Spork.
A pure-Rust post-quantum certificate authority. Signs with ML-DSA and SLH-DSA as first-class options alongside classical ECDSA / RSA / Ed25519. Currently alpha. Will run the Quantum Nexum PKI when the refactor lands; self-hostable today.
What it does
- CA hierarchy: root + policy + issuing tiers, chain validation
- ML-DSA-65/87: FIPS 204 signatures throughout the chain
- SLH-DSA: FIPS 205 hash-based signatures
- classical: ECDSA P-256/P-384, RSA 2048–4096, Ed25519
- ACME: RFC 8555 — certbot-compatible enrollment
- EST: RFC 7030 enrollment over secure transport
- SCEP: legacy device enrollment
- OCSP: online certificate status responder
- CRLs: full + delta CRL generation
- spork-shell: `repl` for interactive CA management
Design
Spork is built in pure Rust with no OpenSSL dependency. CAs are security-critical infrastructure; memory-safety bugs in CA software have historically led to serious vulnerabilities, and Rust removes whole classes of those. Cryptographic primitives come from the well-audited RustCrypto project — pure-Rust implementations of the lattice and hash-based schemes. The few C dependencies (SQLite, TLS) are vendored and isolated.
Where it fits
Spork is for private CAs: certificate authorities you run inside your own organization or lab, where you control which roots are trusted. Certificates issued from a Spork CA are not publicly trusted — browsers don't ship with your root, so visitors to your site will see a security warning unless they install your CA bundle first.
If you want PQ-signed certificates without running your own CA, the Quantum Nexum ACME endpoint issues them from the public Quantum Nexum PKI. The same private-root caveat applies; install the QN CA bundle.
Status
Alpha. See the Spork v0.2.0-alpha release notes. Downloads aren't publicly available yet; if you have a concrete use case and want an early build, email hello@quantumnexum.com with a short description. Builds go to people who'll exercise them.
Licensing
Spork is licensed under BSL 1.1 (Business Source License). Evaluation and testing are free with no time limit. Production deployments require a commercial license; for terms contact licensing@quantumnexum.com.
Known limitations
- Web UI is partial — the CLI is the primary interface today.
- HSM integration is partial — SoftHSM works; hardware HSMs need testing.
- Linux x86_64 only. macOS and Windows builds depend on demand.
- Not yet security-audited. Third-party audit planned for v1.0.