Convert Figma logo to code with AI

cloudflare logocfssl

CFSSL: Cloudflare's PKI and TLS toolkit

8,649
1,096
8,649
307
View on GitHub

Top Related Projects

smallstep's avatar

certificates

6,580

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

FiloSottile's avatar

mkcert

48,328

A simple zero-config tool to make locally trusted development certificates with any names you'd like.

square's avatar

certstrap

2,265

Tools to bootstrap CAs, certificate requests, and signed certificates.

hashicorp's avatar

vault

31,032

A tool for secrets management, encryption as a service, and privileged access management

letsencrypt's avatar

boulder

5,173

An ACME-based certificate authority, written in Go.

OpenVPN's avatar

easy-rsa

4,030

easy-rsa - Simple shell based CA utility

Quick Overview

CFSSL (Cloudflare's SSL/TLS toolkit) is an open-source project that provides a complete PKI/TLS toolkit for managing and deploying TLS/SSL certificates. It offers a set of tools and libraries for certificate bundling, signing, verification, and other PKI operations, making it easier to manage SSL/TLS infrastructure at scale.

Pros

  • Comprehensive PKI toolkit with support for various certificate operations
  • Highly scalable and suitable for large-scale certificate management
  • Provides both command-line tools and an HTTP API for flexibility
  • Actively maintained by Cloudflare and the open-source community

Cons

  • Steeper learning curve compared to some simpler certificate management tools
  • Documentation can be sparse or outdated in some areas
  • May be overkill for small-scale or simple certificate management needs
  • Requires some understanding of PKI concepts for effective use

Code Examples

  1. Generating a self-signed certificate:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

This command generates a self-signed CA certificate using the configuration in ca-csr.json.

  1. Signing a certificate with a CA:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=server server.json | cfssljson -bare server

This signs a new certificate for a server using the CA certificate and key, with configuration from config.json and server.json.

  1. Starting the CFSSL API server:
cfssl serve -address=0.0.0.0 -port=8888 -ca=ca.pem -ca-key=ca-key.pem -config=config.json

This starts the CFSSL API server, listening on all interfaces on port 8888, using the specified CA certificate and key.

Getting Started

  1. Install CFSSL:

    go install github.com/cloudflare/cfssl/cmd/cfssl@latest
go install github.com/cloudflare/cfssl/cmd/cfssljson@latest

  2. Create a CA configuration file (ca-csr.json):

    {
  "CN": "My Root CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "My Organization",
      "OU": "My Unit",
      "ST": "California"
    }
  ]
}

  3. Generate the CA certificate:

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca

This will create ca.pem (the CA certificate) and ca-key.pem (the CA private key). You can now use these to sign other certificates using CFSSL.

Competitor Comparisons

smallstep logo

certificates

6,580

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

Pros of certificates

  • More active development with frequent updates and releases
  • Comprehensive documentation and tutorials for easier adoption
  • Built-in support for ACME protocol and automated certificate management

Cons of certificates

  • Smaller community and ecosystem compared to cfssl
  • Less mature project with potentially fewer production deployments
  • Limited language support (primarily Go) compared to cfssl's multi-language bindings

Code comparison

certificates:

ca, err := ca.New(config)
if err != nil {
    return err
}
cert, err := ca.Sign(csr)

cfssl:

signer, err := universal.NewSigner(root, policy)
if err != nil {
    return err
}
cert, err := signer.Sign(csr)

Both projects offer similar functionality for certificate signing, but certificates provides a more streamlined API with built-in configuration management. cfssl's approach is more flexible but requires more setup code.

FiloSottile logo

mkcert

48,328

A simple zero-config tool to make locally trusted development certificates with any names you'd like.

