certtool automatically applies "digital signature" usage flag for EdDSA and other certificates
the relevant bits of generate_certificate() in src/certtool.c say:
    if (!ca_status || server) {
        if (pk == GNUTLS_PK_RSA ||
            pk == GNUTLS_PK_GOST_01 ||
            pk == GNUTLS_PK_GOST_12_256 ||
            pk == GNUTLS_PK_GOST_12_512) { /* DSA and ECDSA keys can only sign. */
            result = get_sign_status(server);
            if (result)
                usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
            result = get_encrypt_status(server);
            if (result)
                usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
        } else {
            usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
        }
This suggests that as long as the generated certificate is not a CA, and it is not one of the selected algorithms, it must have the "digital signature" flag set in its usage field.
But RFC 8410 suggests, for example, that an end-entity certificate using Ed25519 with only the "non-repudiation" usage set should be acceptable.
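To make the mismatch concrete, below is an added Python model of the quoted branch next to a checker for the RFC 8410 section 5 keyUsage rules. It is illustration written for this report, not GnuTLS code: the bit values are assumed to match the GNUTLS_KEY_* constants in gnutls/x509.h, the algorithm strings stand in for the GNUTLS_PK_* enum, and the RFC checker only encodes the "MUST contain one or more of" requirement for Ed25519/Ed448 and the keyAgreement requirement for X25519/X448.

```python
# Added illustration for this issue, not code from GnuTLS or certtool.
# Bit values assumed to match GNUTLS_KEY_* in gnutls/x509.h (X.509
# KeyUsage BIT STRING numbering); pk names stand in for GNUTLS_PK_*.
DIGITAL_SIGNATURE = 128
NON_REPUDIATION = 64
KEY_ENCIPHERMENT = 32
DATA_ENCIPHERMENT = 16
KEY_AGREEMENT = 8
KEY_CERT_SIGN = 4
CRL_SIGN = 2
ENCIPHER_ONLY = 1
DECIPHER_ONLY = 32768

# Algorithms for which the quoted branch consults
# get_sign_status()/get_encrypt_status() instead of forcing a bit.
PROMPTED_FOR_USAGE = {"RSA", "GOST_01", "GOST_12_256", "GOST_12_512"}


def certtool_usage(pk, ca_status, server, want_sign=False,
                   want_encrypt=False, usage=0):
    """Model of the quoted generate_certificate() branch.

    `usage` carries bits collected before this point (e.g. non_repudiation
    from the template); `want_sign`/`want_encrypt` stand in for what
    get_sign_status()/get_encrypt_status() would answer.
    """
    if not ca_status or server:
        if pk in PROMPTED_FOR_USAGE:
            if want_sign:
                usage |= DIGITAL_SIGNATURE
            if want_encrypt:
                usage |= KEY_ENCIPHERMENT
        else:
            # Every other algorithm, Ed25519 included, gets
            # digitalSignature whether or not it was asked for.
            usage |= DIGITAL_SIGNATURE
    return usage


def rfc8410_key_usage_ok(pk, usage, ca_status):
    """RFC 8410 section 5 requirements on a keyUsage extension that is present."""
    if pk in ("ED25519", "ED448"):
        required_any = NON_REPUDIATION | DIGITAL_SIGNATURE | CRL_SIGN
        if ca_status:
            required_any |= KEY_CERT_SIGN
        # At least one of the listed signature-type bits must be set;
        # nonRepudiation on its own satisfies this.
        return usage & required_any != 0
    if pk in ("X25519", "X448"):
        # keyAgreement is mandatory; only encipherOnly/decipherOnly may join it.
        allowed = KEY_AGREEMENT | ENCIPHER_ONLY | DECIPHER_ONLY
        return usage & KEY_AGREEMENT != 0 and usage & ~allowed == 0
    return True  # RFC 8410 places no rule on other algorithms


def non_repudiation_only_reachable(pk):
    """Can the modelled branch emit an end-entity certificate whose keyUsage
    is exactly nonRepudiation, a value RFC 8410 accepts for Ed25519?"""
    got = certtool_usage(pk, ca_status=False, server=False,
                         usage=NON_REPUDIATION)
    return got == NON_REPUDIATION


if __name__ == "__main__":
    for pk in ("ED25519", "RSA"):
        print(pk, "nonRepudiation-only reachable:",
              non_repudiation_only_reachable(pk),
              "RFC 8410 accepts it:",
              rfc8410_key_usage_ok(pk, NON_REPUDIATION, False))
```

Running it shows the asymmetry the report describes: for RSA the branch leaves a nonRepudiation-only usage untouched (both prompts answered "no"), while for Ed25519 the same template always comes out as nonRepudiation|digitalSignature, even though the RFC checker accepts nonRepudiation alone.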