Infrastructure-focused research lab building at the intersection of enterprise PKI, post-quantum cryptography, and security engineering.
Certificate authority infrastructure, cryptographic tooling, and security engineering — focused on real-world deployment at scale. Background spans enterprise CA management and Federal PKI operations, including Federal Bridge cross-certification.
On the consumer side we're building HomePKI — a private CA for the home network, delivered as a single static Linux binary with post-quantum algorithms available today.
We're also exploring AI-driven project ideation with Project Forge, an autonomous think-tank engine that generates, scores, and scaffolds security-focused project ideas.
quantumnexum.com — the flagship of this lab.
Post-quantum cryptography is no longer theoretical — NIST finalized ML-DSA, ML-KEM, and SLH-DSA in 2024. Most organizations aren't ready. Quantum Nexum is a post-quantum PKI platform, software stack, and educational resource built to close that gap.
- PKI — coming soon, being refactored. The previous post-quantum CA hierarchy is on hold; a clean rebuild around ML-DSA-87 (root) and ML-DSA-65 (policy + issuing) is in flight. AIA, CRL, and OCSP endpoints at pki.quantumnexum.com will return once the new hierarchy lands.
- ACME — coming soon, gated on the PKI refactor. Will be an RFC 8555 endpoint at acme.quantumnexum.com issuing post-quantum certs against the QN trust anchor.
- Forge — in development. Hands-on PQ tooling: keygen, signatures, hybrid TLS, algorithm compare, OpenSSL 3.5 walkthroughs, cert inspector, migration decision tree, signature size calculator. At /forge/.
- Vault — in development. Reference library covering FIPS 203/204/205, the IETF LAMPS PQ RFCs, OpenSSL 3.5 LTS, liboqs 0.11.0+, and the CNSA 2.0 / NSM-10 timelines. At /vault/.
- Spork — pure-Rust post-quantum certificate authority. ML-DSA + SLH-DSA signing, ACME/EST/SCEP enrollment, OCSP, CRLs. Will power the QN PKI once the refactor lands; self-hostable today against your own private trust anchor. Single static binary, BSL 1.1. Public site: /spork/.
- Parcl — S/MIME certificate manager and encryption add-in for Microsoft Outlook. Native S/MIME, LDAP directory lookup, RFC 5751/7508 compliant. Repo: parcl.
spork-acme-installer — self-extracting installer for the standalone Spork ACME server.
Your own Certificate Authority for your home network. One static Linux binary (musl, x86_64 + aarch64), post-quantum ready today, no cloud, no account. Issue real TLS certificates for routers, NAS, cameras, Home Assistant, and any device on your LAN — signed by a CA that belongs to you alone.
Pure Rust code signing engine supporting Authenticode (PE/CAB/MSI), PKCS#7/CMS, RFC 3161 timestamping, and PowerShell script signing. Default algorithms: RSA (2048-4096), ECDSA (P-256/P-384/P-521), Ed25519. Post-quantum ML-DSA (44/65/87) is experimental — opt-in via --features pq-experimental, depends on the pre-1.0 ml-dsa = 0.0.4 crate; not suitable for production yet. REST API for CI/CD integration, built-in RFC 3161 TSA server, PFX/PKCS#12 import.
Modern PKI CLI for certificate inspection, key management, TLS probing, compliance validation (FIPS 140-3, NIST SP 800-57, Federal Bridge), DANE/TLSA, and declarative CA hierarchy building. Pure Rust, no OpenSSL dependency, single static musl binary. Five output formats (text / json / compact / forensic / openssl). Post-quantum ML-DSA is opt-in via --features pqc (uses Spork's vendored PQ machinery). Enrollment protocols removed in v0.9.0 — ACME / EST / SCEP are out of scope; pin v0.8.1 or wait for the separate pki-enroll tool.
Self-hosted web frontend for Claude Code CLI — access Claude Code from any browser, any device, anywhere on your network. Zero external dependencies beyond Python and a running Claude Code instance.
| Repo | What It Does | Status |
|---|---|---|
| parcl | S/MIME Certificate Manager & Encryption Add-in for Microsoft Outlook — encryption, signing, LDAP lookup, RFC 5751/7508 compliant | |
| project-forge | Autonomous IT project think-tank engine — generates, scores, synthesizes, and scaffolds project ideas into GitHub repos with CI/CD | |
| issue-reporter | Drop a feedback button on any web page. Reports become GitHub issues. No backend required. No dependencies. One file. | |
| gh-tracker | Self-hosted GitHub analytics dashboard — archives traffic, referrers, issues, and workflows before the 14-day API expiry | |
| shadowtrap | Multi-protocol network honeypot for threat intelligence and attack pattern analysis | |
We take security seriously across all projects:
- Signed commits required — all commits must have verified signatures
- 2FA enforced — all org members
- Dependency scanning — Dependabot enabled across all repositories
- Code scanning — CodeQL and custom security workflows
- Responsible disclosure — see our Security Policy
Found a vulnerability? Email root@quantumnexum.com or use GitHub's private vulnerability reporting.
We build in the open where we can. Contributions, issues, and discussions are welcome on any of our public repositories.
- Read our Contributing Guide
- Review our Code of Conduct
- Open a Discussion on any repo
Web — quantumnexum.com | Email — root@quantumnexum.com
Building in the open.