Home of Quantum Nexum — post-quantum trust infrastructure: a certificate-authority program, a software stack, and an engineering resource built for the real world.
We build certificate-authority infrastructure, cryptographic tooling, and security software — with an emphasis on real-world deployment and the migration to post-quantum cryptography. Background spans enterprise CA management and Federal PKI operations, including Federal Bridge cross-certification.
Our flagship is Quantum Nexum. Alongside it we ship open tooling for PKI operators and developers, and we're building HomePKI — a private certificate authority for the home network (currently in private beta).
Post-quantum cryptography is no longer theoretical — NIST finalized ML-DSA, ML-KEM, and SLH-DSA (FIPS 203/204/205) in 2024. Most organizations aren't ready. Quantum Nexum is post-quantum trust infrastructure built to close that gap — redesigned and relaunched June 2026.
Platform status — what's live and what's in flight
- PKI — a 22-CA ML-DSA hierarchy (ML-DSA-87 root; ML-DSA-65 policy + issuing across seven policy branches), currently being rebuilt. The landing at pki.quantumnexum.com is live; AIA, CRL, and OCSP publication return as the new chain lands. Design: /pki/.
- ACME — an RFC 8555 directory at acme.quantumnexum.com, issuing post-quantum certs against the QN trust anchor. Landing live; the directory opens once the PKI rebuild lands. Details: /acme/.
- Forge — hands-on PQ tooling, live and growing: keygen, signatures, algorithm compare, OpenSSL 3.5 recipes. At /forge/.
- Vault — reference library, live and growing: FIPS 203/204/205, the IETF LAMPS PQ RFCs, OpenSSL 3.5 LTS, liboqs, and the CNSA 2.0 / NSM-10 timelines. At /vault/.
Platform software (alpha — early builds on request via quantumnexum.com):
- Spork — post-quantum certificate authority written in Rust. ML-DSA + SLH-DSA alongside classical ECDSA/RSA/Ed25519; ACME, EST, and SCEP enrollment; OCSP and CRLs. Single static binary (Linux x86_64), RustCrypto primitives — no OpenSSL dependency. BSL 1.1. Public site: /spork/.
- HomePKI — your own CA for the home network: one static Linux binary, post-quantum ready, no cloud, no account. Issue real TLS certificates for routers, NAS, cameras, and Home Assistant — signed by a CA that belongs to you alone. Private beta.
- tailnumber went public — a detached hash-signing service (dHSaaS) proof-of-concept with an open live demo: sign and verify in two
curlcommands - quantumnexum.com relaunched on the new dark engineering theme (June 2026)
- QN PKI hierarchy rebuild underway — AIA/CRL/OCSP publication and the ACME directory follow it
Open code you can use today. Release, CI, and license badges read straight from each repository, so they never go stale.
| Project | What it does | Status |
|---|---|---|
| tailnumber · live demo | Detached Hash-Signing as a Service (dHSaaS) — send a hash, get back a portable signed proof. ML-DSA and hybrid classical+PQ signatures, HSM-held non-extractable keys, 50-year trust chain, offline verification with nothing but OpenSSL. Public overview + open live demo; source private. | |
| PKI-Client · docs | Pure-Rust PKI CLI — inspect certificates, generate keys, probe TLS, validate FIPS 140-3 / NIST SP 800-57 / Federal Bridge compliance, and build CA hierarchies. No OpenSSL; one static musl binary. Opt-in post-quantum (ML-DSA, SLH-DSA) via --features pqc. |
|
| PKI-Signing-Service · docs | Pure-Rust code-signing engine — Authenticode (PE/CAB/MSI), PKCS#7/CMS, RFC 3161 timestamping, PowerShell SIP, detached CMS. Runs as CLI, REST API, or a standalone TSA server; batch signing and PFX import. ML-DSA opt-in via --features pq-experimental. |
|
| parcl | S/MIME encryption, signing, and certificate management add-in for Microsoft Outlook — LDAP directory lookup, AES-256, RFC 5751/7508 compliant. |
| Project | What it does | Status |
|---|---|---|
| shadowtrap | Multi-protocol network honeypot — 21 emulated services (SSH, HTTP, MySQL, Redis, RDP, SMB, and more), honeytokens that fire on access, full payload capture with GeoIP and threat scoring, and a real-time HTTPS dashboard. |
| Project | What it does | Status |
|---|---|---|
| qn-claude-web | Self-hosted web UI for the Claude Code CLI — full xterm.js terminal, persistent tmux sessions, chat, and multi-agent orchestration from any browser or device on your network. Pure Python, no build step. | |
| issue-reporter | Drop a feedback button on any web page — reports become GitHub issues. One file, zero dependencies, no backend. Auto-captures console errors, recent API calls, and DOM context; strict CSP and SRI supply-chain pinning. | |
| project-forge | Autonomous idea-generation engine — scores every idea on feasibility, fundability, and ambition across 19 categories, then human-gates one-click promotion to GitHub issues. FastAPI + SQLite; ~$2–3/mo on Haiku 4.5 (or free via the Claude Code CLI). | |
| gh-tracker | Self-hosted GitHub analytics dashboard — archives traffic, referrers, people, issues, and self-hosted runner state to SQLite before GitHub's 14-day API wipe. FastAPI backend, React dashboard. |
Licensing varies by project — each badge above reflects that repository's own
LICENSE. Most tooling is Apache-2.0; shadowtrap is MIT; tailnumber is proprietary with the demo open for evaluation. A couple of early-stage repos aren't licensed for reuse yet (the badge will say so).
We take security seriously across all repositories:
- Signed commits required — every commit must carry a verified signature
- 2FA enforced — for all organization members
- Dependency scanning — Dependabot enabled across repositories
- Code scanning — CodeQL and custom security workflows
- Responsible disclosure — see our Security Policy
Found a vulnerability? Email root@quantumnexum.com or use GitHub's private vulnerability reporting.
We build in the open where we can. Contributions and issues are welcome on any of our public repositories.
- Read our Contributing Guide
- Review our Code of Conduct
- Spot something? Open an issue on the relevant repository above
Web — quantumnexum.com | Email — root@quantumnexum.com