Certificates

This guide covers certificate operations: issuance, listing, inspection, and verification.

A certificate is a digitally signed document that binds a public key to an identity. X.509 certificates contain:

  • Subject: The entity the certificate identifies
  • Issuer: The CA that signed the certificate
  • Validity: Not Before / Not After dates
  • Public Key: The subject’s public key
  • Extensions: Key usage, SANs, constraints
  • Signature: CA’s digital signature

Issue a certificate from a Certificate Signing Request (CSR).

qpki cert issue [flags]

Note: This command requires a CSR file (--csr). For direct issuance with automatic key generation, use qpki credential enroll instead. See Credentials.

Flags:

Flag             Short  Default   Description
--ca-dir         -d     ./ca      CA directory
--profile        -P     required  Certificate profile (e.g., ec/tls-server)
--csr                   required  CSR file
--cn                    ""        Override common name from CSR
--dns                   ""        DNS SANs (comma-separated)
--ip                    ""        IP SANs (comma-separated)
--out            -o     ""        Output certificate file
--days                  0         Validity period in days (overrides profile default)
--attest-cert           ""        Attestation cert for ML-KEM CSR (RFC 9883)
--ca-passphrase         ""        CA key passphrase

Examples:

# From classical CSR (ECDSA, RSA)
qpki cert issue --ca-dir ./myca --profile ec/tls-server \
  --csr server.csr --out server.pem

# From PQC CSR (ML-DSA)
qpki cert issue --ca-dir ./myca --profile ml/tls-server \
  --csr mldsa.csr --out server.pem

# From ML-KEM CSR (requires attestation certificate)
qpki cert issue --ca-dir ./myca --profile ml-kem/client \
  --csr kem.csr --attest-cert sign.pem --out kem.pem

# From hybrid CSR (created with 'csr gen --hybrid')
# The PQC key is automatically extracted from the CSR
qpki cert issue --ca-dir ./myca --profile hybrid/catalyst/tls-server \
  --csr hybrid.csr --out server.pem

Hybrid certificates: When using a hybrid CSR (created with csr gen --hybrid), the PQC public key is automatically extracted from the CSR’s SubjectAltPublicKeyInfo attribute. No additional flag is needed — the profile determines the certificate mode (Catalyst or Composite). See Hybrid Migration for details.

List certificates in a CA.

qpki cert list [flags]

Flags:

Flag      Short  Default  Description
--ca-dir  -d     ./ca     CA directory
--status         all      Filter by status (valid, revoked, expired, all)

Examples:

# List all certificates
qpki cert list --ca-dir ./myca
qpki cert list --ca-dir ./myca --status valid
qpki cert list --ca-dir ./myca --status revoked

Display information about a certificate.

qpki cert info <serial> [flags]

Flags:

Flag      Short  Default  Description
--ca-dir  -d     ./ca     CA directory

Example:

qpki cert info 0x03 --ca-dir ./myca

Display information about certificates or keys.

qpki inspect <file> [flags]

Examples:

# Show certificate details
qpki inspect certificate.pem

# Show key details
qpki inspect private.key

# Show the CA certificate stored in a CA directory
qpki inspect ./myca/versions/v1/certs/ca.ecdsa-p256.pem

Verify a certificate’s validity and revocation status.

qpki cert verify <certificate> [flags]

Flags:

Flag    Short  Default   Description
--ca           required  CA certificate (PEM)
--crl                    CRL file for revocation check (PEM/DER)
--ocsp                   OCSP responder URL

Checks performed:

  • Certificate signature (signed by CA)
  • Validity period (not before / not after)
  • Critical extensions
  • Revocation status (if --crl or --ocsp provided)

Examples:

# Basic validation (signature, validity period, critical extensions)
qpki cert verify server.pem --ca ca.pem

# Also check revocation against a CRL
qpki cert verify server.pem --ca ca.pem --crl ca/crl/ca.crl

# Also check revocation via OCSP
qpki cert verify server.pem --ca ca.pem --ocsp http://localhost:8080

Exit codes:

  • 0: Certificate is valid
  • 1: Certificate is invalid, expired, or revoked
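The issue-from-CSR flow and the verify checks described above (CSR in, certificate out; then signature, validity period, critical extensions and CRL revocation, mapped to the documented exit codes), as an added Go example using only the standard library. This is not qpki's code: qpki's internals may differ, and the example covers the classical ECDSA path only (no ML-DSA, ML-KEM attestation or hybrid handling). The CA key and certificate, the subject key and CSR, the "Example Root CA" name, serial numbers, SAN values and validity periods are all constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must keeps the constructed fixtures short; the issue and verify paths return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA is a constructed stand-in for a qpki CA directory: an ECDSA P-256 key and a self-signed CA cert.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// makeCSR is the subject's side ("qpki csr gen"): a fresh key signs a request for cn; the key never reaches the CA.
func makeCSR(cn string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
}

// issueFromCSR mirrors "qpki cert issue --csr --dns --ip --days" under a TLS-server-style profile:
// check the CSR's proof-of-possession signature, then bind its public key to the requested names.
func issueFromCSR(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64, dns []string, ips []net.IP, days int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the request must verify under its own public key
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, // --cn would override Subject
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().AddDate(0, 0, days), // --days
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames: dns, IPAddresses: ips, BasicConstraintsValid: true, // --dns, --ip; explicit CA=false
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// makeCRL signs a CRL listing the given serials with the CA key (what the CRL commands would produce).
func makeCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: entries}, caCert, caKey))
	return must(x509.ParseRevocationList(der))
}

// verify mirrors "qpki cert verify --ca [--crl]" and returns the page's exit codes: 0 valid; 1 for a bad
// chain signature, a validity period not covering "at", an unhandled critical extension, or a revoked serial.
func verify(cert, caCert *x509.Certificate, crl *x509.RevocationList, at time.Time) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return 1, err
	}
	if crl != nil { // without --crl, revocation is not checked, as on the page
		if err := crl.CheckSignatureFrom(caCert); err != nil { // only the issuer's own CRL counts
			return 1, err
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return 1, fmt.Errorf("serial %s is revoked", cert.SerialNumber)
			}
		}
	}
	return 0, nil
}

func main() {
	caCert, caKey := newCA()
	cert := must(issueFromCSR(caCert, caKey, makeCSR("server.example"), 3, []string{"server.example"}, []net.IP{net.ParseIP("10.0.0.5")}, 365))
	fmt.Printf("issued %s by %s, SANs %v %v\n", cert.Subject, cert.Issuer, cert.DNSNames, cert.IPAddresses)
	fmt.Println(verify(cert, caCert, nil, time.Now()))                                      // exit 0
	fmt.Println(verify(cert, caCert, makeCRL(caCert, caKey, cert.SerialNumber), time.Now())) // exit 1, revoked
	fmt.Println(verify(cert, caCert, nil, time.Now().AddDate(0, 0, 366)))                   // exit 1, outside validity
}
```

Two points the CLI text leaves implicit are made explicit here: the CA checks the CSR's own signature before issuing (a CSR a client cannot sign proves nothing about key possession), and a CRL is trusted for the revocation decision only after its signature checks out against the CA certificate passed with --ca.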

See Profiles for the complete list of certificate profiles. Common end-entity profiles:

Profile                     Algorithm    Validity  Description
ec/tls-server               EC P-256     1 year    TLS server certificate
ec/tls-client               EC P-256     1 year    TLS client certificate
ml/tls-server               ML-DSA-65    1 year    PQC TLS server
hybrid/catalyst/tls-server  EC + ML-DSA  1 year    Hybrid TLS server

  • CA - Certificate Authority management
  • CRL - Certificate revocation and CRL management
  • Credentials - Credential lifecycle
  • Keys & CSR - Key generation and CSR operations
  • Profiles - Certificate profile templates