QuantumNexum PKI Suite

Enterprise PKI tools built entirely in Rust. Certificate inspection (PKI Client), certificate issuance (ACME + EST + SCEP), code signing (Authenticode, CMS, PowerShell), and timestamping (RFC 3161). No OpenSSL. Static binaries.

Getting Started

| Guide | Description | Time |
|---|---|---|
| PKI Client | Certificate CLI — inspect, lint, diff, probe, build PKI hierarchies | 5 min |
| PKI-CA-Engine Install | Download and run the CA engine binary | 5 min |
| ACME Quick Start | Setup wizard, certbot test, admin dashboard | 10 min |
| Architecture | Single binary, three protocols, three signers | 15 min |
| Configuration | CLI flags, environment variables, domain policy | Reference |
| Upgrade | Upgrade from a previous version | 5 min |

PKI Client Documentation

| Guide | Description |
|---|---|
| Overview & Quick Start | Full guide: 20 subcommands, output formats, hierarchy builder |
| Overview | PKI Client architecture and capabilities |
| Installation | Download, build, and deploy the pki binary |
| Command Reference | All 20 subcommands with usage examples |
| Examples | Real-world PKI workflows: TLS probe, hierarchy build, PQC migration |

ACME Server Documentation

| Guide | Description |
|---|---|
| Overview | ACME server architecture and capabilities |
| Installation | Standalone ACME server deployment |
| Quick Start | Get ACME running in minutes |
| Integration | certbot, win-acme, IIS, Apache, nginx integration |
| Operations | Monitoring, backup, scaling, troubleshooting |
| Security | TLS configuration, access control, key management |
| PQC Guide | Post-quantum cryptography with ACME |
| Windows CA | Cross-certification and subordination with AD CS |
| WebUI | Admin dashboard configuration |
| Troubleshooting | Common issues and solutions |

PKI Signing Service Documentation

| Guide | Description |
|---|---|
| Overview & Quick Start | Full guide: CLI signing, web service, TSA server, architecture |
| Overview | Signing service architecture and capabilities |
| Installation | Download, build, and deploy the signing binary |
| Quick Start | Sign your first file in 2 minutes |
| API Reference | REST API endpoints, request/response formats |
| Configuration | TOML config, auth modes, certificate groups |
| Security | Crypto stack, auth modes, audit logging, hardening |
| Operations | Certificate rotation, monitoring, troubleshooting |
| Troubleshooting | Common issues and solutions |

Feature Highlights

PKI Client (Certificate CLI)

| Feature | Description |
|---|---|
| 20 Subcommands | show, cert, key, csr, chain, crl, revoke, probe, diff, convert, compliance, dane, acme, est, scep, pki, batch, shell, completions, manpages |
| Auto-Detect | Automatically identifies certs, keys, CSRs, CRLs, PKCS#7, PKCS#12 |
| Hierarchy Builder | Build entire CA hierarchies from declarative TOML configuration |
| TLS Probing | Probe live servers with security grading, chain fetch, certificate linting |
| Post-Quantum | ML-DSA-44/65/87 certificate display with NIST Security Level |
| 4 Output Formats | text (human), json (scripting), compact (dashboards), forensic (hex dumps) |
| Compliance | FIPS 140-3, NIST SP 800-57, Federal Bridge validation |
| Interactive Shell | Tab completion, history, paste PEM directly |
| 2,137+ Tests | Unit tests + cross-validation interop suite against python3 cryptography |
| Static Binary | Single musl binary, no runtime dependencies, no OpenSSL |

PKI-CA-Engine (Certificate Server)

| Feature | Description |
|---|---|
| Three Protocols | ACME (RFC 8555), EST (RFC 7030), SCEP (RFC 8894) -- all on a single port |
| Certbot Compatible | Works with certbot, acme.sh, win-acme, and any RFC 8555 ACME client |
| FIPS 140-3 | Enabled by default via aws-lc-rs (NIST Cert #4816) |
| Post-Quantum | ML-DSA (FIPS 204), SLH-DSA (FIPS 205), hybrid composites |
| Encrypted Lockbox | CA private keys protected with AES-256-GCM + Argon2id key derivation |
| Domain Policy | Glob-pattern domain restrictions via domain-policy.toml, deny-by-default |
| Admin Dashboard | Web UI at /admin with Basic Auth + session cookies |
| Three Signers | Micro-CA (local), Windows CA (WinRM bridge), NDES (SCEP bridge) |
| Rate Limiting | Per-IP (600/min) and per-account (300/min) rate limits |
| Zero Dependencies | Single static binary (musl), 256 MB RAM, no runtime deps |

PKI Signing Service (Code Signing)

| Feature | Description |
|---|---|
| PE Authenticode | Sign EXE, DLL, SYS, OCX, SCR, CPL, DRV with embedded PKCS#7 |
| Detached CMS | Sign any file with a .p7s detached PKCS#7 signature |
| PowerShell Signing | PS1 scripts with Base64-encoded PKCS#7 signature blocks |
| RFC 3161 TSA | Built-in Time-Stamp Authority server (port 3318) and TSA client with failover |
| Post-Quantum | ML-DSA (FIPS 204), SLH-DSA (FIPS 205) signature algorithms |
| REST API | Code Signing as a Service with LDAP auth, audit logging, cert hot-reload |
| No OpenSSL | Pure Rust crypto stack. cargo-deny blocks OpenSSL at build time. |
| No signtool | Replaces Microsoft signtool.exe entirely on Linux |
| 531 Tests | Comprehensive unit tests with CI on every push |
| Static Binary | Single musl binary, no runtime dependencies |

Platform Support

All tools ship as single statically linked binaries (musl). No runtime dependencies.

| Platform | Architecture | Status |
|---|---|---|
| Rocky Linux / RHEL / CentOS 8+ | x86_64 | Supported |
| Ubuntu 18.04+ | x86_64 | Supported |
| Debian 10+ | x86_64 | Supported |
| Amazon Linux 2+ | x86_64 | Supported |
| Alpine Linux 3.12+ | x86_64 | Supported (musl native) |
| SUSE / openSUSE 15+ | x86_64 | Supported |

Cryptography

All pure Rust. No OpenSSL. No liboqs. FIPS 140-3 enabled by default (aws-lc-rs, NIST Cert #4816). Non-FIPS pure Rust mode via runtime toggle.

| Type | Algorithms |
|---|---|
| Classical ECDSA | P-256, P-384 |
| Classical RSA | RSA 2048/3072/4096, RSA-PSS 3072/4096 |
| Classical EdDSA | Ed25519 (RFC 8410) |
| Post-Quantum (FIPS 204) | ML-DSA-44, ML-DSA-65, ML-DSA-87 |
| Post-Quantum (FIPS 205) | SLH-DSA-SHA2-128s, 192s, 256s |
| Hybrid Composites | ML-DSA-44+P-256, ML-DSA-65+P-256, ML-DSA-65+P-384, ML-DSA-87+P-384 |

Protocol Support

| Protocol | RFC | Status |
|---|---|---|
| ACME | RFC 8555 | Complete (HTTP-01, DNS-01, TLS-ALPN-01) |
| EST | RFC 7030, 8295 | Complete |
| SCEP | RFC 8894 | Complete |

Security