← spork

CLI reference

The spork command handles certificates, keys, CSRs, CRLs, and protocol enrollment. Auto-detection identifies PEM/DER files, certificates, keys, CSRs, and CRLs without requiring you to specify the type explicitly. All commands accept -f json for script-friendly output.

Global options

File operations

spork show

Auto-detect and display any PKI file (certificates, keys, CSRs, CRLs). PKCS#12 detection is planned.

spork show <FILE> [OPTIONS]

Options:
  --all           Show all fields including extensions
  --fingerprint   Show certificate fingerprints
  --chain         Show full certificate chain

# Examples
spork show server.crt
spork show myca.crl
spork show request.csr
spork show private.key

spork cert show

Show certificate details with full analysis.

spork cert show <FILE> [OPTIONS]

Options:
  --all       Show all extensions and fields
  --chain     Show full certificate chain
  --verify    Verify against system trust store
  --lint      Run security linting checks

# Full analysis
spork cert show server.crt --all --lint

spork cert expires

Check certificate expiration dates across one or more files.

spork cert expires <FILES...> [OPTIONS]

Options:
  --within <DURATION>   Show only certs expiring within duration (e.g. 30d, 2w)
  --format <FMT>        Output format: text, json

# Show certs expiring within 30 days
spork cert expires /etc/ssl/certs/*.crt --within 30d

spork key gen

Generate private keys. Supported algorithms: ECDSA (P-256, P-384, P-521), RSA (2048, 3072, 4096), and Ed25519.

spork key gen <ALGORITHM> [OPTIONS]

Algorithms:
  ec        Elliptic curve (--curve: p256, p384, p521)
  rsa       RSA (--bits: 2048, 3072, 4096)
  ed25519   Ed25519

Options:
  --curve <CURVE>     EC curve [default: p384]
  --bits <BITS>       RSA key size [default: 4096]
  -o, --out <FILE>    Output file [default: stdout]
  --passphrase        Encrypt with passphrase

# Generate EC P-384 key
spork key gen ec --curve p384 -o private.key

# Generate RSA 4096 key with encryption
spork key gen rsa --bits 4096 --passphrase -o private.key

# Generate Ed25519 key
spork key gen ed25519 -o private.key

spork csr create

Create a certificate signing request.

spork csr create [OPTIONS]

Options:
  --key <FILE>        Private key file (generates new key if omitted)
  --subject <DN>      Subject distinguished name
  --san <SAN>         Subject Alternative Name (repeatable)
  -o, --out <FILE>    Output CSR file

# Create CSR with existing key
spork csr create \
  --key private.key \
  --subject "CN=example.com,O=Example Org" \
  --san DNS:example.com \
  --san DNS:www.example.com \
  -o request.csr

spork convert

Convert between PEM, DER, and Base64 formats.

spork convert <FILE> --to <FORMAT> [OPTIONS]

Formats: pem, der, base64

# Convert DER to PEM
spork convert cert.der --to pem -o cert.pem

CA management

spork init

Create a new CA directory. The --type flag controls whether it is self-signed (root) or cross-signed by an existing CA (subordinate). Algorithm names are undashed: mldsa44, mldsa65, mldsa87, ecdsa-p384, etc.

spork init [OPTIONS]

Options:
  --type <TYPE>           root | subordinate
  --algorithm <ALG>      Signature algorithm
  --subject <DN>         Subject distinguished name
  --validity-years <N>   CA certificate validity in years
  --issuer <DIR>          Signing CA directory (subordinate only)
  --out <DIR>             Output CA directory

# Root CA with ML-DSA-87
spork init \
  --type root \
  --algorithm mldsa87 \
  --subject "CN=Root CA,O=Example Org,C=US" \
  --validity-years 20 \
  --out ./pki/root

# Subordinate CA signed by root
spork init \
  --type subordinate \
  --algorithm mldsa65 \
  --subject "CN=Issuing CA,O=Example Org,C=US" \
  --validity-years 10 \
  --issuer ./pki/root \
  --out ./pki/issuing

spork issue

Issue a certificate from a CSR using an existing CA.

spork issue [OPTIONS]

