cfssl
Issue, sign, and bundle TLS certificates
TLDR
Show certificate information of a host:
cfssl certinfo -domain example.com
Decode certificate information from a file:
cfssl certinfo -cert path/to/cert.pem
Scan host(s) for SSL/TLS issues:
cfssl scan example.com
Display help for a subcommand:
cfssl gencert -h
SYNOPSIS
cfssl [global options] command [command options] [arguments...]
Examples:
cfssl gencert -initca config.json | cfssljson -bare ca
cfssl sign -ca ca.pem -ca-key ca-key.pem server.csr | cfssljson -bare server
PARAMETERS
-h, -help
Displays the help message for the command or subcommand, listing its options and usage. cfssl uses Go-style single-dash long options (for example -ca-key, -initca); because Go's flag parser treats one and two leading dashes identically, --ca-key is accepted as well.
version
Prints the cfssl version information. Version output comes from the version subcommand (cfssl version) rather than from a global flag.
DESCRIPTION
cfssl is a command-line tool and Go library developed by Cloudflare for managing Public Key Infrastructure (PKI) and TLS certificates. It covers the common certificate operations: generating private keys, creating Certificate Signing Requests (CSRs), issuing and signing certificates, and bundling a leaf certificate with its intermediate and root CAs. It can also generate Certificate Revocation Lists (CRLs), run as a local or remote Certificate Authority (CA) behind an HTTP API (cfssl serve), and print certificate details (cfssl certinfo). Most subcommands emit their results as a single JSON document on standard output; the companion tool cfssljson splits that JSON into PEM files (cfssljson -bare name writes name.pem, name-key.pem and name.csr), which is why the examples above pipe into it. Designed for automation, cfssl offers a more streamlined approach to PKI than openssl for large-scale deployments and automated certificate lifecycle management.
CAVEATS
Managing private keys and certificate authority configurations with cfssl requires care. gencert -initca emits the new CA private key unencrypted in its JSON output, and cfssljson writes it to disk as ca-key.pem; restrict its permissions, keep the key off hosts that do not need to sign, and back it up deliberately. The signing profile chosen with -profile determines the issued certificate's validity period and key usages (including the Extended Key Usage values server auth and client auth), so an over-broad default profile hands out more capability than intended. When cfssl serve is used as a remote CA, the signing endpoint accepts requests from anyone who can reach it unless the configuration defines auth_keys and the profiles reference an auth_key; do not expose an unauthenticated signer on a shared network. Misconfiguration of any of these can lead to weak or invalid certificates. Many operations depend on specific JSON configuration files whose structure must be understood, and the subcommand-based architecture with its many per-command options can be complex for beginners.
SUBCOMMAND STRUCTURE
cfssl operates through a subcommand-based interface. Each major function (generating certificates, signing requests, bundling, serving as a CA) is a separate subcommand (gencert, sign, bundle, serve), and most of cfssl's functionality, including nearly all of its flags, lives in these subcommands rather than in global options. Consult the help for the individual subcommand (for example cfssl gencert -h) to see its options and arguments. Flags are Go-style, written with a single dash and placed before positional arguments (cfssl sign -ca ca.pem -ca-key ca-key.pem server.csr).
JSON CONFIGURATION FILES
Many operations and policy definitions within cfssl are specified in JSON files, and two kinds are commonly needed. A certificate request file describes the subject and key for gencert: CN, hosts (the subject alternative names), key (algo and size) and names (O, OU, C and so on), plus an optional ca block with an expiry when initializing a CA. A configuration file passed with -config defines the signing policy: a signing.default block and named signing.profiles, each with an expiry and a list of usages that map to key usage and extended key usage extensions, and optionally an auth_key for authenticated remote signing. This allows highly customizable and automatable workflows, but the expected schema for each file must be followed to get the intended certificate properties, extensions and validity periods.
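As an added worked example (not code from the cfssl project or from this page's own examples), the following POSIX shell script writes the three JSON files a minimal two-tier setup needs, then, if cfssl and cfssljson are on PATH, initializes a CA, issues a server certificate under the server profile, locks down the key files, and checks the result with openssl. The CA name, organisation, hostnames (api.example.internal, 10.0.0.10), expiry values and file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: a minimal cfssl CA plus one server leaf.
# Subject names, hosts and expiries below are illustrative assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the certificate request and signing policy files cfssl expects.
write_pki_config() {
  dir="$1"
  mkdir -p "$dir"
  # Request for the CA itself: "ca.expiry" applies only with -initca.
  cat > "$dir/ca-csr.json" <<'EOF'
{
  "CN": "Example Internal CA",
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "O": "Example Corp", "OU": "Infrastructure" } ],
  "ca": { "expiry": "43800h" }
}
EOF
  # Signing policy: profiles decide expiry and (extended) key usages.
  # The default profile deliberately carries no server/client auth EKU.
  cat > "$dir/ca-config.json" <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h", "usages": ["signing", "key encipherment"] },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "server auth"]
      },
      "client": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "client auth"]
      }
    }
  }
}
EOF
  # Request for the leaf: "hosts" become the subject alternative names.
  cat > "$dir/server-csr.json" <<'EOF'
{
  "CN": "api.example.internal",
  "hosts": ["api.example.internal", "10.0.0.10"],
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "O": "Example Corp" } ]
}
EOF
}

# Create the CA, issue the leaf under the "server" profile, and verify.
# Returns non-zero if any step fails (set -e propagates into the subshell).
issue_and_verify() {
  dir="$1"
  ( cd "$dir"
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json \
      -profile server server-csr.json | cfssljson -bare server
    # cfssljson writes private keys unencrypted; restrict them at once.
    chmod 600 ca-key.pem server-key.pem
    openssl verify -CAfile ca.pem server.pem
    # Confirm the profile's EKU actually landed in the certificate.
    openssl x509 -in server.pem -noout -text \
      | grep -q 'TLS Web Server Authentication'
  )
}

write_pki_config "$WORKDIR"
if command -v cfssl >/dev/null 2>&1 && command -v cfssljson >/dev/null 2>&1; then
  issue_and_verify "$WORKDIR" && echo "issued and verified in $WORKDIR"
else
  echo "cfssl/cfssljson not on PATH; config written to $WORKDIR" >&2
fi
```

Running the script with cfssl installed leaves ca.pem, ca-key.pem, server.pem and server-key.pem in the work directory; swapping -profile server for -profile client issues a certificate with the client auth EKU instead, and omitting -profile falls back to the default block, which here grants neither.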
HISTORY
cfssl was developed by Cloudflare as a modern toolkit for managing TLS certificates and PKI, addressing the difficulty of driving traditional tools like openssl in large-scale, automated environments. Written in Go and released as open source, its development focused on API-driven certificate services and automation, promoting simpler and more consistent certificate management practices.