QUANTUM NEXUM

Quickstart

Root CA — subordinate CA — first certificate in five minutes.

Prerequisites

Requirement  Notes
Platform     Linux x86_64. macOS and Windows builds depend on demand.
Runtime      None — single static binary.
OpenSSL      Optional, for independent verification.

1. Install

Spork is alpha; public downloads aren't available yet. If you have a concrete use case and want an early build, email hello@quantumnexum.com with a short description.

Once you have the binary, extract and place it on your PATH:

tar xzf spork-linux-x86_64.tar.gz
sudo install -m 755 spork /usr/local/bin/spork

2. Initialize a root CA

Use spork init to create a new CA directory. The example below uses ML-DSA-87 (NIST category 5):

spork init \
  --type root \
  --algorithm mldsa87 \
  --subject "CN=My Root CA,O=Example Org,C=US" \
  --validity-years 20 \
  --out ./pki/root

Spork creates the CA directory, generates the key pair, and writes a self-signed certificate. Files produced:

./pki/root/ca.crt        self-signed root certificate
./pki/root/ca.key        encrypted private key
./pki/root/spork.db      certificate database

To use ECDSA instead, pass --algorithm ecdsa-p384. See the configuration reference for all supported algorithms.

3. Create a subordinate CA

A subordinate (issuing) CA signs end-entity certificates. Sign it with the root CA you just created:

spork init \
  --type subordinate \
  --algorithm mldsa65 \
  --subject "CN=Issuing CA,O=Example Org,C=US" \
  --validity-years 10 \
  --issuer ./pki/root \
  --out ./pki/issuing

4. Issue a certificate

Generate a key and CSR for your server, then issue a certificate using the issuing CA:

# Generate a key and CSR (using OpenSSL)
openssl ecparam -name secp384r1 -genkey -out server.key
openssl req -new -key server.key -out server.csr \
  -subj "/CN=example.com/O=Example Org/C=US"

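# Issue the certificate (the CSR above has no SAN, so one is supplied here)
spork issue \
  --ca ./pki/issuing \
  --csr server.csr \
  --profile tls-server \
  --san DNS:example.com \
  --validity-days 365 \
  --out server.crt

The tls-server profile sets the serverAuth EKU and requires a Subject Alternative Name. The CSR generated above carries no SAN, which is why the spork issue call passes --san DNS:example.com; the flag is only needed when your CSR lacks a SAN.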

5. Verify the chain

Use Spork's built-in verification:

spork verify \
  --cert server.crt \
  --chain ./pki/issuing/ca.crt \
  --trust ./pki/root/ca.crt

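Or independently with OpenSSL. Because the CA certificates in this example are signed with ML-DSA, this needs an OpenSSL build that supports ML-DSA (native since OpenSSL 3.5):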

openssl verify \
  -CAfile ./pki/root/ca.crt \
  -untrusted ./pki/issuing/ca.crt \
  server.crt
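
Chain verification confirms the signatures, not that the leaf carries what the tls-server profile is described as setting. The script below is an added example, not part of Spork or of the original page: it reads openssl x509 -noout -text output and checks for the serverAuth EKU, an exact DNS SAN entry for the expected host, and the absence of CA:TRUE. The function names and sample text are constructed for illustration, and wildcard SAN entries are deliberately not matched.

```shell
#!/bin/sh
# Added example (not Spork code): post-issuance check of a TLS leaf certificate.

# check_leaf_text HOST
# Reads `openssl x509 -noout -text` output on stdin and checks the properties
# the tls-server profile is described as setting, plus that the leaf is not a CA.
# Prints one line per failed check; returns 0 only when every check passes.
check_leaf_text() {
  host=$1
  text=$(cat)
  rc=0
  # openssl prints each extension's value on the line after its header.
  san=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/ {getline; print; exit}')
  eku=$(printf '%s\n' "$text" | awk '/Extended Key Usage/ {getline; print; exit}')
  # Exact, whole-entry match: "DNS:example.com.evil.test" must not pass.
  printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$host" ||
    { echo "FAIL: no SAN entry DNS:$host"; rc=1; }
  case $eku in
    *"TLS Web Server Authentication"*) ;;   # OpenSSL's name for serverAuth
    *) echo "FAIL: serverAuth EKU missing"; rc=1 ;;
  esac
  case $text in
    *CA:TRUE*) echo "FAIL: leaf certificate is marked CA:TRUE"; rc=1 ;;
  esac
  return "$rc"
}

# check_leaf CERT HOST: same checks on a certificate file. If openssl cannot
# read the file, the text is empty and the checks fail closed.
check_leaf() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | check_leaf_text "$2"
}

# Constructed samples of the extensions section (not output from a real run).
SAMPLE_OK='            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com'
SAMPLE_NO_SAN='            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

printf '%s\n' "$SAMPLE_OK" | check_leaf_text example.com && echo "sample: ok"
printf '%s\n' "$SAMPLE_NO_SAN" | check_leaf_text example.com || echo "sample: rejected"
```

Against the files from this quickstart the call would be check_leaf server.crt example.com.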

Next steps