LinuxCommandLibrary

cfssl

Issue, sign, and bundle TLS certificates

TLDR

Show certificate information of a host
$ cfssl certinfo -domain [www.google.com]

Decode certificate information from a file
$ cfssl certinfo -cert [path/to/certificate.pem]

Scan host(s) for SSL/TLS issues
$ cfssl scan [host1 host2 ...]

Display help for a subcommand
$ cfssl [genkey|gencsr|certinfo|sign|gencrl|ocspdump|ocsprefresh|ocspsign|ocspserve|scan|bundle|crl|print-defaults|revoke|gencert|serve|version|selfsign|info] -h

SYNOPSIS

cfssl {bundle|genkey|gencert|gennewcert|gensign|print-defaults|scan|selfsign|sign|split|version} [options] [args]

PARAMETERS

-ca file
    CA certificate PEM file

-ca-key file
    CA private key PEM file

-ca-bundle file
    CA certificate bundle file

-cert file
    Certificate file (with embedded key)

-config file
    JSON configuration file (default: /etc/cfssl/cfssl.json)

-hostname hosts
    Comma-separated list of SAN hostnames

-initca
    Initialize certificate as CA

-key file
    Private key input file (default: stdin)

-profile name
    Configuration profile name from JSON

-cn name
    Certificate common name (Subject)

-serial hex
    Certificate serial number

-pkcs12
    Output PKCS#12 format

-pkcs12-password pass
    PKCS#12 output password

-key-type type
    Key type (rsa|ecdsa|ed25519, default rsa)

-key-size bits
    Key size (default 2048)

DESCRIPTION

CFSSL is Cloudflare's open-source PKI/TLS toolkit for generating, signing, verifying, and managing X.509 certificates and keys. The cfssl command-line tool provides subcommands to handle the full certificate lifecycle, from key generation to bundling chains.

Key features include JSON-configurable certificate profiles supporting RSA/ECDSA/Ed25519 keys, custom extensions, SANs, key usages, and validity periods. It's scriptable, fast (Go-based), and ideal for automation in Kubernetes (used by kubeadm), CI/CD, service meshes like Istio, and containerized environments.

Typical workflow: generate a config with cfssl print-defaults, create a CSR/key pair with genkey, sign it with gencert or sign using a CA, and parse the JSON output with the companion cfssljson to obtain PEM files. Self-signing, CA initialization, vulnerability scanning (scan), and PEM bundle operations are also supported.

Unlike openssl, CFSSL emphasizes declarative JSON configs for reproducibility and avoids interactive prompts, making it DevOps-friendly.

CAVEATS

Outputs JSON by default; pipe to cfssljson for PEM extraction. Config file may not exist by default. Subcommand-specific options vary; use cfssl <subcmd> -help. Not installed by default on most distros.

INSTALLATION

Install via go install github.com/cloudflare/cfssl/cmd/cfssl@latest or packages like Debian's cfssl (universe repo). Requires Go 1.18+.

EXAMPLE WORKFLOW

cfssl print-defaults config > ca-config.json   # signing profiles (edit expiry and usages as needed)
cfssl print-defaults csr > ca-csr.json         # CSR template; edit CN/names, and copy to server-csr.json with the server's hosts
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
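As an added example (not cfssl's or cfssljson's own code), the Python below builds the kind of signing config the workflow above passes with -config/-profile and reproduces what cfssljson -bare does with cfssl's JSON output. The PEM bodies in SAMPLE_OUTPUT are constructed placeholders, and the function and variable names are assumptions.

```python
import json
import os
import re
from pathlib import Path

# cfssl output member -> (cfssljson file suffix, expected PEM label)
PEM_MEMBERS = {
    "cert": (".pem", "CERTIFICATE"),
    "key": ("-key.pem", "PRIVATE KEY"),  # "EC "/"RSA " prefixes accepted too
    "csr": (".csr", "CERTIFICATE REQUEST"),
}

def build_signing_config(default_expiry="168h", leaf_expiry="8760h"):
    """Signing config for 'cfssl gencert -config=... -profile=...': each profile
    allows only one side of the handshake, so a server cert can't act as a client."""
    def profile(auth):
        return {"expiry": leaf_expiry,
                "usages": ["signing", "key encipherment", auth]}
    return {"signing": {"default": {"expiry": default_expiry},
                        "profiles": {"server": profile("server auth"),
                                     "client": profile("client auth")}}}

def split_cfssl_output(raw_json, name, outdir=None):
    """What 'cfssljson -bare NAME' does: pull the PEM members out of the JSON.
    Returns {member: (filename, pem)}; with outdir set the files are written
    and the private key gets mode 0600, as cfssljson does."""
    data = json.loads(raw_json)
    result = {}
    for member, (suffix, label) in PEM_MEMBERS.items():
        pem = data.get(member)
        if not pem:
            continue  # e.g. 'cfssl sign' output carries no key member
        if not re.search(rf"^-----BEGIN (?:EC |RSA )?{label}-----", pem, re.M):
            raise ValueError(f"member {member!r} is not a {label} PEM block")
        filename = f"{name}{suffix}"
        if outdir is not None:
            path = Path(outdir) / filename
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(pem)
            if member == "key":
                os.chmod(path, 0o600)
        result[member] = (filename, pem)
    return result

# Constructed stand-in for 'cfssl gencert' output; the bodies are not real DER.
SAMPLE_OUTPUT = json.dumps({
    "cert": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN EC PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END EC PRIVATE KEY-----\n",
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE REQUEST-----\n",
})
```

Calling split_cfssl_output(SAMPLE_OUTPUT, "server", outdir="certs") produces certs/server.pem, certs/server-key.pem (mode 0600) and certs/server.csr, matching the file names the workflow above expects.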

HISTORY

Developed by Cloudflare, first released in March 2014 as part of the cfssl GitHub project (github.com/cloudflare/cfssl). Gained popularity for Kubernetes cert bootstrapping. Actively maintained with Go rewrites, Ed25519 support (v1.6+), and TLS scan features. Version 1.6.5 current as of 2023.

SEE ALSO

openssl(1), cfssljson(1), step(1)
