LinuxCommandLibrary

cfssl

Issue, sign, and bundle TLS certificates

TLDR

Show certificate information of a host

$ cfssl certinfo -domain [www.google.com]

Decode certificate information from a file

$ cfssl certinfo -cert [path/to/certificate.pem]

Scan host(s) for SSL/TLS issues

$ cfssl scan [host1 host2 ...]

Display help for a subcommand

$ cfssl [genkey|gencsr|certinfo|sign|gencrl|ocspdump|ocsprefresh|ocspsign|ocspserve|scan|bundle|crl|print-defaults|revoke|gencert|serve|version|selfsign|info] -h

SYNOPSIS

cfssl [flags]

PARAMETERS

-ca
    Path to the CA certificate.

-ca-key
    Path to the CA key.

-config
    Path to the configuration file.

-domain
    Domain name for the certificate. Often required by the `gencert` command.

-hostname
    Comma-separated list of hostnames; often a synonym for `-domain`, but the exact meaning is command-specific.

-profile
    Certificate profile to use.

-csr
    Path to the Certificate Signing Request (CSR) file.

-initca
    Initialize a new CA.

-gencert
    Generate a certificate.

-bundle
    Bundle certificate chains into a single file.

-cert
    Path to the certificate to be bundled.

-int-root
    Path to intermediate root certificate for bundle.

-flavour
    Specifies the type of bundle (default, optimized, forced).

DESCRIPTION

CFSSL (CloudFlare's SSL) is a toolkit for everything TLS. It's both a command line tool and an HTTP-based API server for signing, verifying, and bundling TLS certificates. It's designed with automation in mind and supports various backends for certificate storage and key management. CFSSL simplifies the process of creating and managing certificates, particularly in large-scale environments. It allows for building custom Certificate Authorities (CAs) tailored to specific needs and supports various certificate extensions and profiles. CFSSL is widely used in Kubernetes and other cloud-native environments for managing TLS certificates. Its modular design enables easy integration with existing infrastructure and tools. It provides tools for generating Certificate Signing Requests (CSRs), signing CSRs with a CA, verifying certificates, and bundling certificates into chains. It can be used for generating self-signed certificates, root CAs, and intermediate CAs. Overall CFSSL is a great tool when you need to manage and create certificates for internal or external clients.

CAVEATS

CFSSL relies on configuration files for specifying certificate profiles and CA settings. It's important to carefully configure these files to ensure the generated certificates meet the desired requirements. Incorrectly configured profiles can lead to insecure certificates. Securing the CA key is crucial to prevent unauthorized certificate issuance. Always protect the CA key with strong access controls and consider using hardware security modules (HSMs) for key storage.

COMMANDS

CFSSL includes several subcommands for different tasks. cfssl gencert generates a certificate, cfssl sign signs a CSR, cfssl bundle creates a certificate bundle, cfssl gencsr generates a CSR from a configuration file and cfssl serve runs the CFSSL HTTP API server.
Use cfssl -help for specific help on each command.

CONFIGURATION FILES

CFSSL uses JSON configuration files to define CA settings, certificate profiles, and other parameters. These files allow for fine-grained control over certificate generation and signing. Configuration can control the key algorithm, expiry and subject. Consult the CFSSL documentation for detailed information on the configuration file format.
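The CONFIGURATION FILES section above and the CAVEATS section both turn on the same point: the JSON signing config decides what a profile can issue, so a sloppy profile quietly produces weak certificates. The following added example (written for this page, not code from the cfssl project) writes a signing config and two CSR specs in the JSON layout cfssl reads, then lints the profiles for the mistakes a reviewer would look for before handing the files to `cfssl gencert -config`. The organisation names, hosts, the `legacy` profile and the 13-month leaf-lifetime ceiling are constructed assumptions, not values taken from this page.

```python
"""Generate and sanity-check CFSSL JSON configuration files.

Added example, not part of the cfssl project. Writes a signing config
(read via -config) and CSR specs in the JSON layout cfssl consumes, then
lints the profiles for settings that would yield weak certificates.
Names, hosts and the lifetime ceiling are constructed assumptions.
"""
import json
import re
from pathlib import Path

# Usages that let a certificate issue or revoke others; only CA profiles should carry them.
CA_ONLY_USAGES = {"cert sign", "crl sign"}
# Ceiling for end-entity lifetime applied by the linter (assumption; pick your own policy).
MAX_LEAF_HOURS = 13 * 30 * 24
_EXPIRY = re.compile(r"^(\d+)h$")


def build_signing_config():
    """Signing config consumed by `cfssl gencert -config` and `cfssl sign -config`."""
    return {
        "signing": {
            "default": {"expiry": "8760h"},
            "profiles": {
                "server": {"usages": ["signing", "key encipherment", "server auth"],
                           "expiry": "8760h"},
                "client": {"usages": ["signing", "key encipherment", "client auth"],
                           "expiry": "8760h"},
                # Deliberately sloppy constructed profile so the linter has something to report.
                "legacy": {"usages": ["signing", "key encipherment", "server auth",
                                      "client auth", "cert sign"],
                           "expiry": "87600h"},
            },
        }
    }


def build_csr_spec(cn, hosts, algo="ecdsa", size=256):
    """CSR spec consumed by `cfssl gencert -initca`, `cfssl gencert` and `cfssl genkey`."""
    return {
        "CN": cn,
        "key": {"algo": algo, "size": size},
        "names": [{"C": "US", "O": "Example Corp", "OU": "Platform"}],  # constructed subject
        "hosts": list(hosts),
    }


def expiry_hours(value):
    """cfssl expiry values are Go durations; this accepts the plain 'NNNNh' form only."""
    m = _EXPIRY.match(value)
    if not m:
        raise ValueError(f"unsupported expiry format: {value!r}")
    return int(m.group(1))


def lint_profiles(config):
    """Return (profile, message) findings for profile settings that weaken issued certs."""
    findings = []
    signing = config["signing"]
    for name, prof in signing["profiles"].items():
        usages = set(prof.get("usages", []))
        end_entity = bool(usages & {"server auth", "client auth"})
        if end_entity and usages & CA_ONLY_USAGES:
            findings.append((name, "mixes cert sign/crl sign with server/client auth"))
        if "server auth" in usages and "client auth" in usages:
            findings.append((name, "grants both server auth and client auth"))
        hours = expiry_hours(prof.get("expiry", signing["default"]["expiry"]))
        if end_entity and hours > MAX_LEAF_HOURS:
            findings.append((name, f"expiry {hours}h exceeds {MAX_LEAF_HOURS}h leaf ceiling"))
    return findings


def lint_csr(spec):
    """Return findings for a CSR spec: missing SANs or an undersized RSA key."""
    findings = []
    if not spec.get("hosts"):
        findings.append("no hosts: certificate would carry no Subject Alternative Names")
    key = spec.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        findings.append(f"rsa key size {key.get('size')} is below 2048")
    return findings


def write_files(directory):
    """Write ca-config.json, ca-csr.json and server-csr.json; return the written paths."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    files = {
        "ca-config.json": build_signing_config(),
        "ca-csr.json": build_csr_spec("Example Internal Root CA", []),  # a CA needs no SANs
        "server-csr.json": build_csr_spec("api.example.internal",
                                          ["api.example.internal", "10.0.0.10"]),
    }
    written = []
    for fname, payload in files.items():
        path = directory / fname
        path.write_text(json.dumps(payload, indent=2) + "\n")
        written.append(path)
    return written


if __name__ == "__main__":
    for path in write_files("cfssl-demo"):
        print("wrote", path)
    for profile, msg in lint_profiles(build_signing_config()):
        print(f"profile {profile!r}: {msg}")
    # With the files in place, the CA and a server certificate would be produced by
    # (cfssljson is the companion tool that splits cfssl's JSON output into PEM files):
    #   cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    #   cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json \
    #       -profile server server-csr.json | cfssljson -bare server
    #   cfssl certinfo -cert server.pem
```

Running the script reports only the `legacy` profile: it combines `cert sign` with end-entity usages (a leaf issued from it could sign further certificates), grants both `server auth` and `client auth`, and has a ten-year expiry. The `server` and `client` profiles pass. The CSR linter is a second guard: a server CSR with an empty `hosts` list produces a certificate without Subject Alternative Names, which modern clients reject.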

HISTORY

CFSSL was developed by Cloudflare to address their internal certificate management needs. It was open-sourced to provide a robust and scalable solution for managing TLS certificates. It is widely adopted by several cloud platforms, with significant use in Kubernetes and other distributed systems to simplify TLS certificate management.

SEE ALSO

openssl(1)
