# PKI Client — Examples

## Inspect a live TLS server

```bash
$ pki probe server google.com:443
TLS Server Probe: google.com:443

  Protocol:       TLSv1.3
  Cipher Suite:   TLS_AES_256_GCM_SHA384
  Key Exchange:   X25519Kyber768Draft00 (PQ hybrid)

  Certificate Chain:
    [0] CN=*.google.com (EC P-256, 89 days)
    [1] CN=GTS CA 1C3 (RSA 2048, 1826 days)
    [2] CN=GTS Root R1 (RSA 4096, self-signed)

  Security Grade: A
```

## Build a 3-tier corporate PKI from TOML

```bash
$ cat corp-pki.toml
[hierarchy]
name = "Corp PKI"
output_dir = "./pki-output"

[hierarchy.defaults]
organization = "Acme Corp"
country = "US"

[[ca]]
id = "root"
type = "root"
algorithm = "rsa-4096"
common_name = "Acme Corp Root CA"
validity_years = 20
path_length = 2

[[ca]]
id = "policy"
type = "intermediate"
parent = "root"
algorithm = "rsa-4096"
common_name = "Acme Corp Policy CA"
validity_years = 10
path_length = 1

[[ca]]
id = "issuing"
type = "intermediate"
parent = "policy"
algorithm = "ecdsa-p384"
common_name = "Acme Corp Issuing CA"
validity_years = 5
path_length = 0

$ pki pki build corp-pki.toml
→ Building hierarchy 'Corp PKI'...
✓ Built 3 CAs
✓ Exported 12 files to ./pki-output
  • root (1612 bytes)
  • policy (1661 bytes)
  • issuing (1264 bytes)
```

## Build a post-quantum PKI

```bash
$ cat pqc-pki.toml
[hierarchy]
name = "Quantum-Safe PKI"
output_dir = "./pqc-output"

[[ca]]
id = "root"
type = "root"
algorithm = "ml-dsa-87"
common_name = "PQC Root CA [ML-DSA-87]"
validity_years = 25
path_length = 1

[[ca]]
id = "issuing"
type = "intermediate"
parent = "root"
algorithm = "ml-dsa-65"
common_name = "PQC Issuing CA [ML-DSA-65]"
validity_years = 10
path_length = 0

$ pki pki build pqc-pki.toml
→ Building hierarchy 'Quantum-Safe PKI'...
✓ Built 2 CAs
✓ Exported 8 files to ./pqc-output
  • root (7825 bytes)
  • issuing (7230 bytes)
```

## Compare RSA vs PQC root certificates

```bash
$ pki diff corp-root.pem pqc-root.pem
Certificate Comparison:
    File 1:         corp-root.pem
    File 2:         pqc-root.pem

Key:
    Cert 1:         RSA 4096-bit
    Cert 2:         ML-DSA-87 (NIST Level 5)  ✗ DIFFERS

Signature:
    Cert 1:         sha256WithRSAEncryption
    Cert 2:         ML-DSA-87  ✗ DIFFERS

Summary:
    Matches:        1 fields
    Differs:        6 fields
```

## Generate keys and CSRs

```bash
# EC P-384 (recommended for most use cases)
$ pki key gen ec --curve p384 -o server.key
✓ Key saved to server.key (mode 0600)
  Algorithm: EC P-384
  Security:  Very Strong (192-bit equivalent)

# Create a CSR with SANs
$ pki csr create --key server.key --cn "www.example.com" \
    --san "dns:www.example.com" --san "dns:example.com" \
    -o server.csr
✓ CSR saved to server.csr
  Subject: CN=www.example.com
  SANs: dns:www.example.com, dns:example.com

# Verify key matches a certificate
$ pki key match server.key server.crt
  ✓ Algorithm types match (EC)
  ✓ Public key match confirmed (SPKI pin)
```

## Check certificate expiration

```bash
$ pki cert expires *.pem --within 30d
web-server.pem:  EXPIRING | 2026-04-15 | 22 days
api-server.pem:  OK | 2027-01-15 | 297 days
root-ca.pem:     OK | 2046-03-24 | 7304 days
```

## Convert formats

```bash
# PEM to DER
$ pki convert cert.pem --to der -o cert.der

# DER to PEM
$ pki convert cert.der --to pem -o cert.pem

# PEM to Base64 (no headers)
$ pki convert cert.pem --to base64
```

## Check CRL

```bash
$ pki crl show company.crl
Certificate Revocation List (CRL):
    Issuer:     CN=Company CA
    Status:     ✓ CURRENT
    Revoked:    3 certificates

$ pki crl check company.crl 01AB
✓ OK Certificate 01AB is NOT REVOKED in this CRL
```

## Compliance checking

```bash
# Show all FIPS/NIST compliance levels
$ pki compliance levels

# Check if your config meets Level 2
$ pki compliance check --level 2 --algo ecdsa-p384 --ocsp --auto-crl --audit

# Generate a CP/CPS document skeleton
$ pki compliance cps --level 2
```

## Batch automation

```bash
$ cat audit.txt
# Weekly certificate audit
cert expires /etc/ssl/certs/*.pem --within 30d
probe check api.example.com:443
probe check web.example.com:443
crl show /var/lib/pki/company.crl

$ pki batch audit.txt
[1] cert expires ... 2 certificates expiring within 30d
[2] probe check api.example.com:443 ... TLS OK
[3] probe check web.example.com:443 ... TLS OK
[4] crl show ... 3 revoked certificates
Batch complete: 4 succeeded, 0 failed
```

## DANE/TLSA records

```bash
$ pki dane generate -c server.pem
DANE TLSA Record
  _443._tcp.example.com. IN TLSA 3 1 1 (
    ab3c8f2e...
  )
```