{"id":37218725,"url":"https://github.com/databus23/cfssl","last_synced_at":"2026-01-15T01:12:22.948Z","repository":{"id":34376770,"uuid":"38302534","full_name":"databus23/cfssl","owner":"databus23","description":"CFSSL: CloudFlare's PKI toolkit","archived":false,"fork":true,"pushed_at":"2015-06-30T10:34:56.000Z","size":1673,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-06-19T04:26:39.199Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://blog.cloudflare.com/introducing-cfssl","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"cloudflare/cfssl","license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/databus23.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-06-30T10:17:57.000Z","updated_at":"2015-06-30T10:17:58.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/databus23/cfssl","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/databus23/cfssl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databus23%2Fcfssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databus23%2Fcfssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databus23%2Fcfssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/databus23%2Fcfssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/databus23","download_url":"https://codeload.github.com/databus23/cfssl/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/databus23%2Fcfssl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28441019,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-15T00:55:22.719Z","status":"ssl_error","status_checked_at":"2026-01-15T00:55:20.945Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-15T01:12:22.286Z","updated_at":"2026-01-15T01:12:22.940Z","avatar_url":"https://github.com/databus23.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CFSSL\n\n[![Build Status](https://travis-ci.org/cloudflare/cfssl.png?branch=master)](https://travis-ci.org/cloudflare/cfssl)\n[![Coverage Status](https://coveralls.io/repos/cloudflare/cfssl/badge.svg?branch=master)](https://coveralls.io/r/cloudflare/cfssl?branch=master)\n[![GoDoc](https://godoc.org/github.com/cloudflare/cfssl?status.png)](https://godoc.org/github.com/cloudflare/cfssl)\n## CloudFlare's PKI/TLS toolkit\n\nCFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command line\ntool and an HTTP API server for signing, verifying, and bundling TLS\ncertificates. It requires Go 1.4 to build.\n\nNote that certain linux distributions have certain algorithms removed\n(RHEL-based distributions in particular), so the golang from the\nofficial repositories will not work. 
Users of these distributions should\n[install go manually](//golang.org) to install CFSSL.\n\n### Installation\n\nInstallation requires a [working Go\ninstallation](http://golang.org/doc/install) and a properly set `GOPATH`.\n\n```\n$ go get -u github.com/cloudflare/cfssl/cmd/cfssl\n```\n\nwill download and build the CFSSL tool, installing it in\n`$GOPATH/bin/cfssl`. To install the other utility programs that are in\nthis repo:\n\n```\n$ go get -u github.com/cloudflare/cfssl/cmd/...\n```\n\nThis will download, build, and install `cfssl`, `cfssljson`, and\n`mkbundle` into `$GOPATH/bin/`.\n\n\n### Using the Command Line Tool\n\nThe command line tool takes a command to specify what operation it\nshould carry out:\n\n       sign             signs a certificate\n       bundle           build a certificate bundle\n       genkey           generate a private key and a certificate request\n       gencert          generate a private key and a certificate\n       serve            start the API server\n       version          prints out the current version\n       selfsign         generates a self-signed certificate\n\nUse \"cfssl [command] -help\" to find out more about a command.\nThe version command takes no arguments.\n\n#### Signing\n\n```\ncfssl sign [-ca cert] [-ca-key key] [-hostname comma,separated,hostnames] csr [subject]\n```\n\nThe csr is the client's certificate request. The `-ca` and `-ca-key`\nflags are the CA's certificate and private key, respectively. By\ndefault, they are \"ca.pem\" and \"ca_key.pem\". 
