Trinity is a sovereign PKI designed for teams that demand absolute control over their Root of Trust. Air-gapped signing, quantum-safe encryption, zero dependencies on public CAs.
Built for developers and security teams who refuse to trust the black-box CAs of the internet.
Root keys never touch the internet. The Authority CLI runs entirely offline: sign certificates from an air-gapped machine, a USB stick, or a Raspberry Pi in a vault.
The "Blind Drop" protocol uses Kyber-1024 (ML-KEM) for key exchange, ensuring your certificate requests survive the quantum computing era.
Trinity Passport is a native desktop app (Windows, macOS, Linux) that manages your private keys locally. Keys never leave your device.
Trinity Spirit is a Cloudflare Worker that relays encrypted requests at the edge. Zero-trust by design: the gateway cannot read your data.
Ed25519 for signing, XChaCha20-Poly1305 for vault encryption, AES-256-GCM for transport, Blake2b for key derivation. No legacy baggage.
Free for individual developers and small teams. Enterprise tier available for organizations needing audit logs, SSO integration, and SLA support.
Each component is independently deployable, with clear separation of concerns.
The offline Root CA. Generates keys, signs certificates, manages CRLs. Designed for air-gapped environments.
Desktop identity vault. Manages private keys, generates CSRs, and handles the certificate lifecycle.
Edge gateway on Cloudflare. Relays encrypted CSRs and certificates via D1 database.
Universal server for on-premise deployments. SQLite + Litestream. Runs anywhere Linux runs.
Our security model assumes the transport layer is compromised. Every phase adds a layer of protection.
Client encrypts a CSR with the Authority's Kyber-1024 public key and drops it into the server's mailbox. The server acts as a blind courier: it cannot read the payload.
Once the client has a signed certificate, it opens a private mTLS tunnel inside the standard HTTPS connection. The connection trusts only the Trinity Root CA, not public CAs.
The Authority manually pulls encrypted drops, decrypts and signs them offline, and pushes the sealed response back. Root keys never touch the internet.
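The three phases above, as an added end-to-end example written for this page rather than taken from Trinity's own code. It uses only the Go standard library, so two stand-ins are assumed: X25519 (crypto/ecdh) plays the role of the Kyber-1024/ML-KEM encapsulation, and a SHA-256 derivation plays the role of Blake2b; AES-256-GCM is the page's own transport cipher. All names here (SealDrop, OpenDrop, SignCSR, BlindDropFlow, the "blind-drop-demo-v1" label, "Demo Root CA", "alice.example") are constructed for the example. The client seals a DER CSR to the Authority's transport public key, the relay holds only the opaque Drop, and the offline Authority opens it, checks the CSR's proof-of-possession signature, and issues an Ed25519-signed leaf chained to its root.

```go
package main
// Added example, not Trinity's own code: the Blind Drop flow on the Go standard
// library. Assumed stand-ins: X25519 for Kyber-1024/ML-KEM, SHA-256 for Blake2b.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Drop is all the relay ever stores; none of it is readable without the
// Authority's transport private key.
type Drop struct{ Encap, Nonce, Body []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newEd25519() ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize)
	must(rand.Read(seed))
	return ed25519.NewKeyFromSeed(seed)
}

// NewTransportKey makes the Authority's KEM key pair (X25519 stand-in).
func NewTransportKey() *ecdh.PrivateKey { return must(ecdh.X25519().GenerateKey(rand.Reader)) }

// aeadFor derives a 256-bit AES-GCM key from the KEM shared secret (assumed KDF).
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(append([]byte("blind-drop-demo-v1"), shared...))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// SealDrop (client side): encapsulate to the Authority's public key and seal
// the DER CSR, binding the encapsulation in as associated data.
func SealDrop(authorityPub *ecdh.PublicKey, csrDER []byte) *Drop {
	eph := NewTransportKey() // fresh ephemeral key per drop
	gcm := aeadFor(must(eph.ECDH(authorityPub)))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	encap := eph.PublicKey().Bytes()
	return &Drop{Encap: encap, Nonce: nonce, Body: gcm.Seal(nil, nonce, csrDER, encap)}
}

// OpenDrop (offline Authority): decapsulate and recover the CSR; a tampered drop fails the tag check.
func OpenDrop(authorityPriv *ecdh.PrivateKey, d *Drop) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(d.Encap)
	if err != nil {
		return nil, err
	}
	return aeadFor(must(authorityPriv.ECDH(ephPub))).Open(nil, d.Nonce, d.Body, d.Encap)
}

// NewRootCA makes a self-signed Ed25519 root; the key never leaves this process.
func NewRootCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	priv := newEd25519()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv))
	return must(x509.ParseCertificate(der)), priv
}

// SignCSR (offline Authority): refuse any CSR whose proof-of-possession
// signature fails, then issue a 90-day leaf chained to the root.
func SignCSR(root *x509.Certificate, rootKey ed25519.PrivateKey, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{Subject: csr.Subject, DNSNames: csr.DNSNames,
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
}

// BlindDropFlow runs client -> relay -> Authority end to end: returns leaf, root, and the relay's view.
func BlindDropFlow(dnsName string) (*x509.Certificate, *x509.Certificate, *Drop) {
	root, rootKey := NewRootCA("Demo Root CA")
	transport := NewTransportKey()
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsName}, DNSNames: []string{dnsName}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, req, newEd25519())) // client key stays local
	drop := SealDrop(transport.PublicKey(), csrDER) // this blob is all the relay holds
	leafDER := must(SignCSR(root, rootKey, must(OpenDrop(transport, drop)))) // offline Authority
	return must(x509.ParseCertificate(leafDER)), root, drop
}
```

Two design points carry over to any real deployment of this pattern: the encapsulation is fed to the AEAD as associated data, so a relay that swaps it for its own cannot keep the tag valid, and the Authority checks the CSR's self-signature before issuing, so a request carrying a public key its sender does not hold is refused rather than signed.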
Initialize your Root CA and sign your first certificate with three commands.
# Build the Authority CLI
$ make build

# Initialize Root CA (passphrase-protected Ed25519 + Kyber-1024)
$ ./trinity init --name "My Root CA" --org "My Org"

# Sign a CSR interactively
$ ./trinity sign

# Or sign an encrypted Blind Drop
$ cat drop.enc | ./trinity sign --transport-key safe/transport.key
Trinity is open source. Start building your sovereign PKI today.