CLI

Complete command reference for QPKI.

qpki [--audit-log PATH]
├── ca # Certificate Authority → CA.md
│ ├── init # Initialize CA (root or subordinate)
│ ├── info # Display CA information
│ ├── export # Export CA certificates
│ ├── list # List CAs in directory
│ ├── rotate # Rotate CA with new keys
│ ├── activate # Activate pending CA version
│ └── versions # List CA versions
├── cert # Certificate operations → CA.md
│ ├── issue # Issue certificate from CSR
│ ├── list # List issued certificates
│ ├── info # Display certificate info
│ ├── revoke # Revoke a certificate
│ └── verify # Verify certificate validity
├── credential # Credentials → CREDENTIALS.md
│ ├── enroll # Create new credential
│ ├── list # List credentials
│ ├── info # Credential details
│ ├── rotate # Rotate credential
│ ├── activate # Activate pending version
│ ├── versions # List credential versions
│ ├── revoke # Revoke credential
│ └── export # Export credential
├── key # Key management → KEYS.md
│ ├── generate # Generate key pair (alias: gen)
│ ├── pub # Extract public key
│ ├── list # List keys
│ ├── info # Key information
│ └── convert # Convert key format
├── csr # CSR operations → KEYS.md
│ ├── gen # Generate CSR
│ ├── info # Display CSR info
│ └── verify # Verify CSR signature
├── crl # CRL operations → CA.md
│ ├── gen # Generate CRL
│ ├── info # Display CRL info
│ ├── verify # Verify CRL signature
│ └── list # List CRLs
├── profile # Certificate profiles → PROFILES.md
│ ├── list # List available profiles
│ ├── info # Profile details
│ ├── vars # Show profile variables
│ ├── show # Display YAML content
│ ├── export # Export profile to file
│ ├── lint # Validate profile YAML
│ └── install # Install default profiles
├── tsa # Timestamping → TSA.md
│ ├── sign # Create timestamp token
│ ├── verify # Verify timestamp token
│ └── serve # Start TSA HTTP server
├── cms # CMS signatures → CMS.md
│ ├── sign # Create CMS signature
│ ├── verify # Verify CMS signature
│ ├── encrypt # Encrypt with CMS
│ ├── decrypt # Decrypt CMS
│ └── info # Display CMS info
├── ocsp # OCSP responder → OCSP.md
│ ├── sign # Create OCSP response
│ ├── verify # Verify OCSP response
│ ├── request # Create OCSP request
│ ├── info # Display OCSP response info
│ └── serve # Start OCSP HTTP server
├── hsm # HSM integration → HSM.md
│ ├── list # List HSM slots/tokens
│ ├── test # Test HSM connectivity
│ ├── info # Display HSM token info
│ └── mechanisms # List supported PKCS#11 mechanisms
├── ssh # SSH Certificates → SSH.md
│ ├── ca-init # Initialize SSH CA
│ ├── ca-info # Display SSH CA information
│ ├── issue # Issue SSH certificate
│ ├── inspect # Inspect SSH certificate
│ ├── list # List issued SSH certificates
│ ├── revoke # Revoke SSH certificate
│ └── krl # Generate Key Revocation List (KRL)
├── audit # Audit logging → AUDIT.md
│ ├── verify # Verify audit log integrity
│ └── tail # Show recent audit events
├── serve # REST API Server → api/SERVER.md
│ [--port PORT] # Port for all services (default: 8443)
│ [--api-port PORT] # Port for REST API
│ [--ocsp-port PORT] # Port for OCSP responder
│ [--tsa-port PORT] # Port for TSA responder
│ [--services LIST] # Services: api,ocsp,tsa,all
│ [--ca-dir DIR] # CA directory
│ [--tls-cert FILE] # TLS certificate
│ [--tls-key FILE] # TLS private key
└── inspect # Auto-detect and display file info