The `-hostname` is\na comma separated hostname list that overrides the DNS names and\nIP address in the certificate SAN extension.\nFor example, assuming the CA's private key is in\n`/etc/ssl/private/cfssl_key.pem` and the CA's certificate is in\n`/etc/ssl/certs/cfssl.pem`, to sign the `cloudflare.pem` certificate\nfor cloudflare.com:\n\n```\ncfssl sign -ca /etc/ssl/certs/cfssl.pem \\\n           -ca-key /etc/ssl/private/cfssl_key.pem \\\n           -hostname cloudflare.com ./cloudflare.pem\n```\n\nIt is also possible to specify the CSR through the '-csr' flag. By doing so,\nflag values take precedence and will overwrite the argument.\n\nThe subject is an optional file that contains subject information that\nshould be used in place of the information from the CSR. It should be\na JSON file with the type:\n\n```\n{\n    \"CN\": \"example.com\",\n    \"names\": [\n        {\n            \"C\": \"US\",\n            \"L\": \"San Francisco\",\n            \"O\": \"Internet Widgets, Inc.\",\n            \"OU\": \"WWW\",\n            \"ST\": \"California\"\n        }\n    ]\n}\n```\n\n#### Bundling\n\n```\ncfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \\\n             [-metadata metadata_file] [-flavor bundle_flavor] \\\n             -cert certificate_file [-key key_file]\n```\n\nThe bundles are used for the root and intermediate certificate\npools. In addition, platform metadata is specified through '-metadata'.\nThe bundle files, metadata file (and auxiliary files) can be\nfound at [cfssl_trust](https://github.com/cloudflare/cfssl_trust).\n\n\nSpecify the PEM-encoded client certificate and key through '-cert' and\n'-key' respectively. If a key is specified, the bundle will be built\nand verified with the key. Otherwise the bundle will be built\nwithout a private key. Instead of a file path, use '-' for reading\ncertificate PEM from stdin. It is also acceptable for the certificate\nfile to contain a (partial) certificate bundle.\n\nSpecify bundling flavor through '-flavor'. 
There are three flavors:\n'optimal' to generate a bundle with the shortest chain and most advanced\ncryptographic algorithms, 'ubiquitous' to generate a bundle with the widest\nacceptance across different browsers and OS platforms, and\n'force' to find an acceptable bundle which is identical to the\ncontent of the input certificate file.\n\nAlternatively, the client certificate can be pulled directly from\na domain. It is also possible to connect to the remote address\nthrough '-ip'.\n\n```\ncfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \\\n             [-metadata metadata_file] [-flavor bundle_flavor] \\\n             -domain domain_name [-ip ip_address]\n```\n\nThe bundle output form should follow the example\n\n```\n{\n    \"bundle\": \"CERT_BUNDLE_IN_PEM\",\n    \"crt\": \"LEAF_CERT_IN_PEM\",\n    \"crl_support\": true,\n    \"expires\": \"2015-12-31T23:59:59Z\",\n    \"hostnames\": [\"example.com\"],\n    \"issuer\": \"ISSUER CERT SUBJECT\",\n    \"key\": \"KEY_IN_PEM\",\n    \"key_size\": 2048,\n    \"key_type\": \"2048-bit RSA\",\n    \"ocsp\": [\"http://ocsp.example-ca.com\"],\n    \"ocsp_support\": true,\n    \"root\": \"ROOT_CA_CERT_IN_PEM\",\n    \"signature\": \"SHA1WithRSA\",\n    \"subject\": \"LEAF CERT SUBJECT\",\n    \"status\": {\n        \"rebundled\": false,\n        \"expiring_SKIs\": [],\n        \"untrusted_root_stores\": [],\n        \"messages\": [],\n        \"code\": 0\n    }\n}\n```\n\n\n#### Generating certificate signing request and private key\n\n```\ncfssl genkey csrjson\n```\n\nTo generate a private key and corresponding certificate request, specify\nthe key request as a JSON file. 
