← Week 3: TLS Integration and CLI

Day 21: Final Challenge — Demo + Phase 2 Reflection

Phase 2 · July 7, 2026 · Phase 2 Complete

Agenda (2–3 hours)

  • Polish (60 min): Fix rough edges, improve error messages, clean up CLI output
  • Demo (45 min): Run the full workflow end-to-end from a clean state
  • Reflect (45 min): Write the Phase 2 reflection document

Phase 2 State Check

Before the demo, verify every module is complete:

  • [ ] ca.rs: new_root, new_intermediate, save, load
  • [ ] issue.rs: issue_server_cert, issue_client_cert
  • [ ] validate.rs: validate_chain with all 6 RFC 5280 §6 checks + revocation policy
  • [ ] revoke.rs: CrlStore, generate_crl, parse_ocsp_request, build_ocsp_response, Axum handler
  • [ ] store.rs: CertStore, CertRecord, atomic save/load, serial generation
  • [ ] tls.rs: server_config, client_config
  • [ ] main.rs: all 7 CLI subcommands working

The Demo Script

Run this from a clean directory with no prior state:

cd /tmp && rm -rf pki-demo && mkdir pki-demo && cd pki-demo

pki init
pki issue server localhost --alt 127.0.0.1
pki issue client device-001
pki issue client device-002

pki list

pki serve-ocsp &
OCSP_PID=$!

pki echo-server --port 4433 &
SERVER_PID=$!
sleep 1   # give both background listeners a moment to bind before the first client connects

pki echo-client --host localhost --port 4433 --identity device-001 --msg "hello"
pki echo-client --host localhost --port 4433 --identity device-002 --msg "hello"
# ^ both should succeed: valid chain, nothing revoked yet

# assumes `pki list` prints the serial in the first column
pki revoke $(pki list | grep device-002 | awk '{print $1}') --reason keyCompromise
pki echo-client --host localhost --port 4433 --identity device-002 --msg "hello"
# ^ should be rejected; if it is still accepted, the server is validating against a
#   stale revocation view (CRL or OCSP state cached from before the revoke)

pki list
kill $OCSP_PID $SERVER_PID
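The same issue, accept, revoke, reject sequence can be reproduced with nothing but the openssl CLI. The script below is an added example, not toy-pki's code; it is useful as an independent reference when cross-checking the PEM files and CRL that toy-pki writes (the "verifiable by openssl" claim), and it goes one step beyond the demo above by driving `openssl ca` for the revocation and CRL regeneration. It assumes openssl 1.1.1 or newer on PATH; the subject names (demo root, demo intermediate, device-002) and the `pki.cnf` config are constructed for this example.

```shell
#!/bin/sh
# Added example (not toy-pki's own code): root -> intermediate -> device-002, then
# verify, revoke via `openssl ca`, regenerate the CRL and verify again.
# Assumes openssl 1.1.1+ on PATH. All names and the config below are constructed.
set -eu

# One config file serves `openssl req`, `openssl x509 -extfile` and `openssl ca`.
write_config() {
    cat > pki.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = intermediate
[ intermediate ]
dir              = .
database         = $dir/index.txt
certificate      = $dir/intermediate.pem
private_key      = $dir/intermediate.key
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 1
EOF
}

# P-256 key plus CSR for file stem $1 with CN $2 (the -subj overrides the placeholder DN).
new_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -key "$1.key" -config pki.cnf -subj "/CN=$2" -out "$1.csr"
}

# Build the hierarchy and an initial, empty CRL signed by the intermediate.
build_pki() {
    write_config
    openssl ecparam -name prime256v1 -genkey -noout -out root.key
    openssl req -x509 -new -key root.key -config pki.cnf -subj "/CN=demo root" -days 2 -out root.pem

    new_csr intermediate "demo intermediate"
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile pki.cnf -extensions v3_ca -out intermediate.pem

    new_csr device-002 device-002
    openssl x509 -req -in device-002.csr -CA intermediate.pem -CAkey intermediate.key \
        -CAcreateserial -days 1 -extfile pki.cnf -extensions v3_leaf -out device-002.pem

    # `openssl ca` refuses to run until its database and CRL-number files exist.
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config pki.cnf -gencrl -out intermediate.crl
}

# What the echo-server should do on connect: chain to the trusted root through the
# untrusted intermediate, then check the leaf against its issuer's CRL.
verify_leaf() {
    if openssl verify -CAfile root.pem -untrusted intermediate.pem \
           -crl_check -CRLfile intermediate.crl "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Equivalent of `pki revoke <serial> --reason keyCompromise` plus a fresh CRL.
revoke_leaf() {
    openssl ca -config pki.cnf -revoke "$1" -crl_reason keyCompromise
    openssl ca -config pki.cnf -gencrl -out intermediate.crl
}

# How many revoked entries openssl reads back from the CRL (0 prints "0", grep exits 1).
crl_entries() {
    openssl crl -in intermediate.crl -noout -text | grep -c '^ *Serial Number:' || true
}

# Run everything in a scratch directory (subshell body, so the cd never leaks out).
run_demo() (
    work=$(mktemp -d)
    cd "$work"
    build_pki >/dev/null
    before=$(verify_leaf device-002.pem)
    revoke_leaf device-002.pem >/dev/null
    after=$(verify_leaf device-002.pem)
    entries=$(crl_entries)
    cd / && rm -rf "$work"
    echo "before=$before after=$after crl_entries=$entries"
)

run_demo
```

`-crl_check` (as opposed to `-crl_check_all`) only consults the CRL of the leaf's issuer, which is why the intermediate's CRL is the one passed with `-CRLfile`; that is the same CRL the toy-pki validator must see freshly regenerated for the demo's last echo-client call to be rejected.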

What toy-pki Demonstrates

When you return to Amazon Leo in October, this project shows:

  1. X.509 certificate issuance — you built a CA hierarchy from scratch
  2. Chain validation — you implemented RFC 5280 §6 checks
  3. CRL generation — signed CRL with rcgen, verifiable by openssl
  4. OCSP responder — live HTTP endpoint, tested end-to-end
  5. mTLS — client identity extraction from cert subject
  6. Rust async — tokio, Axum, tokio-rustls all wired together

This is a concrete answer to "what did you do on leave?"

Phase 2 Reflection

Write a 1–2 page document covering:

  1. What took longer than expected? Where did you lose time, and why?
  2. What surprised you about the Rust crate ecosystem? Any crates that were better or worse than expected?
  3. What would you do differently in a production PKI service? Specifically:
    • What's missing from toy-pki that a real service needs?
    • How would you handle key management differently with an HSM? (preview of Phase 5)
  4. How does what you built change your mental model of your team's provisioning service? What questions do you now want to ask your colleagues?

This feeds directly into your Phase 7 write-up.

Looking Ahead: Phase 3 (Jul 8 – Aug 4)

Next phase: Post-Quantum Cryptography

You now have the classical PKI foundation. Phase 3 will cover:

  • Why RSA and ECDH break under Shor's algorithm
  • ML-KEM, ML-DSA, SLH-DSA — the NIST PQC standards (FIPS 203, 204 and 205)
  • Hybrid key exchange: X25519 + ML-KEM-768 in TLS (the X25519MLKEM768 group)
  • The migration challenge for a provisioning service like yours
  • Hands-on with aws-lc-rs PQC APIs

Resources

  • Your entire Phase 1 + Phase 2 notes and code
  • toy-pki README — update it to accurately describe what the tool does
  • Phase 3 schedule (already planned in learning_plan.md)