CKG is a linkable library of routines that can be used to instrument CertAgent or a third-party X.509 certificate authority. It supports the automation of PKI enrollment (keypair generation/PKCS#10 submission/certificate retrieval) via CMP, as well as credential archival activities (with or without private key escrow). Included are methods for generating RSA keypairs and creating/parsing PKCS#10 certificate requests, PKCS#7/#8/#12 PDUs, certificates, and certificate chains. It can generate and submit enrollment, certificate revocation, and credential recovery requests to a CMP server (e.g., CCMS) via TCP, HTTP, or HTTPS. Critical cryptographic operations may be performed in software (using ISC's FIPS 140-2 validated CDK) or on an auxiliary HSM (via PKCS#11).