Spork docs.
Working notes on installing, configuring, and operating a Spork-based post-quantum CA. Documentation lands incrementally alongside the binaries.
What's documented
- install: binary install on Linux x86_64
- configure: spork.toml schema and example configs
- init: generate root + issuing CAs
- issue: manual cert issuance via `spork issue`
- acme: run the ACME server (RFC 8555)
- est: run the EST server (RFC 7030)
- scep: run the SCEP server
- ocsp: run the OCSP responder
- crl: generate full + delta CRLs
- shell: interactive `spork-shell repl` workflows
- backup: back up CA private material safely
- hsm: SoftHSM and PKCS#11 integration notes
Quick orientation
If you just want to see Spork issue a certificate, the fastest path is:
```
spork init --root-algorithm ml-dsa-87 \
    --issuing-algorithm ml-dsa-65 \
    --org "Your Org" \
    --output ./pki
spork-shell repl ./pki
> ca list
> cert issue --profile tls --san example.com
> cert list
```
That gives you a working private PQ CA with one root and one issuing tier, in two commands.
Reading order for production
- install (get the binary on a server)
- configure (decide on algorithms and hierarchy)
- init (generate the CAs and store private material)
- backup (before anything else — if you lose root keys, the whole hierarchy is gone)
- acme / est / scep (pick whichever enrollment protocol your clients understand)
- crl + ocsp (so revocation works)
Status
Most of the above is drafted internally but not yet published here. If you're early-adopting Spork, ask for the doc you need by name at support@quantumnexum.com — doc requests jump the publishing queue.