CMS Encrypt
Produce a CMS EnvelopedData targeted at a recipient certificate's public key.
Bring your own ML-KEM recipient certificate
EnvelopedData needs a recipient certificate carrying an ML-KEM public key. The playground can't issue one for you: ML-KEM is a key-encapsulation algorithm, not a signing one, so the key can't sign its own CSR (proof-of-possession) — the standard certificate flow rejects it. Upload an ML-KEM certificate obtained elsewhere (for example, issued by a CA with `openssl x509 -force_pubkey`). Encryption below works as soon as a valid ML-KEM recipient certificate is provided.