Quick Start
Get a Certificate Authority up and running in under five minutes. This guide walks you through initializing a CA, issuing your first certificate, and setting up revocation infrastructure.
Prerequisites
- SPORK CA installed on your system (see the Install Guide)
- Terminal access with the spork-shell binary on your PATH
- OpenSSL (for certificate verification only — SPORK CA itself has no OpenSSL dependency)
Note: All SPORK CA binaries are statically linked. No runtime libraries or C dependencies are required.
1. Initialize a CA
Launch the interactive shell and run the CA initialization wizard:
$ spork-shell repl
____ ____ ___ ____ _ __ ____ _
/ ___|| _ \ / _ \| _ \| |/ / / ___| / \
\___ \| |_) | | | | |_) | ' / | | / _ \
___) | __/| |_| | _ <| . \ | |___ / ___ \
|____/|_| \___/|_| \_\_|\_\ \____/_/ \_\
spork> ca init
The wizard will prompt you for the following:
Enter CA Common Name: My Organization Root CA
Enter Organization: My Organization
Enter Country (2-letter code): US
Select signing algorithm:
1. ECDSA P-256 (recommended)
2. ECDSA P-384
3. RSA 2048
4. RSA 4096
5. ML-DSA-65 (post-quantum)
6. ML-DSA-87 (post-quantum)
Selection: 1
Generating CA key pair...
CA initialized successfully.
Subject: CN=My Organization Root CA, O=My Organization, C=US
Algorithm: ECDSA P-256
Serial: A3:9F:01:...
Not After: 2036-02-07T00:00:00Z
Database: /opt/spork-acme/data/spork.db
Algorithm guidance: Choose ECDSA P-256 for broad compatibility today. Choose ML-DSA-65 if you are testing post-quantum readiness. PQC algorithms require the pqc feature flag at build time.
2. Issue a Certificate
With the CA initialized, issue your first end-entity certificate:
spork> cert issue
Enter Common Name: test.example.com
Enter Subject Alternative Names (comma-separated, or blank):
test.example.com, www.test.example.com
Validity (days) [365]:
Certificate issued successfully.
Serial: 7B:2A:44:...
Subject: CN=test.example.com
SANs: DNS:test.example.com, DNS:www.test.example.com
Not After: 2027-02-09T00:00:00Z
Certificate written to: test.example.com.pem
Private key written to: test.example.com-key.pem
Warning: The private key file is written with mode 0600. Keep it secure and never share it.
3. Verify the Certificate
Use OpenSSL to inspect the issued certificate:
$ openssl x509 -in test.example.com.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7b:2a:44:...
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=My Organization Root CA, O=My Organization, C=US
Validity
Not Before: Feb 9 00:00:00 2026 GMT
Not After : Feb 9 00:00:00 2027 GMT
Subject: CN=test.example.com
...
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:test.example.com, DNS:www.test.example.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
4. Set Up OCSP Responder
Start the built-in OCSP responder so clients can check certificate status in real time:
$ spork-ocsp --data-dir /opt/spork-acme/data --bind 0.0.0.0:8888
OCSP responder listening on 0.0.0.0:8888
Using CA: CN=My Organization Root CA
Test with OpenSSL:
$ openssl ocsp -issuer ca.pem -cert test.example.com.pem \
-url http://localhost:8888 -resp_text
Response Status: successful (0x0)
Cert Status: good
5. Generate a CRL
Generate a Certificate Revocation List for offline revocation checking:
$ spork-crl --data-dir /opt/spork-acme/data --output /var/lib/spork/crl.pem
CRL generated successfully.
Issuer: CN=My Organization Root CA
This Update: 2026-02-09T12:00:00Z
Next Update: 2026-02-16T12:00:00Z
Entries: 0
Written to: /var/lib/spork/crl.pem
Note: In production, use a systemd timer or cron job to regenerate the CRL periodically. The ACME installer sets this up automatically via spork-acme-crl.timer.
6. Revoke a Certificate
Revocation requires an admin certificate for authentication. From the interactive shell:
spork> cert revoke
Enter certificate serial (hex): 7B:2A:44:...
Enter revocation reason:
1. unspecified
2. keyCompromise
3. superseded
4. cessationOfOperation
Selection: 2
Admin PFX path: /path/to/admin.pfx
Enter PFX password: ********
Certificate 7B:2A:44:... revoked (reason: keyCompromise).
CRL regeneration recommended.
Verify the revocation via OCSP:
$ openssl ocsp -issuer ca.pem -cert test.example.com.pem \
-url http://localhost:8888 -resp_text
Response Status: successful (0x0)
Cert Status: revoked
Revocation Time: Feb 9 12:30:00 2026 GMT
Revocation Reason: keyCompromise
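For scripted checks such as monitoring or a deployment gate, the OCSP verdict shown above can be parsed instead of read by eye. The following is an added example, not part of SPORK CA or its documentation; the function names classify_ocsp and check_cert and the file name ocsp-check.sh are hypothetical, and the embedded sample responses are constructed from the output shown in this guide.

```sh
#!/bin/sh
# Added example: turn `openssl ocsp ... -resp_text` output into a verdict.

# Constructed sample responses, copied from the output shown in this guide.
SAMPLE_GOOD='Response Status: successful (0x0)
Cert Status: good'
SAMPLE_REVOKED='Response Status: successful (0x0)
Cert Status: revoked
Revocation Time: Feb 9 12:30:00 2026 GMT
Revocation Reason: keyCompromise'

# classify_ocsp: read response text on stdin and print one verdict line.
# Exit 0 = good, 1 = revoked or unknown, 2 = no usable response.
# Fails closed: anything that is not exactly one status line inside a
# successful response is reported as "error".
classify_ocsp() {
    awk '
        /Response Status:/   { resp = ($0 ~ /successful/) ? "ok" : "bad" }
        /Cert Status:/       { sub(/.*Cert Status:[ \t]*/, ""); status = $1; n++ }
        /Revocation Reason:/ { sub(/.*Revocation Reason:[ \t]*/, ""); reason = $1 }
        END {
            if (resp != "ok" || n != 1) { print "error"; exit 2 }
            if (status == "good")       { print "good"; exit 0 }
            if (status == "revoked")    { print "revoked" (reason ? " " reason : ""); exit 1 }
            print "unknown"; exit 1
        }'
}

# check_cert ISSUER CERT URL: query the responder with the same flags as
# the commands above; the verdict comes from the parsed text, so a failed
# connection (empty output) is an error rather than a pass.
check_cert() {
    openssl ocsp -issuer "$1" -cert "$2" -url "$3" -resp_text 2>/dev/null |
        classify_ocsp
}

# Run as: sh ocsp-check.sh ca.pem test.example.com.pem http://localhost:8888
if [ "$#" -eq 3 ]; then
    check_cert "$@"
fi
```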
7. Next Steps
- ACME Server Quick Start — Set up automated certificate issuance with the ACME protocol
- Configuration Reference — Environment variables, config file options, mTLS setup, and production checklist
- Upgrade Guide — How to upgrade SPORK CA to a new version