# PKI Client

Modern PKI CLI tool — certificate inspection, key management, TLS probing, and enrollment protocols.

**Version:** 0.7.0 | **Binary:** `pki` | **License:** Apache-2.0

## Overview

PKI Client is a single static binary that handles the entire certificate lifecycle from the command line. No OpenSSL required. Pure Rust. Post-quantum native.

### What it does

- **Inspect** any PKI file — certs, keys, CSRs, CRLs, PKCS#7, PKCS#12
- **Generate** RSA, EC, and ML-DSA (post-quantum) keys
- **Build** entire CA hierarchies from TOML configuration
- **Probe** live TLS servers with security grading
- **Enroll** via ACME (Let's Encrypt), EST (RFC 7030), SCEP (RFC 8894)
- **Lint** certificates against RFC/CA-Browser Forum profiles
- **Compare** two certificates side-by-side
- **Convert** between PEM, DER, and Base64 formats

### Key features

| Feature | Description |
|---------|-------------|
| 20 subcommands | Full PKI operations in one binary |
| 4 output formats | text, json, compact, forensic |
| Post-quantum | ML-DSA-44/65/87, SLH-DSA (FIPS 204/205) |
| FIPS 140-3 | `--fips` flag restricts to approved algorithms |
| Interactive shell | `pki shell` with tab completion and history |
| Batch mode | `pki batch script.txt` for automation |
| Zero dependencies | Single static musl binary |

## Installation

### One-line install

```bash
curl -fsSL https://raw.githubusercontent.com/rayketcham-lab/PKI-Client/main/install.sh | sudo bash
```
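
A more cautious variant of the one-line install, as an added example that is not part of the PKI-Client project: it fetches `install.sh` from a pinned commit, checks it against a SHA-256 you recorded when you reviewed the script, and runs it only on a match. `PIN_REF`, `PIN_SHA256` and the function names are assumptions made for this example; both values are placeholders to fill in yourself.

```bash
# Added example, not part of the PKI-Client project.
# Placeholders (assumptions): set both after reviewing install.sh yourself.
PIN_REF="<commit-you-reviewed>"
PIN_SHA256="<sha256-of-reviewed-install.sh>"
BASE_URL="https://raw.githubusercontent.com/rayketcham-lab/PKI-Client"

# Print the lowercase hex SHA-256 of a file (GNU coreutils or shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if FILE exists, EXPECTED is 64 hex digits, and they match.
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    [ "${#expected}" -eq 64 ] || return 1
    case "$expected" in *[!0-9a-f]*) return 1 ;; esac
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Download the pinned script to disk, verify it, and only then run it.
install_pinned() {
    local tmp rc
    tmp=$(mktemp) || return 1
    if ! curl -fsSL -o "$tmp" "$BASE_URL/$PIN_REF/install.sh"; then
        rm -f "$tmp"; return 1
    fi
    if verify_sha256 "$tmp" "$PIN_SHA256"; then
        sudo bash "$tmp"; rc=$?
    else
        echo "install.sh does not match the pinned digest; not running it" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Runs only on request, so sourcing the file has no side effects.
if [ "${1:-}" = "--install" ]; then install_pinned; fi
```

Save it as a script and run it with `--install` once both placeholders are filled in; with the placeholders left as they are, the digest check fails and nothing is executed.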

### Manual install

Download from [GitHub Releases](https://github.com/rayketcham-lab/PKI-Client/releases) and place in your PATH:

```bash
sudo cp pki /usr/local/bin/pki
sudo chmod +x /usr/local/bin/pki
pki --version
```

### Build from source

```bash
git clone https://github.com/rayketcham-lab/PKI-Client.git
cd PKI-Client
cargo build --release
# With post-quantum support:
cargo build --release --features pqc
```

## Quick start

```bash
# Enter interactive shell
pki

# Or run commands directly:
pki show server.pem              # Inspect any PKI file
pki key gen ec --curve p384      # Generate EC P-384 key
pki probe server google.com:443  # Probe TLS endpoint
pki compliance levels            # Show FIPS/NIST compliance levels
```
