cfssl
PKI/TLS certificate authority toolkit
TLDR
Initialize a new CA
SYNOPSIS
cfssl command [options] [arguments]
DESCRIPTION
cfssl is CloudFlare's PKI/TLS toolkit for signing, verifying, and bundling TLS certificates. It provides both a command-line tool and an HTTP API server for running a complete certificate authority.
The toolkit handles the full certificate lifecycle: generating root and intermediate CAs, signing certificate requests, creating self-signed certificates, and building certificate bundles for deployment. Configuration files define signing profiles with specific expiry periods, key usages, and authentication requirements.
The companion tool cfssljson extracts certificates and keys from cfssl's JSON output into PEM files. The multirootca component allows running a CA server with multiple signing keys for different purposes.
PARAMETERS
-ca file
CA certificate file (default: ca.pem)
-ca-key file
CA private key file (default: ca_key.pem)
-config file
Path to configuration file
-hostname names
Comma-separated hostnames for SAN
-initca
Initialize new CA
-remote host
Remote CFSSL server address
CONFIGURATION
ca-csr.json
Certificate Signing Request defaults (key algorithm, size, names, hosts).
config.json
Signing profiles defining certificate expiry, usages, and auth keys for the CA.
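Because signing profiles carry the CA's policy (expiry, usages, auth keys), a config.json is worth checking before it is loaded. The script below is an added example, not part of cfssl: it audits the signing profiles of a constructed sample config, using the field names of cfssl's signing configuration (signing.default, signing.profiles, auth_keys, ca_constraint.is_ca). The 398-day ceiling and the function names are assumptions for illustration.

```python
import json
import re

# Constructed sample config (not from the cfssl project); field names follow
# cfssl's signing-config JSON: signing.default, signing.profiles, auth_keys.
SAMPLE_CONFIG = json.loads("""
{
  "signing": {
    "default": {"expiry": "8760h"},
    "profiles": {
      "server": {"expiry": "2160h", "auth_key": "ops",
                 "usages": ["signing", "key encipherment", "server auth"]},
      "legacy": {"expiry": "87600h", "usages": ["server auth", "cert sign"]},
      "client": {"expiry": "720h", "auth_key": "missing",
                 "usages": ["client auth"]}
    }
  },
  "auth_keys": {"ops": {"type": "standard", "key": "00112233"}}
}
""")

MAX_LEAF_HOURS = 24 * 398  # assumed local policy ceiling, not a cfssl default

def expiry_hours(value):
    """Convert a Go-style duration made of h/m/s parts (e.g. '8760h') to hours."""
    parts = re.findall(r"(\d+(?:\.\d+)?)(h|m|s)", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unsupported duration: {value!r}")
    scale = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}
    return sum(float(n) * scale[u] for n, u in parts)

def audit(config):
    """Return sorted (profile, finding) pairs for risky signing profiles."""
    signing = config.get("signing", {})
    keys = config.get("auth_keys", {})
    profiles = dict(signing.get("profiles", {}), default=signing.get("default", {}))
    findings = []
    for name, prof in profiles.items():
        usages = prof.get("usages", [])
        is_ca = prof.get("ca_constraint", {}).get("is_ca", False)
        if "expiry" in prof and not is_ca and expiry_hours(prof["expiry"]) > MAX_LEAF_HOURS:
            findings.append((name, "expiry exceeds policy ceiling"))
        if "cert sign" in usages and not is_ca:
            findings.append((name, "cert sign usage on a non-CA profile"))
        if "auth_key" not in prof:
            findings.append((name, "no auth_key set"))
        elif prof["auth_key"] not in keys:
            findings.append((name, "auth_key not defined in auth_keys"))
    return sorted(findings)
```

A profile with no auth_key matters most when the config is loaded by the HTTP API server, since requests against that profile are then signed without authentication.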
COMMANDS
gencert
Generate new key and signed certificate
sign
Sign a certificate signing request
selfsign
Generate self-signed certificate
bundle
Build certificate bundle
genkey
Generate private key and CSR
serve
Start HTTP API server
info
Get info about remote signer
print-defaults
Print default configurations
version
Print version
API SERVER
Default address: 127.0.0.1:8888
COMPANION TOOLS
cfssljson
Write certificates/keys from JSON output
multirootca
Multi-signing-key CA server
mkbundle
Build certificate bundles
CAVEATS
Requires Go 1.20+ to build from source. Private keys should be protected. Use configuration files for complex signing policies.
