft-celi-wiggers-tls-authkem-02.html
If I do not provide the SSL_CTX object the KEM key pair than how can I define what KEM algorithm to use within the API?

[baentsch]

how can I define what KEM algorithm to use

Pass a suitable -groups command line parameter as per the sample code

within the API

Please look up the API that the -groups command line parameter invokes.