The command keytool -genkeypair -keyalg ec -keysize 256 -dname "CN=me" -keystore mycert.jks using JDK 11 generates the following signature:

220:   SEQUENCE {
222:     OBJECT IDENTIFIER ecdsa-with-Sha256 (1.2.840.10045.4.3.2)
232:     NULL
       }
234:   BIT STRING, encapsulates {
237:     SEQUENCE {
239:       INTEGER
             71 51 7a 19 ac 22 92 ef 3b 6d f8 1c 5f d6 5f 89
             3f 69 bf 84 aa ac a3 00 fb 3e 31 ef 3f b3 ea b4
273:       INTEGER
             1a 07 d1 24 fd b8 1d c8 70 ca 0d ab 35 b1 d0 d5
             b6 e2 b7 d7 02 38 36 63 d6 db ff ea 7f f0 7d a9
         }
       }
     }

AFAICT, "NULL" shouldn't be there although it in practice seems to be benign.

It could be an idea to fix it for EdDSA which I guess suffers from the same problem.

https://tools.ietf.org/html/rfc5758#section-3.2

Regards,
Anders