QUANTUM NEXUM

ACME server.

Spork ships a standalone ACME server, spork-acme, for automating certificate issuance inside private PKI environments. It implements the core RFC 8555 flows — directory, nonce, account, order, finalize, revoke, key-change — and supports the http-01, dns-01, and tls-alpn-01 (RFC 8737) challenge types. The focus of this page is self-hosted operation.

The Quantum Nexum hosted ACME endpoint is planned, gated on the PKI refactor. It is not live yet. See /acme/ for status.

Interactive setup

The --setup flag launches an interactive wizard that walks through CA configuration, TLS certificate generation, and bind address selection.

# Interactive setup — creates CA, configures TLS, sets bind address
spork-acme --setup

Starting the server

# Basic startup with existing CA
spork-acme \
  -s /opt/spork-acme \
  --port 8443 \
  --external-url https://acme.example.com

# With explicit host binding
spork-acme \
  -s /var/lib/spork/acme \
  --host 0.0.0.0 \
  --port 443 \
  --external-url https://acme.example.com

Server options

Flag                        Description
-s, --state-dir <PATH>      CA storage directory
--port <PORT>               Listen port [default: 8080]
--host <ADDR>               Bind address [default: 0.0.0.0]
--external-url <URL>        Public URL used in ACME responses
--tls-cert <FILE>           Enable HTTPS (certificate file)
--tls-key <FILE>            Enable HTTPS (private key file)
--cdp-url <URL>             CRL distribution point URL
--aia-base-url <URL>        Base URL for AIA/OCSP pointers
--caa-identity <NAME>       CAA identity for this server instance (repeatable)
--log-level <LEVEL>         trace, debug, info, warn, error
--setup                     Force interactive setup wizard

Validation methods

Type          Description
http-01       Place a token file at /.well-known/acme-challenge/ over HTTP
dns-01        DNS TXT record — supports wildcard certificates
tls-alpn-01   RFC 8737 — serve a special certificate on port 443 with ALPN protocol acme-tls/1
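What the server actually compares during http-01 and dns-01 validation is the key authorization from RFC 8555 section 8.1: the challenge token joined to the RFC 7638 thumbprint of the account key. The following is an added example, written for this page and not code from spork-acme, showing that computation and the defender-side checks around it (token character validation before the token is embedded in a URL path, tolerance for trailing whitespace only, and the hashed form used for the dns-01 TXT record). The JWK coordinates and token below are constructed sample values.

```python
import base64
import hashlib
import json
import re

# RFC 8555 section 8.3: a token is a base64url string with at least 128 bits of
# entropy (22 base64url characters). Rejecting anything else also keeps the token
# safe to embed in the /.well-known/acme-challenge/<token> path.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# RFC 7638 section 3.2: the required members hashed for each key type.
_THUMBPRINT_MEMBERS = {
    "EC":  ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),   # RFC 8037 keys such as Ed25519
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_token(token: str) -> bool:
    return bool(_TOKEN_RE.match(token))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (sorted keys, no whitespace) of
    the required members only; optional members such as 'kid' are excluded."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_http01_body(token: str, account_jwk: dict, body: bytes) -> bool:
    """Validate the body fetched from the challenge URL. RFC 8555 section 8.3
    lets the server ignore trailing whitespace; any other difference fails."""
    if not validate_token(token):
        return False
    try:
        text = body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.rstrip() == key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record at _acme-challenge.<name> holds
    base64url(SHA-256(keyAuthorization)), not the key authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed sample account key (P-256 shaped coordinates, not a real key in use).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# Constructed sample token.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    print("expected http-01 body:", ka)
    print("expected dns-01 TXT  :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print("body with trailing newline accepted:",
          check_http01_body(SAMPLE_TOKEN, SAMPLE_JWK, (ka + "\n").encode()))
```

The thumbprint is computed from the account key the server already holds, never from anything the challenge response contains, so a response can only pass by proving control of the name, not by supplying its own key material.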

CAA validation

Before every issuance, spork-acme checks DNS CAA records per RFC 8659. If a CAA record exists and does not include the server's configured identity in an issue or issuewild property, issuance is denied.

Aspect           Detail
Standard         RFC 8659 — DNS Certification Authority Authorization
No CAA record    Issuance proceeds (RFC 8659 Section 3)
Configuration    CAA identity set via --caa-identity; repeatable for multiple identities
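The decision above has more edge cases than the one-sentence summary suggests: the relevant record set is found by climbing from the name towards the root, issuewild overrides issue only for wildcard requests, an empty issuer name ("issue ;") forbids everyone, and an unrecognised property with the critical flag set must block issuance. The following is an added example, not spork-acme's own code, that implements those RFC 8659 section 3 and section 4 rules over a constructed in-memory zone; it assumes spork-acme applies the RFC precedence exactly as written, and it stands in for a real DNS lookup with a dictionary.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit value 128 is the RFC 8659 "issuer critical" flag
    tag: str     # property tag (issue, issuewild, iodef, ...), case-insensitive
    value: str   # property value, e.g. "acme.example.com; account=123" or ";"


KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # the tags RFC 8659 itself defines


def relevant_caa_rrset(zone: dict, fqdn: str) -> list:
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset
    found walking from the FQDN towards the root; a wildcard *.X starts at X."""
    name = fqdn.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_name(value: str) -> str:
    """The issuer domain name precedes the first ';'; parameters after it
    (e.g. account=...) are not evaluated in this example."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits_issuance(zone: dict, fqdn: str, identities, wildcard: bool = False):
    """Decide whether a CA configured with `identities` (the --caa-identity
    values) may issue for fqdn. Returns (allowed, reason)."""
    ids = {i.lower() for i in identities}
    rrset = relevant_caa_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA record in scope (RFC 8659 section 3)"
    # RFC 8659 section 4.1: an unrecognised property flagged critical blocks issuance.
    for r in rrset:
        if r.flags & 128 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property {r.tag!r}"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # RFC 8659 section 4.3: issuewild takes precedence for wildcard names; when no
    # issuewild exists, issue governs wildcards too. For non-wildcard names
    # issuewild is ignored entirely.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, "no issue/issuewild property constrains this name"
    for r in governing:
        n = issuer_name(r.value)
        if n and n in ids:
            return True, f"authorised by {r.tag} {r.value!r}"
    return False, "configured identity not authorised by CAA"


# Constructed sample zone (stands in for DNS); keys are owner names.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "acme.example.com; account=230123"),
        CAARecord(0, "issuewild", ";"),                 # no wildcard certs from anyone
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "future.example.com": [CAARecord(128, "newtag", "something")],
}

if __name__ == "__main__":
    ids = ["acme.example.com"]
    for fqdn, wild in [("www.example.com", False), ("*.example.com", True),
                       ("locked.example.com", False), ("future.example.com", False),
                       ("other.example.net", False)]:
        print(fqdn, caa_permits_issuance(SAMPLE_ZONE, fqdn, ids, wildcard=wild))
```

Two operational points follow from the code: identities are compared case-insensitively after trimming, so --caa-identity should be set to the exact issuer domain name you publish for subscribers; and because the lookup climbs to parent names, a CAA record on the apex constrains every subdomain that has none of its own.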

Admin dashboard

A web-based admin interface is available at /admin on the running server. It provides operational visibility without CLI access.

Section                 Shows
CA Status               Algorithm, key size, validity period, issuer chain
Certificate Metadata    Algorithm, key size, validity, fingerprint, friendly OID names
Operational Controls    Server status, CRL state, account overview

CRL lifecycle

CRL generation is automated and persists across server restarts.

Parameter       Value
CRL validity    7 days
Regeneration    Every 6 hours via systemd timer
Overlap         ~6.75-day buffer ensures continuous coverage
Persistence     CRL state survives server restarts

Contact enforcement

The Spork ACME server requires a valid mailto: contact during account registration — a policy choice stricter than RFC 8555, where contact is optional (§7.1.2). Accounts missing a valid contact are rejected with error type invalidContact.

CA lockdown

After initial setup, the server creates a CA_LOCKED flag. While locked, the CA rejects structural changes (new subordinates, algorithm changes). Manual admin unlock is required for reconfiguration.

Terms of Service

The server presents a 14-section subscriber agreement at account registration. Users must explicitly accept by entering "I ACCEPT" (case-insensitive) before account creation proceeds. The agreement includes an alpha notice stating that production use is not yet recommended.

RFC 8555 endpoints

Endpoint       Path
Directory      /directory
New Nonce      /acme/new-nonce
New Account    /acme/new-acct
New Order      /acme/new-order
Revoke Cert    /acme/revoke-cert
Key Change     /acme/key-change

Client configuration

Using certbot

# Register account
certbot register \
  --server https://acme.example.com/directory \
  --agree-tos \
  --email admin@example.com

# Request certificate (standalone mode)
certbot certonly --standalone \
  --server https://acme.example.com/directory \
  -d example.com -d www.example.com

# Request certificate (webroot mode)
certbot certonly --webroot \
  --server https://acme.example.com/directory \
  -w /var/www/html \
  -d example.com

Using the Spork CLI

# Register account
spork acme register \
  --email admin@example.com \
  --server https://acme.example.com/directory

# Order certificate
spork acme order example.com www.example.com

CA setup options

Option 1 — test CA hierarchy (self-signed)

Quick setup for testing and development:

# Create a root CA
spork init --type root \
  --algorithm mldsa65 \
  --subject "CN=Test Root CA" \
  --out ./pki/root

# Create an issuing CA signed by the root
spork init --type subordinate \
  --algorithm mldsa65 \
  --subject "CN=ACME Issuing CA" \
  --issuer ./pki/root \
  --out ./pki/issuing

Option 2 — Windows CA cross-signing (enterprise)

Integrate with existing Windows AD CS infrastructure:

# Generate CSR for Windows CA to sign
spork init --type subordinate \
  --algorithm ecdsa-p384 \
  --subject "CN=ACME Issuing CA,O=Example Org" \
  --csr-only \
  --out ./pki/issuing

# After Windows CA signs the CSR, import the signed certificate
spork import-cert \
  --ca ./pki/issuing \
  --cert signed-by-windows-ca.crt

Trust configuration

Clients must trust your root CA for issued certificates to validate.

Linux

sudo cp your-root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

macOS

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain your-root-ca.crt

Windows

certutil -addstore -f "ROOT" your-root-ca.crt

Standalone package

The ACME server (spork-acme) ships as part of the Spork package. The installer is a self-extracting archive verified with SHA3-256 checksums and Ed25519 signatures. Builds are distributed individually — see Download & install.

Tested platforms

Platform                      Status
Ubuntu 24.04 LTS (x86_64)     Tested
Rocky Linux 9 (x86_64)        Tested