A Rust-based, post-quantum Certificate Authority
SPORK is a PKI suite written in Rust with native support for ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) signatures. It handles certificate issuance and revocation, and provides protocol servers (ACME, EST, SCEP) as well as client tools for PKI operations.
v0.4.0-beta.14 ships the ACME server as the first standalone beta product: an RFC 8555 certificate automation server with CAA validation, an admin dashboard, and CRL lifecycle management. Whether you're building a lab PKI, replacing aging Windows CA infrastructure, or preparing your organization for cryptographic agility, Spork provides a modern, auditable, and memory-safe foundation.
Why Spork?
Memory Safe
No OpenSSL. Rust CA engine with minimal vendored C. No buffer overflows, no memory corruption.
Post-Quantum Ready
ML-DSA (FIPS 204) signatures. Classical, PQ, and hybrid modes supported.
Kernel Architecture
All operations flow through spork-core. Consistent policy enforcement, full audit trail.
Single Binary
Deploy anywhere. No runtime dependencies. No complex installation procedures.
SPORK CLI
The spork command replaces OpenSSL. View certs, probe TLS, lint security, enroll via ACME/EST/SCEP.
Current Capabilities
| Capability | Details |
|---|---|
| Version | v0.4.0-beta.14 |
| Classical Algorithms | ECDSA P-256/P-384, RSA 2048/4096 |
| Post-Quantum Algorithms | ML-DSA-44/65/87 (FIPS 204), SLH-DSA-SHA2-128s/192s/256s (FIPS 205) |
| Hybrid Algorithms | ECDSA + ML-DSA composite signatures (draft specification) |
| CA Hierarchy | Root, Policy, Issuing CAs with full path validation |
| Revocation | CRL generation with 7-day lifecycle, automatic 6-hour regeneration |
| Storage | SQLite (lab, test, and small deployments) |
| Interface | CLI (REST API roadmapped) |
| SPORK CLI | PKI file viewer, TLS probing, certificate linting, ACME/EST/SCEP clients |
| Protocol Servers | ACME (RFC 8555) with CAA validation (RFC 8659), EST (RFC 7030), SCEP (RFC 8894), OCSP |
| Protocol Clients | ACME, EST, SCEP enrollment clients |
| Admin Dashboard | Web-based CA status, certificate metadata, operational controls |
| Installer | Self-extracting installer with SHA3-256 verification and Ed25519 signing |
PostgreSQL support planned for production and HA deployments.
Roadmap
| Release | Focus |
|---|---|
| v0.3.x | Alpha refinement, certbot-style automation, enrollment controls |
| v1.0.0 | Security audit, HA clustering |
What's New in v0.4.0-beta.14
February 2026 - ACME Server Release
CRL Lifecycle
7-day validity, automatic 6-hour regeneration via systemd timer
Admin Dashboard
Web-based CA status, certificate metadata, operational controls
Contact Enforcement
RFC 8555 mailto: required, InvalidContact on failure
CA Lockdown
CA_LOCKED flag after initial setup, manual admin unlock
Terms of Service
14-section subscriber agreement with explicit acceptance
CAA Validation
RFC 8659 checks before every issuance
See v0.2.1 for previous release.
Version Comparison
Track feature progression across releases.
| Feature | Spork v0.1.0 | AD CS | Keyfactor | step-ca |
|---|---|---|---|---|
| Classical Crypto | ECDSA, RSA | Yes | Yes | Yes |
| PQC Support | No | Unknown | Unknown | Unknown |
| Root CA | Yes | Yes | Yes | Yes |
| Cert Issuance | Yes | Yes | Yes | Yes |
| OCSP | No | Yes | Yes | Yes |
| CRL | No | Yes | Yes | Unknown |
| ACME | No | Unknown | Unknown | Yes |
| Deployment | Single binary | Windows Server | Complex | Single binary |
| Language | Rust | C/C++ | Java | Go |
v0.1.0 - October 2025 - Initial Release
Root CA, certificate issuance, ECDSA/RSA support
Next: v0.1.5 adds OCSP, CRL, scheduler
| Feature | Spork v0.1.5 | AD CS | Keyfactor | step-ca |
|---|---|---|---|---|
| Classical Crypto | ECDSA, RSA | Yes | Yes | Yes |
| PQC Support | No | Unknown | Unknown | Unknown |
| Root CA | Yes | Yes | Yes | Yes |
| Cert Issuance | Yes | Yes | Yes | Yes |
| OCSP | Yes | Yes | Yes | Yes |
| CRL | Yes | Yes | Yes | Unknown |
| Scheduler | Yes | Yes | Yes | Unknown |
| Notifications | Yes | Limited | Yes | Unknown |
| ACME | No | Unknown | Unknown | Yes |
| Deployment | Single binary | Windows Server | Complex | Single binary |
| Language | Rust | C/C++ | Java | Go |
v0.1.5 - December 2025 - Protocols
Added OCSP responder, CRL generation, scheduler, notifications
Next: v0.2.0 adds PQC algorithms, ACME/EST/SCEP
| Feature | Spork v0.2.0 | AD CS | Keyfactor | step-ca |
|---|---|---|---|---|
| Classical Crypto | ECDSA, RSA | Yes | Yes | Yes |
