Quantum Nexum

ACME server.

Coming soon. Gated on the PKI refactor — the ACME endpoint can't issue against a CA that's mid-rebuild.

What it will be: an RFC 8555 ACME server issuing post-quantum certificates from the Quantum Nexum PKI. The default signing algorithm will be FIPS 204 ML-DSA-65; ML-DSA-44, ML-DSA-87 and classical algorithms (ECDSA, RSA, Ed25519) will also be offered for transition deployments.

Validation methods will be the standard set: http-01 (HTTP challenge), dns-01 (DNS TXT challenge), tls-alpn-01 (TLS-ALPN challenge, RFC 8737).

Planned endpoints

directory       /acme/directory
new-nonce       /acme/new-nonce
new-account     /acme/new-acct
new-order       /acme/new-order
revoke-cert     /acme/revoke-cert
key-change      /acme/key-change
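
A client-side check of a fetched directory object against the planned paths above. This is an added example, not Quantum Nexum or Spork code. The JSON field names are the RFC 8555 directory fields; the host acme.example.test is a placeholder because the page gives paths only, and the same-host rule is an assumed local policy.

```python
import json
from urllib.parse import urlsplit

# The page's endpoint labels, keyed by RFC 8555 section 7.1.1 field names.
PLANNED = {
    "newNonce": "/acme/new-nonce",
    "newAccount": "/acme/new-acct",
    "newOrder": "/acme/new-order",
    "revokeCert": "/acme/revoke-cert",
    "keyChange": "/acme/key-change",
}

def check_directory(directory_url, body):
    """Return a list of findings; an empty list means the directory matches."""
    findings = []
    base = urlsplit(directory_url)
    if base.scheme != "https":
        findings.append("directory URL is not https")
    if base.path != "/acme/directory":
        findings.append(f"directory path is {base.path!r}")
    try:
        doc = json.loads(body)
    except ValueError:
        return findings + ["directory body is not valid JSON"]
    if not isinstance(doc, dict):
        return findings + ["directory body is not a JSON object"]
    for field, path in PLANNED.items():
        value = doc.get(field)
        if not isinstance(value, str):
            findings.append(f"{field}: missing")
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            findings.append(f"{field}: not https")
        # Assumed local policy, not an RFC 8555 rule: keep requests signed
        # with the account key on the host the operator chose to trust.
        if url.netloc != base.netloc:
            findings.append(f"{field}: host {url.netloc!r} differs from directory")
        if url.path != path:
            findings.append(f"{field}: path {url.path!r}, expected {path!r}")
    return findings

# Constructed sample input; acme.example.test is a placeholder host.
SAMPLE_URL = "https://acme.example.test/acme/directory"
SAMPLE_BODY = json.dumps(
    {k: "https://acme.example.test" + p for k, p in PLANNED.items()})

if __name__ == "__main__":
    print(check_directory(SAMPLE_URL, SAMPLE_BODY) or "directory OK")
```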

Trust model

This will be a private CA — the Quantum Nexum root won't be in any browser's default trust store, so issued certs are useful for internal/lab/research deployments where you control which roots are trusted.

Want early access?

If you have a concrete use case that depends on this endpoint being up, email hello@quantumnexum.com. Concrete asks get prioritized.

Meanwhile

The CA software that will eventually run this endpoint — Spork — is in alpha and you can run it yourself to issue ML-DSA certs against your own private trust anchor today.