| Category | Command | Description | Documentation |
|---|---|---|---|
| Keys | key generate | Generate a private key | KEYS |
| | key pub | Extract public key | KEYS |
| | key list | List keys in directory | KEYS |
| | key info | Display key details | KEYS |
| | key convert | Convert key format | KEYS |
| CA | ca init | Initialize a certificate authority | CA |
| | ca info | Display CA information | CA |
| | ca export | Export CA certificates | CA |
| | ca list | List CAs in directory | CA |
| | ca rotate | Rotate CA with new keys | CA |
| | ca activate | Activate a pending version | CA |
| | ca versions | List CA versions | CA |
| CSR | csr gen | Generate a certificate signing request | KEYS |
| | csr info | Display CSR details | KEYS |
| | csr verify | Verify CSR signature | KEYS |
| Certificates | cert issue | Issue certificate from CSR | Certificates |
| | cert list | List certificates in CA | Certificates |
| | cert info | Display certificate details | Certificates |
| | cert revoke | Revoke a certificate | CRL |
| | cert verify | Verify a certificate | Certificates |
| Credentials | credential enroll | Issue key(s) + certificate(s) | Credentials |
| | credential list | List credentials | Credentials |
| | credential info | Credential details | Credentials |
| | credential rotate | Rotate a credential | Credentials |
| | credential activate | Activate pending version | Credentials |
| | credential versions | List credential versions | Credentials |
| | credential revoke | Revoke a credential | Credentials |
| | credential export | Export credential | Credentials |
| CRL | crl gen | Generate a CRL | CRL |
| | crl info | Display CRL details | CRL |
| | crl verify | Verify a CRL | CRL |
| | crl list | List CRLs in CA | CRL |
| Profiles | profile list | List available profiles | Profiles |
| | profile info | Display profile details | Profiles |
| | profile vars | List profile variables | Profiles |
| | profile show | Display profile YAML | Profiles |
| | profile export | Export a profile | Profiles |
| | profile lint | Validate profile YAML | Profiles |
| | profile install | Install default profiles | Profiles |
| Inspection | inspect | Auto-detect and display file info | inspect |
| CMS | cms sign | Create CMS signature | CMS |
| | cms verify | Verify CMS signature | CMS |
| | cms encrypt | Encrypt with CMS | CMS |
| | cms decrypt | Decrypt CMS | CMS |
| | cms info | Display CMS message details | CMS |
| TSA | tsa sign | Timestamp a file | TSA |
| | tsa verify | Verify timestamp token | TSA |
| | tsa serve | Start TSA HTTP server | TSA |
| OCSP | ocsp sign | Create OCSP response | OCSP |
| | ocsp verify | Verify OCSP response | OCSP |
| | ocsp request | Create OCSP request | OCSP |
| | ocsp info | Display OCSP response info | OCSP |
| | ocsp serve | Start OCSP HTTP server | OCSP |
| HSM | hsm list | List HSM slots/tokens | HSM |
| | hsm test | Test HSM connectivity | HSM |
| | hsm info | Display HSM token info | HSM |
| | hsm mechanisms | List supported PKCS#11 mechanisms | HSM |
| SSH | ssh ca-init | Initialize SSH CA | SSH |
| | ssh ca-info | Display SSH CA info | SSH |
| | ssh issue | Issue SSH certificate | SSH |
| | ssh inspect | Inspect SSH certificate | SSH |
| | ssh list | List SSH certificates | SSH |
| | ssh revoke | Revoke SSH certificate | SSH |
| | ssh krl | Generate KRL file | SSH |
| Audit | audit verify | Verify audit log integrity | Audit |
| | audit tail | Show recent audit events | Audit |
| Server | serve | Start REST API server | API Server |

| Flag | Environment Variable | Description |
|---|---|---|
| --audit-log PATH | PKI_AUDIT_LOG | Enable audit logging to file |

Classical:

  • ecdsa-p256, ecdsa-p384, ecdsa-p521
  • ed25519
  • rsa-2048, rsa-4096

Post-Quantum (FIPS 204/205/203):

  • ml-dsa-44, ml-dsa-65, ml-dsa-87 (signature)
  • slh-dsa-128s, slh-dsa-192s, slh-dsa-256s (signature, hash-based)
  • ml-kem-512, ml-kem-768, ml-kem-1024 (key encapsulation)

Hybrid modes:

  • Catalyst (ITU-T X.509 Section 9.8)
  • Composite (IETF draft-13)

See Post-Quantum for algorithm details.


| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Error (invalid input, operation failed, etc.) |

Auto-detect and display information about PKI files.

qpki inspect <file>

Supported file types:

| Type | Extensions | Description |
|---|---|---|
| Certificate | .crt, .pem, .cer | X.509 certificates (classical and PQC) |
| CSR | .csr | Certificate Signing Requests |
| Private Key | .key, .pem | Private keys (shows algorithm, encryption status) |
| CRL | .crl | Certificate Revocation Lists |
| Timestamp Token | .tsr | RFC 3161 timestamp tokens |
| CMS SignedData | .p7s, .p7m | CMS signatures and encrypted data |
| SSH Certificate | *-cert.pub | OpenSSH certificates |

Examples:

# Inspect a certificate (shows subject, issuer, validity, extensions)
qpki inspect server.crt
# Inspect a CSR (shows subject, signature algorithm, verification)
qpki inspect request.csr
# Inspect a private key (shows algorithm, encryption status)
qpki inspect key.pem
# Inspect a CRL (shows issuer, revoked certificates)
qpki inspect ca.crl
# Inspect a timestamp token
qpki inspect document.tsr
# Inspect CMS SignedData
qpki inspect signature.p7s

Output includes:

  • For certificates: Version, serial, subject, issuer, validity period, key usage, SANs, hybrid extension info
  • For CSRs: Subject, signature algorithm, signature verification result
  • For private keys: Algorithm, key size, encryption status
  • For CRLs: Issuer, this/next update, revoked certificate list
  • For timestamp tokens: Time, policy OID, hash algorithm, signer info
  • For CMS: Content type, signers/recipients, embedded certificates

  • CA - CA and certificate operations
  • Certificates - Certificate issuance
  • CRL - Certificate revocation
  • Keys - Key and CSR operations
  • Credentials - Credential lifecycle
  • Profiles - Certificate profiles
  • OCSP - OCSP responder
  • TSA - Timestamping
  • CMS - CMS signatures and encryption
  • Audit - Audit logging
  • SSH - SSH certificates
  • HSM - HSM integration