| PQC Support | ML-DSA, SLH-DSA | Unknown | Unknown | Unknown |
| Hybrid Signatures | ECDSA + ML-DSA | Unknown | Unknown | Unknown |
| OCSP | Yes | Yes | Yes | Yes |
| CRL / Delta CRL | Yes / Yes | Yes / Yes | Yes / Yes | Unknown |
| ACME Server | Yes | Unknown | Unknown | Yes |
| EST Server | Yes (RFC 7030) | Yes | Yes | Unknown |
| SCEP Server | Enrollment Only | Yes | Yes | Unknown |
| Deployment | Single binary | Windows Server | Complex | Single binary |
| Language | Rust | C/C++ | Java | Go |
v0.2.0 - January 15, 2026 - PQC Release
ML-DSA (FIPS 204), SLH-DSA (FIPS 205), hybrid signatures, ACME/EST/SCEP servers
Next: v0.2.1 adds 100% RFC 8555, web installer, EAB
| Feature | Spork v0.2.1 | AD CS | Keyfactor | step-ca |
|---|---|---|---|---|
| PQC Support | ML-DSA (FIPS 204) | Unknown | Unknown | Unknown |
| Hybrid Signatures | ECDSA + ML-DSA | Unknown | Unknown | Unknown |
| ACME | Yes (RFC 8555) | Unknown | Unknown | Yes |
| EST | Yes (RFC 7030) | Unknown | Unknown | Unknown |
| SCEP | Yes | Unknown | Unknown | Unknown |
| OCSP | Yes (RFC 6960) | Unknown | Unknown | Unknown |
| CRL / Delta CRL | Yes / Yes | Yes / Yes | Yes / Yes | Unknown |
| CLI Client Tool | Yes (spork) | Unknown | Unknown | Unknown |
| ACME EAB | Yes | Unknown | Unknown | Yes |
| Web Installer | Self-extracting | Unknown | Yes | Unknown |
| Deployment | Single binary | Windows Server | Complex | Single binary |
| Language | Rust | C/C++ | Java | Go |
v0.2.1 - January 22, 2026 - Compliance Release
100% RFC 8555 ACME, web installer, External Account Binding (EAB), SPORK CLI
Next: v0.4.0-beta.14 adds ACME server product, CAA, admin dashboard
| Feature | Spork v0.4.0-beta.14 | AD CS | Keyfactor | step-ca |
|---|---|---|---|---|
| PQC Support | ML-DSA + SLH-DSA | Unknown | Unknown | Unknown |
| Hybrid Signatures | ECDSA + ML-DSA | Unknown | Unknown | Unknown |
| ACME | Yes (RFC 8555) | Unknown | Unknown | Yes |
| CAA Validation | Yes (RFC 8659) | Unknown | Unknown | Unknown |
| TLS-ALPN-01 | Planned | Unknown | Unknown | Yes |
| EST | Yes (RFC 7030) | Unknown | Unknown | Unknown |
| SCEP | Enrollment Only | Unknown | Unknown | Unknown |
| OCSP | Yes (RFC 6960) | Unknown | Unknown | Unknown |
| CRL Lifecycle | 7-day, auto-regen | Unknown | Unknown | Unknown |
| Delta CRL | Yes | Unknown | Unknown | Unknown |
| Admin Dashboard | Yes (web UI) | MMC snap-in | Yes | Unknown |
| HA Clustering | No | Unknown | Unknown | Unknown |
| HSM Support | SoftHSM | Unknown | Unknown | Unknown |
| Security Audit | No | Unknown | Unknown | Unknown |
| Platform | Linux | Windows only | Cross-platform | Cross-platform |
| Deployment | Single binary | Windows Server | Complex (Java) | Single binary |
| Language | Rust | C/C++ | Java | Go |
| License | BSL 1.1 | Windows CAL | Commercial | Apache 2.0 |
| CLI Client Tool | Yes (spork) | Unknown | Unknown | Unknown |
| TLS Probing (PQC) | Yes | Unknown | Unknown | Unknown |
| Certificate Linting | 11+ checks | Unknown | Unknown | Unknown |
| Protocol Clients | ACME, EST, SCEP | Unknown | Unknown | ACME only |
| ACME EAB | Yes | Unknown | Unknown | Yes |
| Installer | Self-extracting, Ed25519 signed | Unknown | Yes | Unknown |
v0.4.0-beta.14 - February 2026 - ACME Server Release
ACME server product, CRL lifecycle, admin dashboard, CAA validation, contact enforcement, CA lockdown, Terms of Service
| Feature | Spork v1.0 | AD CS | Keyfactor | step-ca |
|---|---|---|---|---|
| PQC Support | ML-DSA + SLH-DSA | Unknown | Unknown | Unknown |
| Hybrid Signatures | ECDSA + ML-DSA | Unknown | Unknown | Unknown |
| ACME | Yes (RFC 8555) | Unknown | Unknown | Yes |
| EST | Yes (RFC 7030) | Unknown | Unknown | Unknown |
| SCEP | Yes | Unknown | Unknown | Unknown |
| OCSP | Yes (RFC 6960) | Unknown | Unknown | Unknown |
| CRL Generation | Yes | Unknown | Unknown | Unknown |
| Delta CRL | Yes | Unknown | Unknown | Unknown |
| HA Clustering | Yes | Unknown | Unknown | Unknown |
| HSM Support | PKCS#11 | Unknown | Unknown | Unknown |
| Web Admin | Yes | Unknown | Unknown | Unknown |
| Security Audit | Third-party | Unknown | Unknown | Unknown |
| Platform | Linux | Windows only | Cross-platform | Cross-platform |
| Deployment | Single binary | Windows Server | Complex (Java) | Single binary |
| Language | Rust | C/C++ | Java | Go |
| License | BSL 1.1 | Windows CAL | Commercial | Apache 2.0 |
v1.0.0 Target - Production-ready release
AD CS: Microsoft Active Directory Certificate Services. Keyfactor: Enterprise PKI platform (owns EJBCA). step-ca: Smallstep open-source CA.