ShrouDB Engine
Forge
Run an internal CA without running a PKI team.
Forge issues, renews, and revokes short-lived X.509 certificates with a handful of commands. The internal CA you needed yesterday — without a six-month PKI project.
ISSUE_CERTRENEWREVOKE_CERTCA_INFO
Features
- Lightweight internal CA for short-lived certificates
- Issue, renew, and revoke X.509 certs
- Supports ECDSA-P256, Ed25519, RSA-2048, RSA-4096
- CA rotation with overlap windows
- CRL and OCSP-style inspection
- HTTP sidecar for ACME-style issuance
Quickstart (standalone)
forge.toml
bind = ":7005"
[ca.internal]
common_name = "Acme Internal CA"
organization = "Acme Corp"
key_algorithm = "ecdsa-p256"
validity_days = 3650
max_cert_ttl = "720h"terminal
$ shroudb-forge --config forge.tomlCommand reference
| Command | Args | Description |
|---|---|---|
| CA_CREATE | <id> | Create a new CA |
| CA_INFO | <id> | Inspect a CA |
| CA_LIST | List all CAs | |
| CA_ROTATE | <id> | Rotate the CA key |
| ISSUE_CERT | <ca> <csr> | Issue a certificate |
| RENEW | <cert_id> | Renew a certificate |
| REVOKE_CERT | <cert_id> | Revoke a certificate |
| INSPECT | <cert_id> | Inspect certificate details |
Bundle into Moat
Drop Forge into a unified Moat process and it inherits the shared auth layer, storage, and telemetry — no extra wiring.
moat.toml
[engines.forge]
enabled = true
[engines.forge.ca.internal]
common_name = "Acme Internal CA"
key_algorithm = "ecdsa-p256"Run Forge in production today
Free on ShrouDB Cloud up to 10k ops/month — no card required.