CLI Reference

Complete command reference for the Spork CLI. All CA operations are performed through these commands.

Global Options

--config <path> Path to spork.toml configuration file
--verbose, -v Increase output verbosity (can repeat: -vv, -vvv)
--quiet, -q Suppress non-error output
--json Output in JSON format for scripting

spork init

Initialize a new Certificate Authority.

    spork init [OPTIONS]

    Options:
      --type <TYPE>         CA type: root, subordinate, policy [default: root]
      --algorithm <ALG>     Signature algorithm (see below)
      --subject <DN>        Subject distinguished name (RFC 4514)
      --validity-years <N>  Certificate validity in years [default: 10]
      --issuer <PATH>       Parent CA directory (required for subordinate)
      --out <PATH>          Output directory [default: ./ca]
      --passphrase          Prompt for key encryption passphrase

    Algorithms:
      # Classical
      ecdsa-p384            ECDSA with NIST P-384
      rsa-2048, rsa-4096    RSA with specified key size

      # Post-Quantum (FIPS 204)
      mldsa44               ML-DSA-44 (NIST Level 2)
      mldsa65               ML-DSA-65 (NIST Level 3)
      mldsa87               ML-DSA-87 (NIST Level 5)

      # Hybrid (classical + post-quantum)
      ecdsa-p384+mldsa65    ECDSA P-384 with ML-DSA-65 composite

Example: Create Classical Root CA

    spork init \
      --type root \
      --algorithm ecdsa-p384 \
      --subject "CN=Example Root CA,O=Example Inc,C=US" \
      --validity-years 20

Example: Create Post-Quantum Root CA

    spork init \
      --type root \
      --algorithm mldsa87 \
      --subject "CN=PQ Root CA,O=Example Inc,C=US" \
      --validity-years 20

spork issue

Issue a certificate from a Certificate Signing Request.

    spork issue [OPTIONS] --csr <FILE>

    Options:
      --ca <PATH>           CA directory [default: ./ca]
      --csr <FILE>          Certificate Signing Request file
      --profile <NAME>      Certificate profile: tls-server, tls-client, code-sign
      --validity-days <N>   Certificate validity [default: 365]
      --out <FILE>          Output certificate file [default: stdout]
      --san <SAN>           Additional Subject Alternative Name (can repeat)
      --copy-extensions     Copy extensions from CSR (use with caution)

Example: Issue TLS Server Certificate

    spork issue \
      --ca ./pki/issuing \
      --csr server.csr \
      --profile tls-server \
      --san DNS:www.example.com \
      --san DNS:example.com \
      --out server.crt

spork revoke

Revoke a certificate by serial number or file.

    spork revoke [OPTIONS] <CERT|SERIAL>

    Options:
      --ca <PATH>           CA directory [default: ./ca]
      --reason <REASON>     Revocation reason code [default: unspecified]
      --date <DATE>         Invalidity date (ISO 8601)

    Reason Codes:
      unspecified           No specific reason
      keyCompromise         Private key was compromised
      caCompromise          CA was compromised (only for CA certs)
      affiliationChanged    Subject name or affiliation changed
      superseded            Certificate replaced by newer one
      cessationOfOperation  Subject no longer operates
      certificateHold       Temporary suspension (can be unrevoked)

Example: Revoke Certificate

    # Revoke by serial number
    spork revoke --ca ./pki/issuing --reason keyCompromise 01:A3:4F:8B

    # Revoke by certificate file
    spork revoke --ca ./pki/issuing --reason superseded ./old-cert.crt

spork crl

Generate or update a Certificate Revocation List.

    spork crl [OPTIONS]

    Options:
      --ca <PATH>           CA directory [default: ./ca]
      --out <FILE>          Output CRL file [default: ca.crl]
      --validity-days <N>   CRL validity [default: 7]
      --delta               Generate delta CRL (v0.2.0+)
      --number <N>          Override CRL number

Example: Generate CRL

    spork crl --ca ./pki/issuing --validity-days 7 --out issuing-ca.crl

    CRL generated: issuing-ca.crl
    CRL Number: 42
    This Update: 2026-01-09T00:00:00Z
    Next Update: 2026-01-16T00:00:00Z
    Entries: 3 revoked certificates
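
A CRL is only useful while it is current, so a scheduled job that runs spork crl should also confirm that the result is fresh and that the CRL number moved forward. The following is an added example, not part of the Spork project: it parses the summary shown above, assuming one field per line, and the function names and the two-day threshold are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the `spork crl` summary from this page, one field per line (assumed layout).
SAMPLE_OUTPUT = """\
CRL generated: issuing-ca.crl
CRL Number: 42
This Update: 2026-01-09T00:00:00Z
Next Update: 2026-01-16T00:00:00Z
Entries: 3 revoked certificates
"""

def _ts(value):
    # Timestamps in the sample are UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_crl_summary(text):
    """Extract CRL number, update window and entry count from the summary text."""
    fields = dict(re.findall(r"^([A-Za-z ]+?):\s*(.+?)\s*$", text, re.MULTILINE))
    missing = {"CRL Number", "This Update", "Next Update", "Entries"} - fields.keys()
    if missing:
        raise ValueError(f"unexpected spork crl output, missing: {sorted(missing)}")
    return {
        "number": int(fields["CRL Number"]),
        "this_update": _ts(fields["This Update"]),
        "next_update": _ts(fields["Next Update"]),
        "entries": int(fields["Entries"].split()[0]),
    }

def check_crl(text, now, last_number=None, min_remaining=timedelta(days=2)):
    """Return a list of problems; an empty list means the CRL is fit to publish."""
    crl, problems = parse_crl_summary(text), []
    if now < crl["this_update"]:
        problems.append("thisUpdate is in the future (clock skew?)")
    if now >= crl["next_update"]:
        problems.append("CRL expired: relying parties may reject it or skip revocation checks")
    elif crl["next_update"] - now < min_remaining:
        problems.append("CRL close to nextUpdate: regenerate with spork crl")
    # A CRL number that fails to increase suggests a stale or rolled-back file.
    if last_number is not None and crl["number"] <= last_number:
        problems.append("CRL number did not increase (possible rollback or stale file)")
    return problems

if __name__ == "__main__":
    print(check_crl(SAMPLE_OUTPUT, datetime.now(timezone.utc), last_number=41))
```

Store the last published CRL number alongside the CA and pass it as last_number on each run.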

spork verify

Verify a certificate chain.

    spork verify [OPTIONS] --cert <FILE>

    Options:
      --cert <FILE>         Certificate to verify
      --chain <FILE>        Intermediate certificates (can repeat)
      --trust <FILE>        Trust anchor(s) (root CA)
      --crl <FILE>          CRL for revocation checking (can repeat)
      --purpose <PURPOSE>   Verify for specific purpose: serverAuth, clientAuth, codeSigning
      --at <DATE>           Verify at specific date (ISO 8601)

Example: Full Chain Verification

    spork verify \
      --cert server.crt \
      --chain ./pki/issuing/ca.crt \
      --trust ./pki/root/ca.crt \
      --crl issuing-ca.crl \
      --purpose serverAuth

    Certificate valid for serverAuth

spork list

List issued certificates.

    spork list [OPTIONS]

    Options:
      --ca <PATH>           CA directory [default: ./ca]
      --status <STATUS>     Filter: valid, revoked, expired, all [default: valid]
      --subject <PATTERN>   Filter by subject (glob pattern)
      --limit <N>           Maximum entries [default: 100]
      --format <FMT>        Output format: table, json, csv

Exit Codes

0 Success
1 General error
2 Invalid arguments
3 CA not found or inaccessible
4 Certificate/CSR parsing error
5 Verification failed
6 Cryptographic operation failed
7 Database error