This file should follow the form\n\n```\n{\n    \"hosts\": [\n        \"example.com\",\n        \"www.example.com\"\n    ],\n    \"key\": {\n        \"algo\": \"rsa\",\n        \"size\": 2048\n    },\n    \"names\": [\n        {\n            \"C\": \"US\",\n            \"L\": \"San Francisco\",\n            \"O\": \"Internet Widgets, Inc.\",\n            \"OU\": \"WWW\",\n            \"ST\": \"California\"\n        }\n    ]\n}\n```\n\n#### Generating self-signed root CA certificate and private key\n\n```\ncfssl genkey -initca csrjson | cfssljson -bare ca\n```\n\nTo generate a self-signed root CA certificate, specify the key request as\nthe JSON file in the same format as in 'genkey'. Three PEM-encoded entities\nwill appear in the output: the private key, the csr, and the self-signed\ncertificate.\n\n#### Generating a remote-issued certificate and private key.\n\n```\ncfssl gencert -remote=remote_server [-hostname=comma,separated,hostnames] csrjson\n```\n\nThis calls genkey, but has a remote CFSSL server sign and issue\na certificate. You may use `-hostname` to override certificate SANs.\n\n#### Generating a local-issued certificate and private key.\n\n```\ncfssl gencert -ca cert -ca-key key [-hostname=comma,separated,hostnames] csrjson\n```\n\nThis generates and issues a certificate and private key from a local CA\nvia a JSON request. You may use `-hostname` to override certificate SANs.\n\n### Starting the API Server\n\nCFSSL comes with an HTTP-based API server; the endpoints are\ndocumented in `doc/api.txt`. The server is started with the \"serve\"\ncommand:\n\n```\ncfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \\\n            [-ca-key key] [-int-bundle bundle] [-port port]   \\\n            [-remote remote_server]\n```\n\nAddress and port default to \"127.0.0.1:8888\". The `-ca` and `-ca-key`\narguments should be the PEM-encoded certificate and private key to use\nfor signing; by default, they are \"ca.pem\" and \"ca_key.pem\". 
The\n`-ca-bundle` and `-int-bundle` should be the certificate bundles used\nfor the root and intermediate certificate pools, respectively. These\ndefault to \"ca-bundle.crt\" and \"int-bundle.\" If the \"remote\" option is\nprovided, all signature operations will be forwarded to the remote CFSSL.\n\nThe amount of logging can be controlled with the `-loglevel` option. This\ncomes *before* the serve command:\n\n```\ncfssl -loglevel 2 serve\n```\n\nThe levels are:\n\n* 0. DEBUG\n* 1. INFO (this is the default level)\n* 2. WARNING\n* 3. ERROR\n* 4. CRITICAL\n\n\n### The mkbundle Utility\n\n`mkbundle` is used to build the root and intermediate bundles used in\nverifying certificates. It can be installed with\n\n```\ngo get -u github.com/cloudflare/cfssl/cmd/mkbundle\n```\n\nIt takes a collection of certificates, checks for CRL revocation (OCSP\nsupport is planned for the next release) and expired certificates, and\nbundles them into one file. It takes directories of certificates and\ncertificate files (which may contain multiple certificates). For example,\nif the directory `intermediates` contains a number of intermediate\ncertificates,\n\n```\nmkbundle -f int-bundle.crt intermediates\n```\n\nwill check those certificates and combine valid ones into a single\n`int-bundle.crt` file.\n\nThe `-f` flag specifies an output name; `-loglevel` specifies the verbosity\nof the logging (using the same loglevels above), and `-nw` controls the\nnumber of revocation-checking workers.\n\n### The cfssljson Utility\n\nMost of the output from `cfssl` is in JSON. The `cfssljson` will take\nthis output and split it out into separate key, certificate, CSR, and\nbundle files as appropriate. The tool takes a single flag, `-f`, that\nspecifies the input file, and an argument that specifies the base name for\nthe files produced. If the input filename is \"-\" (which is the default),\n`cfssljson` reads from standard input. 
It maps keys in the JSON file to\nfilenames in the following way:\n\n* if there is a \"cert\" (or if not, if there's a \"certificate\") field, the\n  file \"basename.pem\" will be produced.\n* if there is a \"key\" (or if not, if there's a \"private_key\") field, the\n  file \"basename-key.pem\" will be produced.\n* if there is a \"csr\" (or if not, if there's a \"certificate_request\") field,\n  the file \"basename.csr\" will be produced.\n* if there is a \"bundle\" field, the file \"basename-bundle.pem\" will\n  be produced.\n\n### Additional Documentation\n\nAdditional documentation can be found in the \"doc/\" directory:\n\n* `api.txt`: documents the API endpoints\n* `bootstrap.txt`: a walkthrough from building the package to getting\n  up and running\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatabus23%2Fcfssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatabus23%2Fcfssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatabus23%2Fcfssl/lists"}