PKI Client v0.7.0

Modern PKI CLI tool — certificate inspection, key management, TLS probing, and enrollment protocols. 20 subcommands in a single static binary. No OpenSSL. Pure Rust. Post-quantum native.


Overview

| Stat | Value |
|---|---|
| Subcommands | 20 |
| Output Formats | text, json, compact, forensic |
| PQC Algorithms | ML-DSA-44/65/87, SLH-DSA, hybrids |
| Protocols | ACME (RFC 8555), EST (RFC 7030), SCEP (RFC 8894) |
| Dependencies | 0 git deps, no OpenSSL (aws-lc-rs for FIPS crypto) |
| Tests | 2,137+ (unit + interop cross-validation) |

Installation

# One-line install
curl -fsSL https://raw.githubusercontent.com/rayketcham-lab/PKI-Client/main/install.sh | sudo bash

# Or download manually from GitHub Releases
# Or build from source:
git clone https://github.com/rayketcham-lab/PKI-Client.git
cd PKI-Client
cargo build --release --features pqc

Full install guide: INSTALL.md

Quick Start

# Enter interactive shell
$ pki

# Inspect a certificate
$ pki show server.pem

# Generate a key and CSR
$ pki key gen ec --curve p384 -o server.key
$ pki csr create --key server.key --cn "example.com" -o server.csr

# Build a PKI hierarchy from TOML
$ pki pki build hierarchy.toml

# Probe a live TLS server
$ pki probe server google.com:443

Command Reference

show

Auto-detect and display any PKI file. Supports certs, keys, CSRs, CRLs, PKCS#7, PKCS#12.

pki show server.pem                    # Auto-detect
pki show server.pem --lint             # Security linting
pki show server.pem -a                 # Full analysis (details + lint + revocation)
pki show server.pem --format forensic  # Deep-dive with hex dumps

cert

pki cert show server.pem               # Certificate details
pki cert expires server.pem            # Expiration check
pki cert expires *.pem --within 30d    # Find expiring certs
pki cert fingerprint server.pem        # SHA-256 fingerprint

key

pki key gen ec --curve p384 -o k.key   # EC P-384
pki key gen rsa --bits 4096 -o k.key   # RSA-4096
pki key show k.key                     # Inspect key
pki key match k.key cert.pem           # Verify key matches cert

csr

pki csr create --key k.key --cn "host" --san "dns:host" -o req.csr
pki csr show req.csr

chain

pki chain build server.pem             # Build chain from AIA
pki chain show chain.pem               # Display chain tree
pki chain verify chain.pem             # Verify integrity

crl

pki crl show myca.crl                  # Display CRL
pki crl check myca.crl 01AB           # Check serial revocation

revoke

pki revoke check server.pem            # OCSP + CRL check

diff

pki diff old.pem new.pem               # Compare certificates
pki diff old.csr new.csr               # Compare CSRs

convert

Encoding conversion only: PEM ↔ DER ↔ Base64. It does not convert key algorithms.

pki convert cert.pem --to der -o cert.der
pki convert cert.der --to pem -o cert.pem
pki convert cert.pem --to base64

probe

pki probe server google.com:443        # Full TLS probe
pki probe check google.com:443         # Quick check
pki probe lint server.pem              # Lint certificate
pki probe fetch google.com:443         # Fetch chain

pki (hierarchy builder)

Build entire CA hierarchies from declarative TOML configuration.

pki pki preview hierarchy.toml         # Preview tree
pki pki build hierarchy.toml           # Build all CAs
pki pki build hierarchy.toml --force   # Overwrite existing

compliance

pki compliance levels                  # Show FIPS/NIST levels
pki compliance check --level 2 --algo ecdsa-p384
pki compliance cps --level 2           # CP/CPS skeleton
pki compliance bridge --level 3 --dns .example.com

dane

pki dane generate -c server.pem        # Generate TLSA record
pki dane verify -c server.pem --rdata '3 1 1 ab..'

acme (Beta)

pki acme directory                     # Fetch ACME directory
pki acme certonly example.com          # Request certificate
pki acme renew example.com             # Renew certificate

est (Beta)

pki est cacerts https://est.example.com
pki est enroll https://est.example.com -c req.csr

scep (Beta)

pki scep cacaps https://scep.example.com/scep
pki scep enroll https://scep.example.com -s "CN=myhost"

batch

pki batch commands.txt

shell

pki shell    # or just: pki

Hierarchy TOML Reference

| Field | Required | Description |
|---|---|---|
| hierarchy.name | Yes | Hierarchy name |
| hierarchy.output_dir | No | Output directory (default: ./pki-output) |
| hierarchy.defaults.organization | No | Default O= for all CAs |
| hierarchy.defaults.country | No | Default C= for all CAs |
| ca.id | Yes | Unique CA identifier |
| ca.type | Yes | "root" or "intermediate" |
| ca.parent | Intermediate only | Parent CA id |
| ca.algorithm | Yes | Key algorithm (see table above) |
| ca.common_name | Yes | CN= for the CA |
| ca.validity_years | Yes | Certificate validity in years |
| ca.path_length | No | Basic Constraints pathlen |
| ca.ou | No | Organizational Unit |
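A two-tier hierarchy written against the fields above, added here as an illustration rather than taken from the PKI Client repository. It assumes CAs are declared as an array of tables (`[[ca]]`) and borrows the algorithm string `ecdsa-p384` from the compliance example; confirm both against the project's own TOML documentation before use.

```toml
# Added example hierarchy.toml (not from the PKI Client project).
# Assumptions: CAs are an array of tables [[ca]]; the algorithm value
# "ecdsa-p384" is taken from the `pki compliance check` example above.

[hierarchy]
name = "Example Corp PKI"
output_dir = "./pki-output"

[hierarchy.defaults]
organization = "Example Corp"
country = "US"

# Offline root: long-lived, and pathlen 1 limits it to a single tier of
# subordinate CAs so a compromised intermediate cannot mint further CAs.
[[ca]]
id = "root"
type = "root"
algorithm = "ecdsa-p384"
common_name = "Example Corp Root CA"
validity_years = 20
path_length = 1

# Issuing CA: chained to the root; pathlen 0 means it may issue only
# end-entity certificates, never another CA.
[[ca]]
id = "issuing"
type = "intermediate"
parent = "root"
algorithm = "ecdsa-p384"
common_name = "Example Corp Issuing CA"
validity_years = 10
path_length = 0
ou = "Infrastructure"
```

Run `pki pki preview hierarchy.toml` first to check the tree, then `pki pki build hierarchy.toml` to generate the CAs into `./pki-output`.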

Output Formats

| Format | Flag | Use case |
|---|---|---|
| text | --format text (default) | Human-readable with colors |
| json | --format json | Scripting and automation |
| compact | --format compact | Status dashboards, one line per cert |
| forensic | --format forensic | Deep-dive: every field, hex dumps, security grades |

Known Issues (v0.7.0)

| Issue | Status | Workaround |
|---|---|---|
| convert: DER key auto-detect fails (#59) | Open | Use the --from key flag |
| Ed25519 key generation | Not supported | Use EC P-384 instead |
| show: DER CRL auto-detect | Open | Use pki crl show explicitly |
| acme/est/scep | Beta | Help output and directory/capability fetch work; enrollment requires a live server |

Documentation

| Guide | Description |
|---|---|
| Overview | PKI Client architecture and capabilities |
| Installation | Download, build, and deploy |
| Command Reference | All 20 subcommands with examples |
| Examples | Real-world PKI workflows |