Looks good, that was my initial take too.
However, I wonder why not generalize it further instead of relying on 
EC_* / RSA_* specific methods?
A more generic approach might be worth considering.
Even so, the code looks good — I’ll test it out and send more feedback.

On 5/27/26 3:10 AM, David Leadbeater wrote:
>> While reading ca.c and ssl.c in relayd, i noticed that only RSA CA keys seem
>> to be supported.
>> Is this intentional, or would support for EC CA keys be acceptable?
>> I can work on this if there is interest.
> Seehttps://marc.info/?l=openbsd-tech&m=177713980331541&w=2
>
> Tests would be welcome.