SPORK Downloads
Pure Rust Certificate Authority engine and ACME server with post-quantum cryptography support.
Linux x86_64 (static musl) + Windows x86_64 | SHA3-256 verified
SPORK CA Engine
v0.3.0-beta.15 | 5,285 tests passing | 0 warnings | 0 clippy warnings
The CA engine is a standalone project (split from the spork-ca monorepo). ACME and WebUI are separate projects. The CA engine provides OCSP, CRL, Shell, API, TUI, and the setup wizard. EST, SCEP, Sign, and TSA are now separate repos.
| Package | Description | Size | License |
|---|---|---|---|
| spork-ca | Full CA server suite (8 binaries: OCSP, CRL, Shell, API, TUI, Setup, DB) | 19 MB | BSL-1.1 |
Client Packages
| Package | Platform | Size | License |
|---|---|---|---|
| spork-client (Linux) | Linux x86_64 | 4.5 MB | Apache-2.0 |
| spork-client (Windows) | Windows x86_64 | 11 MB | Apache-2.0 |
Update Package
| Package | Description | Size | License |
|---|---|---|---|
| spork-update | Binary update for existing CA installations (stops services, replaces binaries, restarts) | 19 MB | BSL-1.1 |
Quick Install
```bash
# Full CA suite
curl -sSLO https://rayketcham.com/CRLs/sp0rk/static/spork-ca-0.3.0-beta.15-linux-x86_64-installer
chmod +x spork-ca-0.3.0-beta.15-linux-x86_64-installer
sudo ./spork-ca-0.3.0-beta.15-linux-x86_64-installer

# CLI client only
curl -sSLO https://rayketcham.com/CRLs/sp0rk/static/spork-client-0.3.0-beta.15-linux-x86_64-installer
chmod +x spork-client-0.3.0-beta.15-linux-x86_64-installer
./spork-client-0.3.0-beta.15-linux-x86_64-installer
```
Verify Integrity
```bash
# Self-verification (SHA3-256)
./spork-ca-0.3.0-beta.15-linux-x86_64-installer --verify

# Manual checksum verification
curl -sSL https://rayketcham.com/CRLs/sp0rk/static/SHA3SUMS | grep spork-ca
```
Checksums: SHA3SUMS | SHA256SUMS
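The manual check above only prints the published digest. As an added example (not part of the SPORK project or this page's own commands), the helper below computes the local SHA3-256 and compares it with the matching SHA3SUMS entry. It assumes the list uses sha256sum-style `<hex>  <filename>` lines, which the page does not confirm; `sha3_256_hex` and `verify_sha3` are names chosen here.

```bash
#!/usr/bin/env bash
# Added example. Assumes SHA3SUMS uses sha256sum-style lines:
#   <hex digest>  <filename>      (format not confirmed by the page)

# Print the SHA3-256 hex digest of a file (openssl if present, else python3).
sha3_256_hex() {
    if command -v openssl >/dev/null 2>&1; then
        # -r prints "<hex> *<file>"; keep only the digest field
        openssl dgst -sha3-256 -r "$1" 2>/dev/null | cut -d' ' -f1
    elif command -v python3 >/dev/null 2>&1; then
        python3 -c 'import hashlib, sys
print(hashlib.sha3_256(open(sys.argv[1], "rb").read()).hexdigest())' "$1"
    fi
}

# verify_sha3 FILE SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if the check could not be performed.
verify_sha3() {
    local file=$1 sums=$2 name expected actual
    name=$(basename "$file")
    # Match the filename field exactly (a substring grep could pick the wrong
    # line); tolerate the "*" binary-mode marker some tools emit.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha3_256_hex "$file")
    if [ -z "$actual" ]; then
        echo "could not compute SHA3-256 for $file" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
    else
        echo "MISMATCH: $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}
```

Run it before `chmod +x` and `sudo`, for example `verify_sha3 ./spork-ca-0.3.0-beta.15-linux-x86_64-installer ./SHA3SUMS`. A checksum list fetched from the same origin as the installer detects corruption or a partial download, not a compromise of that origin.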
What's New in 0.3.0-beta.15
- Repo split complete — enrollment, services (EST/SCEP/Sign/TSA), and signing extracted to separate repos; CA engine is now a focused core
- Entropy hardening — 4096-byte entropy samples, 6-sigma distribution threshold for FIPS preflight
- Smaller installers — CA installer dropped from 34 MB to 19 MB (split-out binaries removed)
- CI improvements — cargo-deny, cargo-audit, workspace-scoped clippy, failure auto-issue tracking
- APT/DNF packaging — .deb and .rpm package builds for spork-ca (beta.12+)
- 5,285 tests, 0 clippy warnings
Previous: 0.3.0-beta.11
- Project split — spork-web (Admin WebUI) and spork-acme (ACME server) extracted to standalone repositories; CA engine is now 25 crates
- Enrollment module relocated — admin bootstrap and PFX handling moved from spork-web to spork-shell
- Metrics cleanup — removed acme_orders and spork_acme_* Prometheus metrics from CA engine
- Installer cleanup — removed ACME/Web binary discovery, systemd units, and setup paths from installer
- Smaller packages — CA installer dropped from 49 MB to 34 MB (no more ACME/Web binaries)
- 5,285 tests, 0 clippy warnings, 48 ignored (external deps)
Previous: 0.3.0-beta.9
- FIPS test cfg gates — tests using Ed25519/RSA-2048 gated with `#[cfg(not(feature = "fips"))]`
- Health page improvements — short-lived certs excluded from CRITICAL alerts, system resource metrics
- CI hardening — PostgreSQL setup no longer requires sudo
- 6,070 tests, 0 clippy warnings
SPORK ACME Server (Standalone)
v0.5.2 | 2,855 tests passing | 0 warnings | 0 clippy warnings | CI green (17/17 jobs)
Multi-protocol certificate server: ACME (RFC 8555), EST (RFC 7030), and SCEP (RFC 8894) in one binary. certbot-compatible, built-in micro-CA, admin dashboard, interactive setup wizard. FIPS 140-3 enabled by default (aws-lc-rs, NIST Cert #4816). Three signing backends: micro-CA (local), Windows CA (WinRM bridge), NDES (SCEP bridge). 5 deployment modes: 2-tier, 3-tier, subordinate to Windows CA, WinRM bridge, import PFX.
| Package | Description | Size | License |
|---|---|---|---|
| spork-acme (Linux) | Multi-protocol cert server (ACME + EST + SCEP) — self-extracting installer, static musl, FIPS 140-3 default, SHA3-256 integrity verification | 9 MB | BSL-1.1 (Apache-2.0 conversion) |
Quick Install (ACME Standalone)
```bash
# Download the installer
curl -fSL -o spork-acme-installer \
  https://rayketcham.com/CRLs/sp0rk/static/spork-acme-server-0.5.2-linux-x86_64-installer
chmod +x spork-acme-installer

# Verify integrity (SHA3-256)
./spork-acme-installer --verify

# Run the interactive setup wizard (requires root)
sudo ./spork-acme-installer
```
The installer verifies its own integrity, extracts the binary to /opt/spork-acme/bin/,
and launches the interactive setup wizard. See setup wizard screenshots.
What's New in 0.5.2
- OCSP stapling — server TLS certificate automatically staples OCSP responses for CA-issued certs with background refresh
- OCSP responder — full RFC 6960 responder with POST and GET endpoints, SHA-1/SHA-256 issuer hash, nonce echo, TTL caching, 3 Prometheus metrics
- SCEP EnvelopedData — RFC 5652 §6 AES-256-CBC content encryption with RSA PKCS#1 v1.5 key transport for SCEP request/response envelopes
- Security hardening — constant-time EST authentication, /health split (public vs authenticated), /metrics auth required, domain policy enforcement for EST and SCEP, rate limiting (600/min per-IP, 300/min per-account)
- Self-extracting installer — new packaging format with SHA3-256 integrity verification, down from 19 MB to 9 MB
Previous: 0.5.0
- Three protocols, one binary — ACME (RFC 8555) + EST (RFC 7030) + SCEP (RFC 8894) all served from a single process
- SCEP frontend — full RFC 8894 endpoint with CMS SignedData envelope processing, Microsoft NDES client compatibility
- EST enrollment — RFC 7030 `/.well-known/est/` endpoints: cacerts, simpleenroll, simplereenroll, csrattrs
- Windows CA bridge — certificate-based WinRM authentication for AD CS subordinate mode
- First GitHub Release — automated release pipeline with SBOM, checksums, .deb/.rpm packages
- 2,855 tests, 0 clippy warnings, FIPS 140-3 default
Previous: 0.4.0-beta.9
- RSA 3072 detection fix — CA certificates with RSA 3072 keys correctly identified
- RSA-PSS & Ed25519 detection — handles RSA-PSS and Ed25519 CA certificates
- Algorithm parser expansion — `--algorithm` flag accepts `rsa3072`, `rsa3072pss`, `rsa4096pss`, `ed25519`
Previous: 0.4.0-beta.8
- Wildcard cert matching — wildcard certificate requests correctly match wildcard allow-domain patterns
- Email domain policy — account contact emails must match allowed domain patterns
Previous: 0.4.0-beta.5
- File-based persistence — orders and certificates survive server restarts
Enterprise CA Trust Hierarchy
3-tier PKI: 23 Certificate Authorities across 5 policy domains. FIPS 204/205 compliant. DC-style LDAP Distinguished Names.
SPORK Root CA (P-384, 25 year, pathlen=2)
├── TLS Policy CA (P-384, 10 year, pathlen=1)
│ ├── TLS Web Server Issuing CA (P-256, 5 year)
│ ├── TLS API Issuing CA (P-256, 5 year)
│ ├── TLS VPN Issuing CA (P-256, 5 year)
│ └── TLS Client Auth Issuing CA (P-256, 5 year)
├── Code Signing Policy CA (P-384, 10 year, pathlen=1)
│ ├── Software Signing Issuing CA (P-256, 5 year)
│ ├── Driver Signing Issuing CA (P-256, 5 year)
│ └── Timestamp Authority CA (P-256, 5 year)
├── S/MIME Policy CA (P-384, 10 year, pathlen=1)
│ ├── Corporate Email Issuing CA (P-256, 5 year)
│ ├── Partner Email Issuing CA (P-256, 5 year)
│ └── Executive Email Issuing CA (P-256, 5 year)
├── Device Policy CA (P-384, 10 year, pathlen=1)
│ ├── Workstation Issuing CA (P-256, 5 year)
│ ├── Mobile Device Issuing CA (P-256, 5 year)
│ └── Network Equipment Issuing CA (P-256, 5 year)
└── Identity Policy CA (P-384, 10 year, pathlen=1)
├── Employee Identity Issuing CA (P-256, 5 year)
├── Contractor Identity Issuing CA (P-256, 5 year)
├── Service Account Issuing CA (P-256, 5 year)
└── Federation Partner Issuing CA (P-256, 5 year)
Root CA
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK Root CA | ECDSA P-384 | 2026-02-15 to 2051-02-15 | PEM / CRT |
TLS Domain (5 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK TLS Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK TLS Web Server Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK TLS API Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK TLS VPN Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK TLS Client Auth Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
Code Signing Domain (4 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK Code Signing Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK Software Signing Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Driver Signing Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Timestamp Authority CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
Code Signing domain chain bundle (P7B)
S/MIME Domain (4 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK S/MIME Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK Corporate Email Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Partner Email Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Executive Email Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
S/MIME domain chain bundle (P7B)
Device Domain (4 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK Device Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK Workstation Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Mobile Device Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Network Equipment Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
Device domain chain bundle (P7B)
Identity Domain (5 CAs)
| Certificate Authority | Algorithm | Validity | Download |
|---|---|---|---|
| SPORK Identity Policy CA | ECDSA P-384 | 2026-02-15 to 2036-02-15 | PEM / CRT |
| SPORK Employee Identity Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Contractor Identity Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Service Account Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
| SPORK Federation Partner Issuing CA | ECDSA P-256 | 2026-02-15 to 2031-02-15 | PEM / CRT |
Identity domain chain bundle (P7B)
CA Bundles
| Bundle | Contents | Download |
|---|---|---|
| Full CA Bundle | All 23 CAs (Root + 5 Policy + 17 Issuing) | PEM / P7B |
| TLS Chain | Root + TLS Policy + 4 TLS Issuing CAs | P7B |
| Code Signing Chain | Root + Code Signing Policy + 3 Issuing CAs | P7B |
| S/MIME Chain | Root + S/MIME Policy + 3 Issuing CAs | P7B |
| Device Chain | Root + Device Policy + 3 Issuing CAs | P7B |
| Identity Chain | Root + Identity Policy + 4 Issuing CAs | P7B |
CRL Distribution
| CRL | Download |
|---|---|
| Root CA | DER |
| TLS Policy CA | DER |
| TLS Web Server Issuing CA | DER |
| TLS API Issuing CA | DER |
| TLS VPN Issuing CA | DER |
| TLS Client Auth Issuing CA | DER |
| Code Signing Policy CA | DER |
| Software Signing Issuing CA | DER |
| Driver Signing Issuing CA | DER |
| Timestamp Authority CA | DER |
| S/MIME Policy CA | DER |
| Corporate Email Issuing CA | DER |
| Partner Email Issuing CA | DER |
| Executive Email Issuing CA | DER |
| Device Policy CA | DER |
| Workstation Issuing CA | DER |
| Mobile Device Issuing CA | DER |
| Network Equipment Issuing CA | DER |
| Identity Policy CA | DER |
| Employee Identity Issuing CA | DER |
| Contractor Identity Issuing CA | DER |
| Service Account Issuing CA | DER |
| Federation Partner Issuing CA | DER |
Cryptography
| Category | Algorithms |
|---|---|
| Classical | ECDSA P-256/P-384, RSA 2048/3072/4096, RSA-PSS 3072/4096, Ed25519 |
| Post-Quantum (FIPS 204) | ML-DSA-44, ML-DSA-65, ML-DSA-87 |
| Post-Quantum (FIPS 205) | SLH-DSA-SHA2-128s, 192s, 256s |
| Hybrid | ML-DSA + ECDSA composite signatures |
Previous Versions
v0.5.0 ACME | v0.4.0-beta.9 ACME | v0.4.0-beta.8 ACME | v0.4.0-beta.5 ACME | v0.4.0-beta.4 ACME | v0.3.0-beta.11 CA | v0.3.0-beta.9 CA | v0.3.0-beta.9 Client