Configuration Reference
SPORK CA can be configured through CLI flags, environment variables, and a TOML configuration file. This page documents every option.
Configuration Methods
Settings are resolved in the following order of precedence (highest first):
- CLI flags — Override everything. Passed directly on the command line.
- Environment variables — Override config file and defaults.
- Config file — /etc/spork/config.toml (or the path set by --config).
- Built-in defaults — Sensible values that work for development and simple deployments.
SPORK_KEYSTORE_PASSPHRASE).
Environment Variables
Core
| Variable | Description | Default |
|---|---|---|
| SPORK_DATA_DIR | Root directory for CA data, keys, and certificates | /opt/spork-acme/data |
| SPORK_DB_PATH | Path to the SQLite database file | $SPORK_DATA_DIR/spork.db |
| SPORK_LOG_LEVEL | Log verbosity: trace, debug, info, warn, error | info |
| SPORK_LOG_FORMAT | Log format: text or json | text |
| RUST_BACKTRACE | Enable Rust backtraces: 1 or full | 0 |
Server Ports
| Variable | Description | Default |
|---|---|---|
| SPORK_BIND_ADDR | IP address to bind all listeners to | 0.0.0.0 |
| SPORK_ACME_PORT | ACME server HTTPS port | 6446 |
| SPORK_EST_PORT | EST server port | 8443 |
| SPORK_OCSP_PORT | OCSP responder port | 8888 |
| SPORK_CRL_PORT | CRL distribution point HTTP port | 8889 |
| SPORK_API_PORT | REST API port (mTLS-protected) | 9443 |
TLS
| Variable | Description | Default |
|---|---|---|
| SPORK_TLS_CERT | Path to the server TLS certificate (PEM) | Auto-generated self-signed |
| SPORK_TLS_KEY | Path to the server TLS private key (PEM) | Auto-generated |
| SPORK_TLS_CA | Path to the CA certificate for client verification | Uses the CA's own certificate |
| SPORK_TLS_REQUIRE_CLIENT_CERT | Require mTLS client certificates: true or false | false |
HSM (PKCS#11)
| Variable | Description | Default |
|---|---|---|
| SPORK_HSM_MODULE | Path to the PKCS#11 shared library | — |
| SPORK_HSM_SLOT | HSM slot number | 0 |
| SPORK_HSM_PIN | HSM PIN (use an environment variable, never the config file) | — |
ACME-Specific
| Variable | Description | Default |
|---|---|---|
| SPORK_KEYSTORE_PASSPHRASE | Passphrase for the encrypted keystore. Required in non-interactive (service) mode; in interactive mode the passphrase is prompted for. | — |
Never store SPORK_KEYSTORE_PASSPHRASE or SPORK_HSM_PIN in a config file. Use environment variables or a secrets manager. For systemd services, set them via EnvironmentFile= with restricted permissions.
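The precedence rules and the "secrets never in the config file" rule above are easy to get wrong when several layers are set at once. The following added example (not part of SPORK CA; written here for illustration) resolves one setting through CLI flag, environment variable, config file and built-in default, reports which layer won, flags secrets found in a parsed config file, and applies the interactive-versus-service rule for the keystore passphrase. The mapping of CLI flags (`--host`, `--port`, `--log-level`, `-s`) onto setting names, the `SPORK_<SETTING>` environment naming, and the sample config dictionary are assumptions made for the example.

```python
import argparse
import getpass

# Built-in defaults, copied from the tables on this page
DEFAULTS = {
    "bind_addr": "0.0.0.0",
    "acme_port": "6446",
    "log_level": "info",
    "data_dir": "/opt/spork-acme/data",
}

# Settings that must come from the environment or a secrets manager, never the config file
SECRET_KEYS = ("keystore_passphrase", "hsm_pin")

# Constructed stand-in for a parsed config.toml (e.g. via tomllib); it deliberately
# contains a secret so that secrets_in_config() has something to report.
SAMPLE_CONFIG = {
    "bind_addr": "10.0.0.5",
    "log_level": "debug",
    "keystore_passphrase": "constructed-do-not-do-this",
}


def parse_cli(argv):
    """Map the CLI flags shown on this page onto setting names (the mapping is an assumption)."""
    ap = argparse.ArgumentParser(prog="spork-acme", add_help=False)
    ap.add_argument("--host", dest="bind_addr")
    ap.add_argument("--port", dest="acme_port")
    ap.add_argument("--log-level", dest="log_level")
    ap.add_argument("-s", "--state-dir", dest="data_dir")
    # Only flags actually given take part in precedence; unset flags must not shadow lower layers
    return {k: v for k, v in vars(ap.parse_args(argv)).items() if v is not None}


def resolve(key, cli, environ, config, defaults=DEFAULTS):
    """Return (value, source) for one setting: CLI > environment > config file > default."""
    if key in cli:
        return cli[key], "cli"
    env_name = "SPORK_" + key.upper()
    if env_name in environ:
        return environ[env_name], "env"
    if key in config:
        return str(config[key]), "config"
    if key in defaults:
        return defaults[key], "default"
    raise KeyError(f"unknown setting {key!r}")


def effective_settings(cli, environ, config, defaults=DEFAULTS):
    """Resolve every setting known from any layer, so an operator can see where each value came from."""
    keys = set(defaults) | set(config) | set(cli)
    keys |= {k[len("SPORK_"):].lower() for k in environ if k.startswith("SPORK_")}
    return {k: resolve(k, cli, environ, config, defaults) for k in sorted(keys)}


def secrets_in_config(config):
    """Names of secrets found in the parsed config file; a loader should refuse to start on these."""
    return [k for k in SECRET_KEYS if k in config]


def keystore_passphrase(environ, interactive, prompt=getpass.getpass):
    """Service mode requires SPORK_KEYSTORE_PASSPHRASE; interactive mode may prompt for it."""
    value = environ.get("SPORK_KEYSTORE_PASSPHRASE")
    if value:
        return value
    if interactive:
        return prompt("Keystore passphrase: ")
    raise RuntimeError("SPORK_KEYSTORE_PASSPHRASE is required in non-interactive (service) mode")


if __name__ == "__main__":
    cli = parse_cli(["--host", "127.0.0.1"])
    env = {"SPORK_ACME_PORT": "443"}
    for name, (value, source) in effective_settings(cli, env, SAMPLE_CONFIG).items():
        print(f"{name:22} = {value!r:32} ({source})")
    print("secrets in config file:", secrets_in_config(SAMPLE_CONFIG))
```

Because `parse_cli` drops flags that were not given, an absent `--host` falls through to `SPORK_BIND_ADDR`, then to the config file, then to `0.0.0.0`; a loader that kept `None` from argparse would silently mask every lower layer.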
Environment File
SPORK ACME is configured via CLI flags and environment variables. For systemd deployments,
use an EnvironmentFile to store sensitive values outside the service file:
```bash
# /opt/spork-acme/spork-acme.env
# Keystore passphrase (encrypts CA private keys at rest)
SPORK_LOCKBOX_PASSPHRASE=your-secure-passphrase
# Admin dashboard credentials
SPORK_ADMIN_USER=admin
SPORK_ADMIN_PASSWORD=your-admin-password
# Log level (trace, debug, info, warn, error)
RUST_LOG=spork_acme=info
```
Reference it from the systemd service file:
```ini
[Service]
EnvironmentFile=/opt/spork-acme/spork-acme.env
ExecStart=/usr/local/bin/spork-acme -s /opt/spork-acme --auto-validate
```
Restrict the file with chmod 600 /opt/spork-acme/spork-acme.env. Never store passphrases in
the service file itself or in CLI arguments (visible in /proc).
Prefer --admin-password-file over the SPORK_ADMIN_PASSWORD
environment variable on systems where /proc/*/environ is readable.
CLI Flags
Common flags for spork-acme:
| Flag | Description | Example |
|---|---|---|
| -s, --state-dir | Path to the state/data directory | spork-acme -s /opt/spork-acme |
| --host | IP address to bind to | spork-acme --host 127.0.0.1 |
| --port | HTTPS port for the ACME server | spork-acme --port 443 |
| --cdp-url | CRL Distribution Point URL embedded in issued certificates | --cdp-url http://crl.quantumnexus.com/spork.crl |
| --aia-base-url | Authority Information Access base URL for CA certificate and OCSP | --aia-base-url http://aia.quantumnexus.com/ |
| --log-level | Log level (trace, debug, info, warn, error) | spork-acme --log-level debug |
| --domain-policy-file | Path to the domain-policy.toml file | --domain-policy-file /opt/spork-acme/domain-policy.toml |
| --allow-domain | Allow a domain pattern (additive with the policy file) | --allow-domain "*.quantumnexus.com" |
| --deny-domain | Deny a domain pattern (additive with the policy file) | --deny-domain "*.evil.com" |
| --no-rate-limit | Disable built-in rate limiting | --no-rate-limit |
Domain Policy
SPORK ACME uses a deny-by-default domain policy to control which domains can receive certificates. The policy is configured via a TOML file in the state directory.
Policy File Format
Create domain-policy.toml in your state directory (e.g., /opt/spork-acme/domain-policy.toml):
```toml
# /opt/spork-acme/domain-policy.toml
[policy]
mode = "deny-by-default" # or "allow-by-default"

[[allow]]
pattern = "*.quantumnexus.com"

[[allow]]
pattern = "quantumnexus.com"

[[deny]]
pattern = "*.evil.com"
```
CLI Integration
The policy file is loaded via --domain-policy-file. You can also add patterns
additively from the command line:
```bash
# Load policy file and add extra patterns
spork-acme -s /opt/spork-acme \
  --domain-policy-file /opt/spork-acme/domain-policy.toml \
  --allow-domain "*.lab.local" \
  --deny-domain "*.test.invalid"
```
CLI patterns (--allow-domain, --deny-domain) are merged with the
policy file. Deny rules always take precedence over allow rules.
Pattern Syntax
| Pattern | Matches | Does Not Match |
|---|---|---|
| `**` | Everything | — |
| `**.quantumnexus.com` | a.quantumnexus.com, b.c.quantumnexus.com | quantumnexus.com |
| `*.quantumnexus.com` | a.quantumnexus.com | b.c.quantumnexus.com |
| `quantumnexus.com` | quantumnexus.com | www.quantumnexus.com |
If no --allow-domain patterns and no policy file are configured, the server rejects all certificate requests. The setup wizard prompts you to configure allowed domains during initial setup.
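The pattern table, the deny-over-allow rule and the empty-policy behaviour together define a small decision procedure. The following added example (not SPORK ACME's own code; written here for illustration) implements that procedure: it reads the policy file layout shown above with a deliberately minimal parser, merges --allow-domain/--deny-domain patterns additively, and decides each requested name with deny rules checked first and deny-by-default as the fallback. The wildcard semantics are taken from the table (`*.` matches exactly one label, `**.` matches one or more, `**` matches everything); the hostname syntax check and the rule that a multi-name order passes only if every name passes are assumptions added for the example.

```python
import re

# Constructed policy file, same layout as the example on this page
SAMPLE_POLICY = '''
[policy]
mode = "deny-by-default" # or "allow-by-default"

[[allow]]
pattern = "*.quantumnexus.com"

[[allow]]
pattern = "quantumnexus.com"

[[deny]]
pattern = "*.evil.com"
'''

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_policy_toml(text):
    """Minimal reader for [policy], [[allow]] and [[deny]] with 'key = "value"' lines.
    Not a general TOML parser; tomllib (Python 3.11+) can replace it in real code."""
    mode, allow, deny, section = "deny-by-default", [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line in ("[policy]", "[[allow]]", "[[deny]]"):
            section = line.strip("[]")
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            value = value.strip('"')
            if section == "policy" and key == "mode":
                mode = value
            elif section == "allow" and key == "pattern":
                allow.append(value)
            elif section == "deny" and key == "pattern":
                deny.append(value)
    return mode, allow, deny


def valid_hostname(domain):
    """Reject names that are not plain hostnames (this also rejects wildcard identifiers)."""
    d = domain.lower().rstrip(".")
    return 0 < len(d) <= 253 and all(LABEL.match(label) for label in d.split("."))


def matches(pattern, domain):
    """Pattern semantics from the table: '**' everything, '**.x' one or more labels
    under x, '*.x' exactly one label under x, anything else an exact match."""
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern == "**":
        return True
    if pattern.startswith("**."):
        suffix = pattern[2:]  # ".x": the name must be strictly longer than the suffix
        return domain.endswith(suffix) and len(domain) > len(suffix)
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return domain.endswith(suffix) and "." not in domain[:-len(suffix)]
    return domain == pattern


class DomainPolicy:
    def __init__(self, mode="deny-by-default", allow=(), deny=()):
        if mode not in ("deny-by-default", "allow-by-default"):
            raise ValueError(f"unknown policy mode {mode!r}")
        self.mode, self.allow, self.deny = mode, list(allow), list(deny)

    @classmethod
    def from_toml(cls, text):
        return cls(*parse_policy_toml(text))

    def add_cli(self, allow=(), deny=()):
        """Merge --allow-domain / --deny-domain patterns additively with the file."""
        self.allow += list(allow)
        self.deny += list(deny)
        return self

    def decide(self, domain):
        """Return (allowed, reason). Deny rules are checked before allow rules."""
        if not valid_hostname(domain):
            return False, "malformed name"
        for p in self.deny:
            if matches(p, domain):
                return False, f"denied by {p}"
        for p in self.allow:
            if matches(p, domain):
                return True, f"allowed by {p}"
        if self.mode == "allow-by-default":
            return True, "allow-by-default"
        return False, "no allow rule matched (deny-by-default)"

    def order_allowed(self, names):
        """An order with several identifiers is issued only if every one of them passes."""
        return all(self.decide(n)[0] for n in names)


if __name__ == "__main__":
    policy = DomainPolicy.from_toml(SAMPLE_POLICY).add_cli(allow=["*.lab.local"], deny=["*.test.invalid"])
    for name in ("api.quantumnexus.com", "b.c.quantumnexus.com", "www.evil.com", "a.lab.local"):
        print(f"{name:24} -> {policy.decide(name)}")
```

`DomainPolicy()` with no file and no CLI patterns reproduces the documented behaviour of rejecting every request, and a policy of `--allow-domain "**"` still loses to any matching deny rule.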
mTLS Setup
SPORK CA uses mutual TLS (mTLS) with admin certificates to authenticate destructive operations. Certificates contain a Policy OID that determines the access level:
Admin Certificate Hierarchy
| Level | Policy OID | Created Via | Capabilities |
|---|---|---|---|
| SuperAdmin | .1.20.4 | Initial setup (inception) | Full control: factory reset, issue admin certs, all operations |
| Admin | .1.20.3 | WebUI (by SuperAdmin) | Revoke certs, manage CRLs, issue end-entity certs |
| Operator | .1.20.2 | WebUI | Issue certs, view logs |
| Viewer | .1.20.1 | WebUI | View-only access (status, certificates, logs) |
Importing PFX in Your Browser
To access the admin web UI, import the admin PFX certificate into your browser:
- Chrome/Edge: Settings → Privacy and Security → Security → Manage certificates → Import. Select the .pfx file and enter the passphrase.
- Firefox: Settings → Privacy & Security → View Certificates → Your Certificates → Import. Select the .pfx file and enter the passphrase.
- Safari: Double-click the .pfx file to add it to Keychain Access. Enter the passphrase when prompted.
Once imported, navigate to the admin UI (e.g., https://your-server:6446/admin). The browser will prompt you to select the client certificate. Choose the SPORK admin certificate.
Alternatively, the admin credentials (SPORK_ADMIN_USER and SPORK_ADMIN_PASSWORD) can be used to log in at /admin/login and log out at /admin/logout. mTLS remains the recommended method for high-security environments. The admin UI is view-only by design. All destructive operations (revocation, CRL signing, admin cert management) must be performed via the mTLS-authenticated REST API or the CLI with an admin PFX.
Production Checklist
Before deploying SPORK CA in production, verify the following:
| Item | Action | Why |
|---|---|---|
| Bind address | Set SPORK_BIND_ADDR to a specific interface (not 0.0.0.0) | Limit network exposure |
| mTLS enforcement | Set SPORK_TLS_REQUIRE_CLIENT_CERT=true for admin endpoints | Prevent unauthenticated access to destructive operations |
| systemd service | Install the spork-acme.service unit file and enable it | Automatic startup, restart on failure, resource limits |
| Log rotation | Configure the [logging] section or use logrotate for /var/log/spork/ | Prevent disk exhaustion |
| Keystore passphrase | Set SPORK_KEYSTORE_PASSPHRASE via EnvironmentFile= with mode 0600 | Non-interactive startup without exposing secrets in the process list |
| Domain policy | Create domain-policy.toml with allowed domain patterns | Prevent unauthorized certificate issuance |
| CRL timer | Enable spork-acme-crl.timer for periodic CRL regeneration (6-hour interval) | Ensure clients can check revocation status offline |
| Backup schedule | Configure automated backups via spork-acme → Backup → Schedule | Disaster recovery |
| Firewall | Allow only required ports (6446 for ACME, 8888 for OCSP, 8889 for CRL) | Minimize attack surface |
| File permissions | Ensure /opt/spork-acme/data/ is owned by the service user with mode 0700 | Protect private keys and database |
Run the built-in security audit (sudo spork-acme → Security → Audit) to verify your deployment meets hardening requirements.
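Several checklist items (bind address, mTLS enforcement, keystore passphrase source, env file and data directory modes) and the Environment File section's rule that secrets never go into the unit file or CLI arguments can be verified mechanically before the service starts. The following added example (not SPORK CA's built-in audit; written here for illustration) does so: it inspects the environment, the mode bits of the env file and data directory, and the systemd unit text, and returns a list of findings. `demo()` builds a constructed weak deployment in a temporary directory, audits it, hardens it and audits it again; the file layout, the list of secret variable names and the exact finding wording are assumptions made for the example.

```python
import os
import stat
import tempfile

# Variables whose values must never appear in ExecStart= or Environment= (names from this page)
SECRET_MARKERS = ("SPORK_KEYSTORE_PASSPHRASE", "SPORK_LOCKBOX_PASSPHRASE",
                  "SPORK_ADMIN_PASSWORD", "SPORK_HSM_PIN")


def check_env(environ):
    """Flag weak or missing settings among the environment variables documented above."""
    findings = []
    if environ.get("SPORK_BIND_ADDR", "0.0.0.0") == "0.0.0.0":
        findings.append("SPORK_BIND_ADDR is 0.0.0.0: bind to a specific interface")
    if environ.get("SPORK_TLS_REQUIRE_CLIENT_CERT", "false").lower() != "true":
        findings.append("SPORK_TLS_REQUIRE_CLIENT_CERT is not true: admin endpoints accept unauthenticated clients")
    if "SPORK_KEYSTORE_PASSPHRASE" not in environ:
        findings.append("SPORK_KEYSTORE_PASSPHRASE unset: service mode cannot start non-interactively")
    return findings


def mode_is_private(mode):
    """True when the permission bits grant nothing to group or other (0600 for files, 0700 for dirs)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def check_path(path, label):
    """The env file must be 0600 and the data directory 0700 (the page's checklist values)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{label} {path} does not exist"]
    if not mode_is_private(st.st_mode):
        return [f"{label} {path} has mode {stat.S_IMODE(st.st_mode):04o}; expected 0600/0700"]
    return []


def check_unit(unit_text):
    """Secrets belong in EnvironmentFile=, never in ExecStart= or Environment= (both visible in /proc)."""
    findings, has_env_file = [], False
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("EnvironmentFile="):
            has_env_file = True
        if line.startswith(("ExecStart=", "Environment=")) and any(m in line for m in SECRET_MARKERS):
            findings.append(f"secret passed via unit directive {line.split('=', 1)[0]}=")
    if not has_env_file:
        findings.append("no EnvironmentFile= in unit; the passphrase must come from a 0600 env file")
    return findings


def audit(environ, env_file, data_dir, unit_text):
    """Run every check and return the combined list of findings (empty means all checks passed)."""
    return (check_env(environ) + check_path(env_file, "env file")
            + check_path(data_dir, "data dir") + check_unit(unit_text))


def demo():
    """Audit a constructed weak deployment, then the same deployment after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        env_file = os.path.join(tmp, "spork-acme.env")
        data_dir = os.path.join(tmp, "data")
        with open(env_file, "w") as f:
            f.write("SPORK_KEYSTORE_PASSPHRASE=constructed-example\n")
        os.chmod(env_file, 0o644)          # world-readable: finding
        os.mkdir(data_dir)
        os.chmod(data_dir, 0o755)          # set explicitly, since mkdir's mode is masked by umask
        weak_unit = ("[Service]\n"
                     "ExecStart=/usr/local/bin/spork-acme -s /opt/spork-acme\n"
                     "Environment=SPORK_KEYSTORE_PASSPHRASE=constructed-example\n")
        before = audit({}, env_file, data_dir, weak_unit)

        os.chmod(env_file, 0o600)
        os.chmod(data_dir, 0o700)
        hardened_env = {"SPORK_BIND_ADDR": "10.0.0.5", "SPORK_TLS_REQUIRE_CLIENT_CERT": "true",
                        "SPORK_KEYSTORE_PASSPHRASE": "constructed-example"}
        hardened_unit = ("[Service]\n"
                         "EnvironmentFile=/opt/spork-acme/spork-acme.env\n"
                         "ExecStart=/usr/local/bin/spork-acme -s /opt/spork-acme --auto-validate\n")
        after = audit(hardened_env, env_file, data_dir, hardened_unit)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("weak deployment:")
    for f in before:
        print("  -", f)
    print("hardened deployment findings:", after)
```

The weak deployment produces seven findings (three environment settings, two permission problems, a secret in an `Environment=` directive and a missing `EnvironmentFile=`); the hardened one produces none. Real unit files and env files would be passed in by path instead of the constructed strings used in `demo()`.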