Spork 101
Certificate authorities explained
🏛️ Think of the DMV
The DMV checks who you are. Then it gives you a driver's license. That license proves your identity to anyone who sees it.
A Certificate Authority (CA) does the same thing for websites. It checks who owns a website. Then it gives that website a certificate.
- DMV: checks your identity, then gives you a license.
- CA: checks a website's identity, then gives it a certificate.
📄 What Does a Certificate Do?
A certificate proves identity. When you visit a website, your browser checks the site's certificate. If the certificate is valid, you see a padlock icon. That padlock means the site is who it claims to be.
🔗 How Trust Works
Your browser has a built-in list of trusted CAs. When a website shows a certificate, the browser checks which CA signed it. If that CA is on the trusted list, the browser accepts the certificate.
This system is called PKI (Public Key Infrastructure). PKI is the set of CAs, certificates, and rules that make online trust work.
✍️ Certificates Contain Signatures
When a CA issues a certificate, it signs it. A signature is like a wax seal on a letter. It proves the certificate came from a real CA and has not been changed.
Those signatures use math. Today, most CAs use math called RSA or ECDSA.
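The trust-list check and the CA signature described above, as an added example (not code from Spork or from this page). It uses Go's standard library with ECDSA to create a CA, sign a website certificate, and run the same check a browser runs. The CA names, the host `shop.example`, and the helpers `must`, `issue` and `trusted` are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(fmt.Sprint("setup failed: ", err))
	}
	return v
}

// issue makes a self-signed root CA when parent is nil, else a site certificate signed by parent.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // a root CA signs itself and is allowed to sign other certificates
		t.IsCA, t.KeyUsage, t.DNSNames, parent, parentKey = true, x509.KeyUsageCertSign, nil, t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// trusted is the browser's check: nil only if cert is for host and a CA on trustList signed it.
func trusted(cert *x509.Certificate, host string, trustList ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, ca := range trustList {
		roots.AddCert(ca)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	listed, listedKey := issue("Constructed Listed CA", nil, nil)
	unlisted, _ := issue("Constructed Unlisted CA", nil, nil)
	site, _ := issue("shop.example", listed, listedKey)
	fmt.Println("listed CA:", trusted(site, "shop.example", listed))
	fmt.Println("unlisted CA:", trusted(site, "shop.example", unlisted))
}
```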
⚠️ That Math Will Break
Quantum computers solve certain math problems very fast. RSA and ECDSA rely on exactly those problems. A powerful enough quantum computer will break them.
A broken signature means the certificate cannot be trusted. It is like a wax seal that anyone can forge.
💡 New Math Exists
NIST (the U.S. standards agency) spent eight years finding new math that quantum computers cannot break. They published the final standards in August 2024.
CAs need to switch to this new math. That is what "upgrading" means.
🥄 CA Software
Spork is CA software. It issues and manages certificates. It runs the same services that large commercial CAs run, but in a single program.
Spork is written in Rust. Rust is a programming language designed to prevent common security bugs like memory errors.
🔐 Quantum-Safe From Day One
Spork supports the new NIST algorithms alongside the old ones. You can issue certificates with old math, new math, or both at the same time.
🧰 Built-In Toolkit
- OCSP — Answers the question: "Is this certificate still valid?"
- CRL — A published list of revoked (canceled) certificates.
- ACME — Automatic certificate issuing. No manual steps needed.
- EST — Enterprise enrollment. For organizations with many servers.
- SCEP — Device enrollment. For phones, routers, and IoT devices.