{"id":13724095,"url":"https://github.com/cloudflare/cfssl_trust","last_synced_at":"2025-05-15T01:06:16.075Z","repository":{"id":877658,"uuid":"21633655","full_name":"cloudflare/cfssl_trust","owner":"cloudflare","description":"CFSSL's CA trust store repository","archived":false,"fork":false,"pushed_at":"2025-05-12T19:38:19.000Z","size":126452,"stargazers_count":276,"open_issues_count":3,"forks_count":46,"subscribers_count":31,"default_branch":"master","last_synced_at":"2025-05-12T20:48:19.572Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudflare.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2014-07-09T00:21:35.000Z","updated_at":"2025-05-12T19:38:25.000Z","dependencies_parsed_at":"2023-07-06T14:31:34.668Z","dependency_job_id":"f5cd64a4-b411-446d-8296-46902442ae7b","html_url":"https://github.com/cloudflare/cfssl_trust","commit_stats":{"total_commits":245,"total_committers":29,"mean_commits":8.448275862068966,"dds":0.7836734693877551,"last_synced_commit":"f5a55d82c020d95b48223765ccffd12eec9f24ab"},"previous_names":[],"tags_count":173,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fcfssl_trust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fcfssl_trust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fcfssl_trust/releases","manifests_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fcfssl_trust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudflare","download_url":"https://codeload.github.com/cloudflare/cfssl_trust/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254254040,"owners_count":22039792,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T01:01:50.051Z","updated_at":"2025-05-15T01:06:11.066Z","avatar_url":"https://github.com/cloudflare.png","language":"Go","readme":"## CFSSL TRUST\n\nThese are the trust stores Cloudflare uses for\n[CFSSL](https://github.com/cloudflare/cfssl). It also includes the\nsources of the trust chain that can be built using the `mkbundle`\nutility from CFSSL.\n\nFiles:\n\n```\n.\n├── ca-bundle.crt\n├── ca-bundle.crt.metadata\n├── certdata\n│   └── trusted_roots\n│       ├── froyo.pem\n│       ├── gingerbread.pem\n│       ├── honeycomb.pem\n│       ├── ics.pem\n│       ├── ios.pem\n│       ├── kitkat.pem\n│       ├── nss.pem\n│       ├── osx.pem\n│       ├── ubuntu.pem\n│       └── windows.pem\n├── int-bundle.crt\n├── README.md\n```\n\nThe `ca-bundle.crt` file contains the trusted roots. CFSSL uses the\n`ca-bundle.crt.metadata` when building bundles to assist in building\nbundles that need to be verified in the maximum number of trust stores\non different systems. The `int-bundle.crt` file contains a number of\nknown intermediates; these are preloaded for performance reasons and\noccasionally updated as CFSSL finds more intermediates. 
If an intermediate\nisn't in this bundle, but can be found by following the AIA `CA\nIssuers` fields, it will be downloaded and eventually merged into it.\n\nThe `trusted_roots` directory contains the root stores from a number of\nsystems. Currently, we have trust stores from\n\n* NSS (Firefox, Chrome)\n* OS X\n* Windows\n* Android 2.2 (Frozen Yogurt)\n* Android 2.3 (Gingerbread)\n* Android 3.x (Honeycomb)\n* Android 4.0 (Ice Cream Sandwich)\n* Android 4.4 (KitKat)\n\n### Release\n\n#### Prerequisites\n\n```\n$ go get -u github.com/kisom/goutils/cmd/certdump\n$ go get -u github.com/cloudflare/cfssl/cmd/...\n$ go get -u github.com/cloudflare/cfssl_trust/...\n```\n\n#### Build\n\nThe final bundles (i.e. `ca-bundle.crt` and `int-bundle.crt`) may be\nbuilt as follows:\n\n```\n$ ./release.sh\n```\n\nThis command automatically removes expiring certificates and pushes the\nchanges to a new release branch.\n\nThe content of `ca-bundle.crt.metadata` is crucial to building a\nubiquitous bundle. Feel free to tune its content. 
Make sure the paths to\nindividual trust root stores are correctly specified.\n\n#### Adding new roots or intermediates\n\nNew roots and intermediates can be added using the same command, just by\nproviding values for the `NEW_ROOTS` and `NEW_INTERMEDIATES` variables:\n\n```\n$ NEW_ROOTS=\"/path/to/root1 /path/to/root2\" NEW_INTERMEDIATES=\"/path/to/int1 /path/to/int22\" ./release.sh\n```\n\n#### Check for expiring roots or intermediates\n\nTo check whether an intermediate or root certificate is expiring or revoked without creating a release, the `expiring` command can be used from the project root directory.\n\nTo check for expiring or revoked intermediate certificates in the database provided in this repo:\n```\n$ cfssl-trust -d ./cert.db -b int expiring\n```\nTo check for expiring or revoked root certificates:\n```\n$ cfssl-trust -d ./cert.db -b ca expiring\n```\n\n`./cert.db`, which is specified as the database using the `-d` flag, contains both intermediate and root certificates.\nAny certificate database can be used here in place of `./cert.db`.\n\nThese calls to the `expiring` command print output showing whether there are any expiring or revoked certificates.\n```\n...\n1 certificates expiring.\n0 certificates revoked.\n```\n","funding_links":[],"categories":["Go","General"],"sub_categories":["Secure Sharing"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudflare%2Fcfssl_trust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudflare%2Fcfssl_trust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudflare%2Fcfssl_trust/lists"}