SPORK CA Documentation

Pure Rust Certificate Authority for post-quantum cryptography migration. Enterprise PKI without C dependencies.

Getting Started

| Guide | Description | Time |
|---|---|---|
| How It Works | Architecture, PKI hierarchy, protocols, security model | 15 min |
| Install Guide | Download, verify, and install any SPORK package | 5 min |
| Quick Start | Initialize a CA, issue a certificate, set up revocation | 10 min |
| ACME Install Guide | Full install guide for the standalone ACME server | 15 min |
| ACME Server Setup | Run your own Let's Encrypt-compatible CA with certbot | 10 min |
| Configuration Reference | CLI flags, environment variables, config file, mTLS | Reference |
| Upgrade Guide | Upgrade from a previous version | 5 min |

ACME Server Documentation

| Guide | Description |
|---|---|
| Overview | ACME server architecture and capabilities |
| Installation | Standalone ACME server deployment |
| Quick Start | Get ACME running in minutes |
| Integration | certbot, win-acme, IIS, Apache, nginx integration |
| Operations | Monitoring, backup, scaling, troubleshooting |
| Security | TLS configuration, access control, key management |
| PQC Guide | Post-quantum cryptography with ACME |
| Windows CA | Cross-certification and subordination with AD CS |
| WebUI | Admin dashboard configuration |
| Troubleshooting | Common issues and solutions |

Packages

| Package | Description | License |
|---|---|---|
| spork-client | CLI tool for PKI operations (probe, inspect, ACME client, TLS verify) | Apache-2.0 |
| spork-ca | Full CA server suite: shell, ACME, EST, SCEP, CMP, OCSP, CRL, API, TUI, WebUI, Sign, TSA | BSL-1.1 |
| spork-acme-server | Standalone ACME/Let's Encrypt server with built-in CA and WebUI | BSL-1.1 |
| spork-est-server | RFC 7030/8295 EST enrollment server | BSL-1.1 |
| spork-scep-server | RFC 8894 SCEP enrollment server for MDM/device enrollment | BSL-1.1 |
| spork-sign | Code signing service (CMS/PKCS#7, Authenticode) | BSL-1.1 |
| spork-tsa-server | RFC 3161 time-stamp authority server | BSL-1.1 |
| spork-update | In-place binary update for existing CA installations | BSL-1.1 |

Platform Support

All packages are statically linked (musl). No runtime dependencies.

| Platform | Architecture | Packages |
|---|---|---|
| Rocky Linux / RHEL / CentOS 8+ | x86_64 | All |
| Ubuntu 18.04+ | x86_64 | All |
| Debian 10+ | x86_64 | All |
| Amazon Linux 2+ | x86_64 | All |
| Alpine Linux 3.12+ | x86_64 | All |
| SUSE / openSUSE 15+ | x86_64 | All |
| Windows 10/11, Server 2019+ | x86_64 | spork-client only |

Cryptography

All pure Rust. No OpenSSL. No liboqs. FIPS 140-3 enabled by default (aws-lc-rs, NIST Cert #4816). Non-FIPS pure Rust mode via runtime toggle.

| Type | Algorithms |
|---|---|
| Classical ECDSA | P-256, P-384 |
| Classical RSA | RSA 2048/3072/4096, RSA-PSS 3072/4096 |
| Classical EdDSA | Ed25519 (RFC 8410) |
| Post-Quantum (FIPS 204) | ML-DSA-44, ML-DSA-65, ML-DSA-87 |
| Post-Quantum (FIPS 205) | SLH-DSA-SHA2-128s, 192s, 256s |
| Hybrid Composites | ML-DSA-44+P-256, ML-DSA-65+P-256, ML-DSA-65+P-384, ML-DSA-87+P-384 |

Protocol Support

| Protocol | RFC | Status |
|---|---|---|
| ACME | RFC 8555 | Complete (HTTP-01, DNS-01, TLS-ALPN-01) |
| EST | RFC 7030, 8295 | Complete |
| SCEP | RFC 8894 | Complete |
| CMP | RFC 9810 | Complete |
| OCSP | RFC 6960 | Complete |
| CRL | RFC 5280 | Complete |
| TSA | RFC 3161 | Complete |
| DANE | RFC 6698 | Complete |

Security