Might be more of a Feature Request, but shouldn't it be possible to use an EC key for the certificate (the CSR, the PKCS#10) but specify another RSA key (from another certificate) for the PKCS#7 wrapper??
The idea would be to have options to do like this https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/enrolling_a_certificate_in_a_cisco_router#issuing-ecc-certificates-with-scep
I suppose it's possible but it is not likely something we would prioritize.
Is the project targeting quantum resistant crypto? The roadmap is empty (or managed elsewhere)
In the meantime, Embedded devices, "IoT" could benefit from Active Directory Certificate Service and their "Network Device Enrolment Service NDES" SCEP server implementation.
to comment on this ticket.