Spork Documentation

Installation guides, configuration reference, and API documentation.

Installation

Requirements

  • Linux x64 (glibc 2.17+)
  • No runtime dependencies

Download

Spork is distributed as a single static binary. Downloads coming soon.

# Extract and install
tar xzf spork-pki-0.3.0-alpha.2-linux-x86_64.tar.gz
cd spork-pki-0.3.0-alpha.2
./spork-shell --version

Quick Start

Initialize a new CA with ML-DSA-65 (NIST security level 3):

# Initialize Root CA
spork init \
--type root \
--algorithm mldsa65 \
--subject "CN=My Root CA,O=Example,C=US" \
--validity-years 20

See the Quick Start tab for a complete walkthrough.

Configuration

Spork uses TOML for configuration. See the Configuration tab for full details.

# spork.toml

[ca]
path = "./pki/issuing"
algorithm = "ecdsa-p384"

[database]
type = "sqlite"
path = "spork.db"

[logging]
level = "info"
format = "json"

Root CA Setup

Initialize a post-quantum Root CA with ML-DSA-87 (NIST security level 5) for maximum longevity.

# Initialize Root CA with ML-DSA-87
spork init \
--type root \
--algorithm mldsa87 \
--subject "CN=Root CA,O=Example,C=US" \
--validity-years 20

Issuing CA Setup

Create an Issuing CA signed by your Root CA. Issuing CAs handle day-to-day certificate operations.

# Create Issuing CA signed by Root
spork init \
--type subordinate \
--algorithm mldsa65 \
--issuer ./pki/root \
--subject "CN=Issuing CA,O=Example,C=US" \
--validity-years 10

ACME Server

Spork includes a built-in ACME server compatible with certbot and other ACME clients. Standalone ACME server available in v0.3.0-alpha.2.

# Start ACME server
spork-acme --ca ./pki/issuing --bind 0.0.0.0:8443

EST Enrollment

RFC 7030 Enrollment over Secure Transport for enterprise certificate enrollment.

# Start EST server
spork-est --ca ./pki/issuing --bind 0.0.0.0:8444

SPORK CLI

The spork command is a modern replacement for OpenSSL certificate operations.

# View any PKI file (auto-detects type)
spork show server.crt
spork show myca.crl

# Probe TLS server (detects PQC hybrids)
spork probe server quantumnexum.com

# Certificate linting
spork lint server.crt

See the SPORK CLI tab for complete command reference.

ACME Client

Request certificates from any ACME CA (Let's Encrypt, SPORK ACME, etc.).

# Register ACME account
spork acme register \
--email admin@quantumnexum.com \
--server https://acme.quantumnexum.com/directory

# Order certificate
spork acme order quantumnexum.com www.quantumnexum.com

EST Client

Enterprise certificate enrollment via EST (RFC 7030).

# Enroll with HTTP Basic auth
spork est enroll \
--server https://est.quantumnexum.com/.well-known/est \
--auth basic --username device01 \
--csr request.csr -o cert.pem

More Documentation Coming

Additional guides and API reference are in progress. See the main Spork page for current feature documentation.