v0.7.0 · Pure Rust · Apache-2.0

Modern PKI operations,
made human

Certificate inspection, key management, TLS probing, compliance validation, DANE, chain building — no OpenSSL required. Single static binary.

Install GitHub
17
Subcommands
4
Output Formats
PQC
Post-Quantum Ready
0
Git Dependencies
Features

The PKI Swiss Army knife

Everything you need for certificate operations, from inspection to issuance.

Certificate Inspection

Decode, verify, fingerprint, and check expiry for any X.509 certificate. Auto-detects PEM, DER, and PKCS#12.

Key Management

Generate RSA, ECDSA (P-256, P-384), and Ed25519 key pairs. Inspect existing keys.

TLS Probing

Connect to any TLS server, inspect the handshake, protocols, cipher suites, and lint the configuration.

DANE & Compliance

TLSA record generation and verification (RFC 6698). Validate against FIPS 140-3, NIST, and Federal Bridge policies.

Compliance & FIPS

Validate against FIPS 140-3, NIST guidelines, and Federal Bridge policies. Restrict to approved algorithms.

Post-Quantum Ready

ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) support behind the pqc feature flag.

Live Demos

Watch it in action

Six real-world scenarios — from auditing expired certs to building a post-quantum PKI from scratch. Full demos or 15-second TL;DRs.

The Audit
Expired RSA, hybrid, PQC certs
The Renewal
Full cert renewal workflow
The Migration
RSA to post-quantum roadmap
The Build
PQC hierarchy from TOML
The Handoff
Onboarding a new engineer
The Vision
MD5 to ML-DSA to 2050
View All Demos
Examples

See the output

Human-readable output with security grades, or pipe to JSON for automation.

Quick Start
# Inspect any PKI file (auto-detects type) $ pki show server.pem # Probe a live TLS server $ pki probe server github.com:443 # Generate key + CSR in one flow $ pki key gen ec --curve p256 -o server.key $ pki csr create --key server.key --cn "My Server" -o server.csr # Build a 3-tier CA hierarchy from TOML $ pki pki build hierarchy.toml # Compare two certs side-by-side $ pki diff old.pem new.pem --side-by-side # Run a batch of commands from file $ pki batch commands.txt # Generate DANE/TLSA record for a certificate $ pki dane generate --cert server.pem
Forensic Output
Certificate Summary: Type: End Entity (DV) Grade: A Purpose: Server CA: Let's Encrypt IDENTITY ──────────────────── Subject: CN=example.com Issuer: CN=R3, O=Let's Encrypt CRYPTOGRAPHIC STRENGTH ────── Signature: ecdsa-with-SHA256 STRONG Key: EC 256-bit (P-256) STRONG SECURITY ASSESSMENT ───────── PASS Strong signature PASS Key meets minimum PASS SAN extension present PASS Revocation configured
Commands

16 subcommands + interactive shell

Every local PKI operation in one tool — certificate inspection, key management, TLS probing, compliance, DANE, and chain building.

CommandDescription
showAuto-detect and display any PKI file (cert, key, CSR, CRL, PKCS#12)
certCertificate operations — show, verify, fingerprint, expires
keyKey generation (RSA, EC, Ed25519, ML-DSA, SLH-DSA) and inspection
chainCertificate chain building and verification
csrCSR creation and inspection (classical + PQC)
crlCRL viewing and revocation checking
revokeOCSP and CRL revocation status lookups
probeTLS server inspection with security linting
acmeACME / Let's Encrypt certificate enrollment
estEST protocol enrollment (RFC 7030)
scepSCEP enrollment (RFC 8894) — automated certificate issuance
pkiDeclarative PKI hierarchy builder (TOML → cert tree)
batchRun commands from a script file (skip errors, comments)
complianceFIPS 140-3, NIST, and Federal Bridge validation
daneTLSA record generation (RFC 6698)
diffSide-by-side certificate comparison
convertFormat conversion (PEM / DER / PKCS#12)
completionsShell completion scripts (bash, zsh, fish)
manpagesGenerate man pages
shellInteractive REPL session
Output Formats

Five ways to see your data

Every command supports five output modes via --format.

text
-f text (default)
Human-readable with colors, concise layout
json
-f json
Machine-readable for scripting and automation
compact
-f compact
One line per cert — status dashboards
forensic
-f forensic
Deep-dive — hex dumps, security grades, RFC refs
openssl
-f os
Matches openssl x509 -text -noout + lifetime/trust extensions
Install

Get started

One command to install. Zero runtime dependencies.

From source (via Cargo)

cargo install --git https://github.com/rayketcham-lab/PKI-Client.git

Pre-built binary (recommended)

# Install (sudo on bash, not curl)
curl -fsSL https://raw.githubusercontent.com/rayketcham-lab/PKI-Client/main/install.sh | sudo bash

# Upgrade
curl -fsSL https://raw.githubusercontent.com/rayketcham-lab/PKI-Client/main/install.sh | sudo bash -s -- upgrade

# Uninstall
curl -fsSL https://raw.githubusercontent.com/rayketcham-lab/PKI-Client/main/install.sh | sudo bash -s -- uninstall

With post-quantum support

cargo install --git https://github.com/rayketcham-lab/PKI-Client.git --features pqc

Shell completions

# Bash
pki completions bash > /etc/bash_completion.d/pki

# Zsh
pki completions zsh > ~/.zfunc/_pki

# Fish
pki completions fish > ~/.config/fish/completions/pki.fish
Architecture

Four crates, clean separation

Modular workspace design with a shared CA engine.

CrateRole
pki-clientBinary — CLI entry point, 19 subcommands + interactive shell
pki-client-outputLibrary — certificate formatting, OID registry, display
pki-probeLibrary — TLS inspection, cipher analysis, security linting
pki-hierarchyLibrary — declarative PKI hierarchy builder
spork-coreVendored — CA crypto engine (path dep under vendor/spork-core/)

Ready to modernize your PKI workflow?

Pure Rust, no OpenSSL, human-friendly output. The PKI tool you've been waiting for.

Install Now Star on GitHub
v0.8.1 Command Status

What Works

CommandStatusNotes
show✓ StableAuto-detects cert, key, CSR, CRL, PKCS#7, PKCS#12
cert (show, expires, fingerprint)✓ Stable
key (gen, show, match)✓ StableRSA, EC P-256/P-384, Ed25519. PQC (ML-DSA, SLH-DSA) behind --features pqc.
csr (create, show)✓ Stable
chain (build, show, verify)✓ Stable
diff✓ StableCompares any two certs or CSRs
convert⚠ Known IssuePEM↔DER↔Base64 works for certs/CSRs. DER key auto-detect fails (#59)
compliance (levels, check, cps, bridge)✓ StableFIPS 140-3, NIST SP 800-57, Federal Bridge
dane (generate, verify)✓ StableTLSA record generation (RFC 6698)
probe (server, check, lint, fetch)✓ StableTLS inspection, certificate linting, chain fetch
revoke (check, crl-show)✓ StableOCSP + CRL checking
pki (preview, build, export)✓ StableDeclarative PKI hierarchy from TOML
acme🚧 Beta17 sub-commands. Directory fetch works. Full flow requires ACME server.
est🚧 BetaRFC 7030. Requires EST server for enrollment.
scep🚧 BetaRFC 8894. Requires SCEP server for enrollment.
batch✓ StableRun commands from script file
shell✓ StableInteractive REPL
completions, manpages✓ StableBash/Zsh/Fish completions, man page generation

Note: convert is format conversion (PEM ↔ DER ↔ Base64), not algorithm conversion. To migrate from RSA to PQC, use key gencsr createpki build.