Options:
  --ca <DIR>              CA directory
  --csr <FILE>            Certificate signing request
  --profile <NAME>        Certificate profile (e.g. tls-server, tls-client)
  --validity-days <N>     Certificate validity in days
  --san <SAN>             Subject Alternative Name (repeatable; overrides CSR)
  -o, --out <FILE>        Output certificate file

spork issue \
  --ca ./pki/issuing \
  --csr server.csr \
  --profile tls-server \
  --validity-days 365 \
  --out server.crt

spork revoke

Revoke a certificate and record the reason in the CA database.

spork revoke [OPTIONS]

Options:
  --ca <DIR>          CA directory
  --cert <FILE>       Certificate to revoke
  --reason <CODE>     Revocation reason (keyCompromise, cessationOfOperation, etc.)

spork revoke \
  --ca ./pki/issuing \
  --cert server.crt \
  --reason keyCompromise

spork crl gen

Generate or update a Certificate Revocation List.

spork crl gen [OPTIONS]

Options:
  --ca <DIR>        CA directory
  -o, --out <FILE>  Output CRL file

spork crl gen --ca ./pki/issuing -o issuing-ca.crl

spork status

Display CA status: certificate count, expiry of the CA certificate, CRL next-update, and a summary of issued and revoked certificates.

spork status --ca <DIR>

Server probing

spork probe server

Inspect a live TLS server. Detects PQC hybrid key exchange (e.g. X25519MLKEM768) and reports TLS version, cipher suite, certificate chain details, and any security warnings.

spork probe server <HOST> [OPTIONS]

Options:
  --port <PORT>       Port [default: 443]
  --sni <NAME>        Server Name Indication
  --timeout <SECS>    Connection timeout [default: 10]

# Example
spork probe server example.com
spork probe server example.com --port 8443

spork probe fetch

Fetch the certificate chain from a live TLS server and save it as a PEM file.

spork probe fetch <HOST> [OPTIONS]

Options:
  --port <PORT>      Port [default: 443]
  -o, --out <FILE>   Output file (PEM chain)

spork probe fetch example.com -o chain.pem

Certificate linting

spork lint

Run security checks against a certificate. Checks include: weak key algorithms (RSA < 2048, SHA-1), expiration, missing SANs, incorrect key usage / EKU, path length constraints, name constraint violations, and deprecated extensions. 11+ checks total.

spork lint <FILE> [OPTIONS]

Options:
  --strict    Treat warnings as errors
  -f json     JSON output for CI integration

spork lint server.crt
spork lint server.crt -f json

Protocol clients

spork acme

ACME client (RFC 8555). Compatible with any RFC-8555 server. Supports http-01, dns-01, and tls-alpn-01 challenges.

The Quantum Nexum ACME endpoint is not live yet — use example.com placeholders replaced with your own ACME server URL.

spork acme <COMMAND>

Commands:
  register    Register ACME account
  order       Request new certificate
  renew       Renew existing certificate (manual; automated renewal is planned)
  revoke      Revoke certificate

Challenges: http-01, dns-01, tls-alpn-01

# Register account
spork acme register \
  --email admin@example.com \
  --server https://acme.example.com/directory

# Order certificate (http-01)
spork acme order example.com www.example.com \
  --challenge http-01 \
  --out cert.pem

# Order certificate (tls-alpn-01)
spork acme order example.com \
  --challenge tls-alpn-01 \
  --out cert.pem

spork est

EST client (RFC 7030) for enterprise enrollment.

spork est <COMMAND>

Commands:
  cacerts     Fetch CA certificates
  enroll      Simple enrollment
  reenroll    Re-enrollment (renewal)

Options:
  --server <URL>        EST server URL
  --auth <METHOD>       Authentication: basic, cert
  --username            HTTP Basic username
  --client-cert         TLS client certificate

# Enroll with HTTP Basic auth
spork est enroll \
  --server https://est.example.com/.well-known/est \
  --auth basic --username device01 \
  --csr request.csr -o cert.pem

spork scep

SCEP client (RFC 8894) for legacy device support.

spork scep <COMMAND>

Commands:
  getcacert   Fetch CA certificate
  enroll      PKCSReq enrollment
  poll        Poll for pending certificate

# SCEP enrollment
spork scep enroll \
  --server https://scep.example.com/scep \
  --challenge <challenge-password> \
  --csr request.csr -o cert.pem

Planned commands

Exit codes