SPORK Downloads
Pure Rust Certificate Authority engine and ACME server with post-quantum cryptography support.
Linux x86_64 (static musl) + Windows x86_64 | SHA3-256 verified
SPORK CA Engine
v0.3.0-beta.11 | 5,285 tests passing | 0 warnings | 0 clippy warnings
The CA engine is a standalone project (split from the spork-ca monorepo). ACME and WebUI are separate projects. The CA engine provides OCSP, CRL, EST, SCEP, CMP, Shell, API, Sign, TSA, TUI, and the setup wizard.
| Package | Description | Size | License |
|---|---|---|---|
| spork-ca | Full CA server suite (12 binaries: OCSP, CRL, EST, SCEP, CMP, Shell, API, Sign, TSA, TUI) | 34 MB | BSL-1.1 |
| spork-est-server | EST enrollment server (RFC 7030/8295) | 4.0 MB | BSL-1.1 |
| spork-scep-server | SCEP enrollment server (RFC 8894) | 3.9 MB | BSL-1.1 |
| spork-sign | Code signing service (CMS/PKCS#7, Authenticode) | 4.4 MB | BSL-1.1 |
| spork-tsa-server | RFC 3161 time-stamp authority server | 4.4 MB | BSL-1.1 |
Client Packages
| Package | Platform | Size | License |
|---|---|---|---|
| spork-client (Linux) | Linux x86_64 | 4.7 MB | Apache-2.0 |
| spork-client (Windows) | Windows x86_64 | 11 MB | Apache-2.0 |
Update Package
| Package | Description | Size | License |
|---|---|---|---|
| spork-update | Binary update for existing CA installations (stops services, replaces binaries, restarts) | 34 MB | BSL-1.1 |
Quick Install
# Full CA suite
curl -sSLO https://rayketcham.com/CRLs/sp0rk/static/spork-ca-0.3.0-beta.11-linux-x86_64-installer
chmod +x spork-ca-0.3.0-beta.11-linux-x86_64-installer
sudo ./spork-ca-0.3.0-beta.11-linux-x86_64-installer
# CLI client only
curl -sSLO https://rayketcham.com/CRLs/sp0rk/static/spork-client-0.3.0-beta.11-linux-x86_64-installer
chmod +x spork-client-0.3.0-beta.11-linux-x86_64-installer
./spork-client-0.3.0-beta.11-linux-x86_64-installer
Verify Integrity
# Self-verification (SHA3-256)
./spork-ca-0.3.0-beta.11-linux-x86_64-installer --verify
# Manual checksum verification
curl -sSL https://rayketcham.com/CRLs/sp0rk/static/SHA3SUMS | grep spork-ca
Checksums: SHA3SUMS | SHA256SUMS
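The manual check above only prints the published line; it does not compare it with the downloaded file. As an added example (not part of the SPORK tooling), this Python code does the comparison and fails closed. It assumes SHA3SUMS uses the coreutils-style `<hex digest>  <file name>` layout, and the file contents below are a constructed stand-in.

```python
import hashlib, hmac, os, tempfile

NAME = "spork-ca-0.3.0-beta.11-linux-x86_64-installer"  # file name from the page

def parse_sums(text):
    """Parse '<hex digest>  <file name>' lines (assumed layout of SHA3SUMS)."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums

def sha3_256_file(path, chunk=1 << 20):
    """Stream the file so a 34 MB installer is never held in memory at once."""
    h = hashlib.sha3_256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, sums_text):
    """True only when the file is listed and its SHA3-256 digest matches."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False  # fail closed: an unlisted file is not "verified"
    return hmac.compare_digest(sha3_256_file(path), expected)

def demo():
    """Constructed stand-in file and sums text; no network access."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, NAME)
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for the installer\n")
        sums = sha3_256_file(path) + "  " + NAME + "\n"
        intact = verify(path, sums)
        with open(path, "ab") as f:
            f.write(b"one appended byte changes the digest")
        return intact, verify(path, sums), verify(path, "")

if __name__ == "__main__":
    print(demo())
```

A checksum file served from the same host as the installer detects corruption and truncation, not a compromised download server.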
What's New in 0.3.0-beta.11
- Project split — spork-web (Admin WebUI) and spork-acme (ACME server) extracted to standalone repositories; CA engine is now 25 crates
- Enrollment module relocated — admin bootstrap and PFX handling moved from spork-web to spork-shell
- Metrics cleanup — removed acme_orders and spork_acme_* Prometheus metrics from CA engine
- Installer cleanup — removed ACME/Web binary discovery, systemd units, and setup paths from installer
- Smaller packages — CA installer dropped from 49 MB to 34 MB (no more ACME/Web binaries)
- 5,285 tests, 0 clippy warnings, 48 ignored (external deps)
Previous: 0.3.0-beta.9
- FIPS test cfg gates — tests using Ed25519/RSA-2048 gated with #[cfg(not(feature = "fips"))]
- Health page improvements — short-lived certs excluded from CRITICAL alerts, system resource metrics
- CI hardening — PostgreSQL setup no longer requires sudo
- 6,070 tests, 0 clippy warnings
SPORK ACME Server (Standalone)
v0.4.0-beta.9 | 1,468 tests passing | 0 warnings | 0 clippy warnings | CI green
The ACME server is a standalone project (split from the spork-ca monorepo). RFC 8555-compliant, certbot-compatible out of the box, with built-in micro-CA, admin dashboard, and interactive setup wizard. FIPS 140-3 enabled by default (aws-lc-rs, NIST Cert #4816). 5 deployment modes: 2-tier, 3-tier, subordinate to Windows CA, WinRM bridge, import PFX.
| Package | Description | Size | License |
|---|---|---|---|
| spork-acme (Linux) | Standalone ACME server binary — static musl, FIPS 140-3 default, no dependencies | 18 MB | BSL-1.1 |
Quick Install (ACME Standalone)
# Download the standalone ACME binary
curl -fSL -o spork-acme \
https://rayketcham.com/CRLs/sp0rk/static/spork-acme-0.4.0-beta.9-linux-x86_64
chmod +x spork-acme
# Run the interactive setup wizard (requires root)
sudo ./spork-acme
# Or install to /opt/spork-acme and start as a service
sudo cp spork-acme /usr/local/bin/
sudo spork-acme
What's New in 0.4.0-beta.9
- RSA 3072 detection fix — CA certificates with RSA 3072 keys are now correctly identified (was misdetected as RSA 2048 due to raw byte-length guessing instead of DER modulus parsing)
- RSA-PSS & Ed25519 detection — detect_algorithm_from_cert() now handles RSA-PSS (id-RSASSA-PSS) and Ed25519 (RFC 8410) CA certificates
- Algorithm parser expansion — --algorithm flag now accepts rsa3072, rsa3072pss, rsa4096pss, and ed25519
- 1,468 tests, 0 clippy warnings, CI green
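The RSA 3072 fix above rests on the difference between the encoded length of a key and the size of its modulus. As an added example (not SPORK's code; the function names are hypothetical and the sample keys are constructed, with a synthetic modulus), this Python code reads the modulus out of a DER SubjectPublicKeyInfo and reports its bit length next to the encoded length.

```python
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Bit length of the modulus inside a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki, 0)            # SEQUENCE SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = read_tlv(body, 0)               # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(body, pos)          # BIT STRING subjectPublicKey
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("bad BIT STRING")
    _, key, _ = read_tlv(bits[1:], 0)           # SEQUENCE RSAPublicKey
    tag, modulus, _ = read_tlv(key, 0)          # INTEGER modulus
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(value)
    hdr = bytes([n]) if n < 0x80 else (
        bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + hdr + value

def sample_spki(bits):
    """Constructed SPKI: synthetic modulus of the given size, e = 65537."""
    ints = [(1 << (bits - 1)) | 1, 65537]
    body = b"".join(tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in ints)
    return tlv(0x30, RSA_ALG_ID + tlv(0x03, b"\x00" + tlv(0x30, body)))

def demo():
    """(key size, encoded SPKI length in bytes, parsed modulus bits) per sample."""
    return [(b, len(sample_spki(b)), rsa_modulus_bits(sample_spki(b))) for b in (2048, 3072, 4096)]
```

The encoded length carries tag, length, exponent and algorithm-identifier bytes, so only the parsed modulus gives the key size.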
Previous: 0.4.0-beta.8
- Wildcard cert matching — wildcard certificate requests (e.g. *.rk.local) now correctly match wildcard allow-domain patterns
- Email domain policy — account contact emails must match allowed domain patterns; rejects registration from unauthorized domains
- CI entropy fix — FIPS keygen preflight tests no longer depend on CI runner entropy quality
Previous: 0.4.0-beta.7
- DNS resolver fix — hickory-resolver no longer inherits search domains from resolv.conf, preventing FQDN mangling during challenge validation
- SSRF filter removal — removed non-RFC IP filtering that blocked internal domain validation on RFC1918 networks
- Verbose domain logging — structured tracing for domain policy decisions
Previous: 0.4.0-beta.5
- File-based persistence — orders and certificates now survive server restarts (JSON + DER on disk with in-memory cache)
Previous: 0.4.0-beta.4
- Installation manager menu persistence — Status, Configure, Backup, and Security actions now return to the menu instead of exiting
- Entropy health test resilience — SP 800-90B health check uses larger sample (4096 bytes) with retry logic
Enterprise CA Trust Hierarchy
3-tier PKI: 23 Certificate Authorities across 5 policy domains. FIPS 204/205 compliant. DC-style LDAP Distinguished Names.
SPORK Root CA (P-384, 25 year, pathlen=2)
├── TLS Policy CA (P-384, 10 year, pathlen=1)
│ ├── TLS Web Server Issuing CA (P-256, 5 year)
│ ├── TLS API Issuing CA (P-256, 5 year)
│ ├── TLS VPN Issuing CA (P-256, 5 year)
│ └── TLS Client Auth Issuing CA (P-256, 5 year)
├── Code Signing Policy CA (P-384, 10 year, pathlen=1)
│ ├── Software Signing Issuing CA (P-256, 5 year)
│ ├── Driver Signing Issuing CA (P-256, 5 year)
│ └── Timestamp Authority CA (P-256, 5 year)
├── S/MIME Policy CA (P-384, 10 year, pathlen=1)
│ ├── Corporate Email Issuing CA (P-256, 5 year)
│ ├── Partner Email Issuing CA (P-256, 5 year)
│ └── Executive Email Issuing CA (P-256, 5 year)
├── Device Policy CA (P-384, 10 year, pathlen=1)
│ ├── Workstation Issuing CA (P-256, 5 year)
│ ├── Mobile Device Issuing CA (P-256, 5 year)
│ └── Network Equipment Issuing CA (P-256, 5 year)
└── Identity Policy CA (P-384, 10 year, pathlen=1)
  ├── Employee Identity Issuing CA (P-256, 5 year)
  ├── Contractor Identity Issuing CA (P-256, 5 year)
  ├── Service Account Issuing CA (P-256, 5 year)
  └── Federation Partner Issuing CA (P-256, 5 year)
Root CA
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK Root CA | ECDSA P-384 | 2026-02-15 to 2051-02-15 | PEM / CRT |
TLS Domain (5 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK TLS Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK TLS Web Server Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK TLS API Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK TLS VPN Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK TLS Client Auth Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
Code Signing Domain (4 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK Code Signing Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK Software Signing Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Driver Signing Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Timestamp Authority CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
Code Signing domain chain bundle (P7B)
S/MIME Domain (4 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK S/MIME Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK Corporate Email Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Partner Email Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Executive Email Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
S/MIME domain chain bundle (P7B)
Device Domain (4 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK Device Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK Workstation Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Mobile Device Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Network Equipment Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
Device domain chain bundle (P7B)
Identity Domain (5 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK Identity Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK Employee Identity Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Contractor Identity Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Service Account Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Federation Partner Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
Identity domain chain bundle (P7B)
CA Bundles
| Bundle | Contents | Download |
|---|---|---|
| Full CA Bundle | All 23 CAs (Root + 5 Policy + 17 Issuing) | PEM / P7B |
| TLS Chain | Root + TLS Policy + 4 TLS Issuing CAs | P7B |
| Code Signing Chain | Root + Code Signing Policy + 3 Issuing CAs | P7B |
| S/MIME Chain | Root + S/MIME Policy + 3 Issuing CAs | P7B |
| Device Chain | Root + Device Policy + 3 Issuing CAs | P7B |
| Identity Chain | Root + Identity Policy + 4 Issuing CAs | P7B |
CRL Distribution
| CRL | Download |
|---|---|
| Root CA | DER |
| TLS Policy CA | DER |
| TLS Web Server Issuing CA | DER |
| TLS API Issuing CA | DER |
| TLS VPN Issuing CA | DER |
| TLS Client Auth Issuing CA | DER |
| Code Signing Policy CA | DER |
| Software Signing Issuing CA | DER |
| Driver Signing Issuing CA | DER |
| Timestamp Authority CA | DER |
| S/MIME Policy CA | DER |
| Corporate Email Issuing CA | DER |
| Partner Email Issuing CA | DER |
| Executive Email Issuing CA | DER |
| Device Policy CA | DER |
| Workstation Issuing CA | DER |
| Mobile Device Issuing CA | DER |
| Network Equipment Issuing CA | DER |
| Identity Policy CA | DER |
| Employee Identity Issuing CA | DER |
| Contractor Identity Issuing CA | DER |
| Service Account Issuing CA | DER |
| Federation Partner Issuing CA | DER |
Cryptography
| Category | Algorithms |
|---|---|
| Classical | ECDSA P-256/P-384, RSA 2048/3072/4096, RSA-PSS 3072/4096, Ed25519 |
| Post-Quantum (FIPS 204) | ML-DSA-44, ML-DSA-65, ML-DSA-87 |
| Post-Quantum (FIPS 205) | SLH-DSA-SHA2-128s, 192s, 256s |
| Hybrid | ML-DSA + ECDSA composite signatures |
Previous Versions
v0.4.0-beta.8 ACME | v0.4.0-beta.5 ACME | v0.4.0-beta.4 ACME | v0.3.0-beta.9 CA | v0.3.0-beta.9 Client