CMS Encrypt

Bring your own ML-KEM recipient certificate

EnvelopedData needs a recipient certificate carrying an ML-KEM public key. The playground can't issue one for you: ML-KEM is a key-encapsulation algorithm, not a signing one, so the key can't sign its own CSR (proof-of-possession) — the standard certificate flow rejects it. Upload an ML-KEM certificate obtained elsewhere (for example, issued by a CA with `openssl x509 -force_pubkey`). Encryption below works as soon as a valid ML-KEM recipient certificate is provided.

If you don't have a file, type any text here. It will be wrapped as the operation payload.