Trinity Authority

The offline-first, high-security Certificate Authority. A single Go binary for air-gapped PKI operations.

Overview

Trinity Authority is a purpose-built CLI for managing the entire certificate lifecycle from an air-gapped environment. It handles key generation, CSR signing, certificate revocation, and CRL management through a zero-dependency binary.

Commands

`trinity init`

Initialize a new Root CA with Ed25519 signing keys and Kyber-1024 transport keys.

trinity init --name "My Root CA" --org "My Organization" --out safe/

Flag	Default	Description
`--name`	(required)	Common Name for the Root CA certificate
`--org`	`""`	Organization name
`--out`	`safe/`	Output directory for generated keys

Generated files:

root.key — Ed25519 private key (AES-256 encrypted, chmod 0400)
root.crt — Self-signed Root CA certificate (10-year validity)
transport.pub — Kyber-1024 public key (PEM)
transport.key — Kyber-1024 private key (AES-256 encrypted)

`trinity sign`

Sign a Certificate Signing Request. Supports interactive TUI mode, headless piped mode, and encrypted Blind Drop mode.

# Interactive (launches TUI)
trinity sign

# Headless
cat request.csr | trinity sign > cert.crt

# Blind Drop (encrypted)
cat drop.enc | trinity sign --transport-key safe/transport.key > response.enc

Flag	Default	Description
`--transport-key`	`safe/transport.key`	Path to Kyber transport private key (for Blind Drops)

`trinity verify`

Verify a certificate against the Root CA and CRL.

trinity verify --cert user.crt

`trinity revoke`

Revoke a certificate by serial number and update the CRL.

trinity revoke --serial 123456789

`trinity inspect`

Display human-readable details of a certificate or CRL.

trinity inspect --cert safe/root.crt
trinity inspect --crl safe/crl.pem

`trinity export`

Generate a static public website containing the Root CA certificate, transport key, and CRL for distribution.

trinity export --out ../public

Safety: The export command includes a built-in security check that aborts if any exported file contains a private key.

`trinity serve`

Start a local OCSP responder (reads CRL only, does not require private keys).

trinity serve

`trinity dev`

Local development server that auto-signs pending requests. Useful for testing the full workflow without manual signing.

trinity dev

Security Model

Ed25519 — Modern, fast, compact signing algorithm for the Root CA.
Kyber-1024 — Post-quantum key encapsulation for Blind Drop transport.
AES-256 encrypted keys — All private keys are passphrase-protected at rest.
Strict file permissions — Refuses to load keys unless file mode is 0400 or 0600.
SubjectKeyId — Certificates include cryptographic key identifiers for chain validation.

Project Structure

Path	Description
`cmd/trinity/`	CLI entry point and command definitions (Cobra)
`pkg/ca/`	Core CA operations: signing, verification, CRL
`internal/tui/`	Interactive terminal UI for manual signing
`internal/drop/`	Blind Drop encryption/decryption logic