Infrastructure-focused research lab building at the intersection of enterprise PKI, post-quantum cryptography, and security engineering.
Certificate authority infrastructure, cryptographic tooling, and security engineering — focused on real-world deployment at scale. Background spans enterprise CA management and Federal PKI operations, including Federal Bridge cross-certification.
On the consumer side we're building HomePKI — a private CA for the home network, delivered as a single static Linux binary with post-quantum algorithms available today.
We're also exploring AI-driven project ideation with Project Forge, an autonomous think-tank engine that generates, scores, and scaffolds security-focused project ideas.
quantumnexum.com — the flagship of this lab.
Post-quantum cryptography is no longer theoretical — NIST finalized ML-DSA, ML-KEM, and SLH-DSA in 2024. Most organizations aren't ready. Quantum Nexum is a post-quantum PKI platform, software stack, and educational resource built to close that gap.
- PKI — coming soon, being refactored. The previous post-quantum CA hierarchy is on hold; a clean rebuild around ML-DSA-87 (root) and ML-DSA-65 (policy + issuing) is in flight. AIA, CRL, and OCSP endpoints at pki.quantumnexum.com will return once the new hierarchy lands.
- ACME — coming soon, gated on the PKI refactor. Will be an RFC 8555 endpoint at acme.quantumnexum.com issuing post-quantum certs against the QN trust anchor.
- Forge — in development. Hands-on PQ tooling: keygen, hybrid TLS, algorithm compare, OpenSSL 3.5 walkthroughs. At /forge/.
- Vault — in development. Reference library covering FIPS 203/204/205, the IETF LAMPS PQ RFCs, OpenSSL 3.5 LTS, liboqs 0.11.0+, and the CNSA 2.0 / NSM-10 timelines. At /vault/.
- Spork — pure-Rust post-quantum certificate authority. ML-DSA + SLH-DSA signing, ACME/EST/SCEP enrollment, OCSP, CRLs. Will power the QN PKI once the refactor lands; self-hostable today against your own private trust anchor. Single static binary, BSL 1.1. Public site: /spork/.
- Parcl — S/MIME certificate manager and encryption add-in for Microsoft Outlook. Native S/MIME, LDAP directory lookup, RFC 5751/7508 compliant. Repo: parcl.
- spork-acme-installer — self-extracting installer for the standalone Spork ACME server.
Reference library, hands-on tools, and explainers covering NIST FIPS 203/204/205, the NSA CNSA 2.0 timeline (NSS exclusive use by 2033) vs. NSM-10 (broader 2035 goal), the IETF LAMPS PQ RFC stack (RFCs 9881, 9882, 9909, 9814, 9935, 9936, 9763), and implementation guidance for OpenSSL 3.5 LTS and liboqs 0.11.0+. All content stamped with qn-last-verified and CI-checked for drift.
Your own Certificate Authority for your home network. One static Linux binary (musl, x86_64 + aarch64), post-quantum ready today, no cloud, no account. Issue real TLS certificates for routers, NAS, cameras, Home Assistant, and any device on your LAN — signed by a CA that belongs to you alone.
Pure Rust code signing engine supporting Authenticode (PE/CAB/MSI), PKCS#7/CMS, RFC 3161 timestamping, and PowerShell script signing. Multi-algorithm support including RSA, ECDSA, Ed25519, and ML-DSA (post-quantum). REST API for integration into CI/CD pipelines.
Modern PKI operations tool for certificate inspection, key management, TLS probing, compliance validation, and DANE. Built as an openssl replacement for operators who need to debug and manage certificate infrastructure at scale.
Self-hosted web frontend for Claude Code CLI — access Claude Code from any browser, any device, anywhere on your network. Zero external dependencies beyond Python and a running Claude Code instance.
| Repo | What It Does |
|---|---|
| parcl | S/MIME Certificate Manager & Encryption Add-in for Microsoft Outlook — encryption, signing, LDAP lookup, RFC 5751/7508 compliant |
| project-forge | Autonomous IT project think-tank engine — generates, scores, synthesizes, and scaffolds project ideas into GitHub repos with CI/CD |
| issue-reporter | Drop a feedback button on any web page. Reports become GitHub issues. No backend required. No dependencies. One file. |
| gh-tracker | Self-hosted GitHub analytics dashboard — archives traffic, referrers, issues, and workflows before the 14-day API expiry |
| shadowtrap | Multi-protocol network honeypot for threat intelligence and attack pattern analysis |
We take security seriously across all projects:
- Signed commits required — all commits must have verified signatures
- 2FA enforced — all org members
- Dependency scanning — Dependabot enabled across all repositories
- Code scanning — CodeQL and custom security workflows
- Responsible disclosure — see our Security Policy
Found a vulnerability? Email root@quantumnexum.com or use GitHub's private vulnerability reporting.
We build in the open where we can. Contributions, issues, and discussions are welcome on any of our public repositories.
- Read our Contributing Guide
- Review our Code of Conduct
- Open a Discussion on any repo
Web — quantumnexum.com | Email — root@quantumnexum.com
Building in the open.