Pros of mkcert

  • Simpler and more user-friendly for local development environments
  • Automatically installs the generated root CA in the system trust store
  • Supports a wide range of platforms and browsers out of the box

Cons of mkcert

  • Limited to local development use cases, not suitable for production environments
  • Fewer customization options and advanced features compared to cfssl
  • Lacks support for complex PKI operations and certificate management

Code Comparison

mkcert:

mkcert example.com "*.example.com" localhost 127.0.0.1 ::1

cfssl:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile=server server-csr.json | cfssljson -bare server

mkcert focuses on simplicity and ease of use for local development, generating certificates with a single command. cfssl, on the other hand, provides more flexibility and control over the certificate generation process, making it suitable for more complex scenarios and production use cases.

While mkcert is ideal for developers who need quick and easy local HTTPS setup, cfssl offers a comprehensive toolkit for managing a complete PKI infrastructure, including features like certificate bundling, OCSP stapling, and custom certificate policies.

square logo

certstrap

2,265

Tools to bootstrap CAs, certificate requests, and signed certificates.

Pros of certstrap

  • Simpler and more lightweight tool focused specifically on certificate creation and management
  • Easier to use for basic certificate operations without extensive configuration
  • Designed for local development and testing environments

Cons of certstrap

  • Limited functionality compared to cfssl's broader feature set
  • Less suitable for production-grade PKI infrastructure
  • Fewer options for customization and advanced certificate management

Code comparison

certstrap:

certstrap init --common-name "CA"
certstrap request-cert --common-name "example.com"
certstrap sign example.com --CA "CA"

cfssl:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca ca.pem -ca-key ca-key.pem -config config.json -profile server server.json | cfssljson -bare server

Both tools provide command-line interfaces for certificate operations, but cfssl offers more complex configurations and options. certstrap focuses on simplicity, while cfssl provides a more comprehensive set of features for managing certificates and PKI infrastructure.

certstrap is better suited for developers who need a quick and easy way to generate certificates for local development or testing. cfssl, on the other hand, is more appropriate for organizations requiring a full-featured PKI toolkit with advanced customization options and production-ready capabilities.

hashicorp logo

vault

31,032

A tool for secrets management, encryption as a service, and privileged access management

Pros of Vault

  • Comprehensive secret management solution with dynamic secrets, encryption as a service, and more
  • Highly scalable and designed for enterprise use cases
  • Supports multiple authentication methods and access control policies

Cons of Vault

  • More complex setup and configuration compared to CFSSL
  • Higher resource requirements for running a full Vault cluster
  • Steeper learning curve for users and administrators

Code Comparison

CFSSL (Certificate Signing Request):

{
  "CN": "example.com",
  "hosts": ["example.com", "www.example.com"],
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}

Vault (Certificate Signing Request):

path "pki/issue/example-dot-com" {
  capabilities = ["create", "update"]
  allowed_parameters = {
    "common_name" = ["example.com"]
    "alt_names" = ["www.example.com"]
  }
}

CFSSL focuses primarily on PKI and certificate management, while Vault offers a broader range of secret management features. CFSSL is lighter weight and easier to set up for simple certificate operations, but Vault provides more advanced functionality and scalability for complex environments. The code examples show the difference in approach: CFSSL uses a JSON-based configuration, while Vault employs HCL (HashiCorp Configuration Language) for defining policies and access controls.

letsencrypt logo

boulder

5,173

An ACME-based certificate authority, written in Go.

Pros of Boulder

  • Designed specifically for Let's Encrypt's ACME protocol implementation
  • Highly scalable and battle-tested in production for millions of certificates
  • Extensive documentation and community support

Cons of Boulder

  • More complex setup and configuration compared to CFSSL
  • Primarily focused on ACME protocol, less versatile for general PKI needs
  • Steeper learning curve for newcomers to certificate management

Code Comparison

Boulder (Go):

func (ra *RegistrationAuthorityImpl) NewAuthorization(ctx context.Context, request core.Authorization, regID int64) (core.Authorization, error) {
    identifier := request.Identifier
    if identifier.Type != core.IdentifierDNS {
        return core.Authorization{}, berrors.MalformedError("invalid identifier type")
    }
    // ... (additional code)
}

CFSSL (Go):

func NewSigner(priv crypto.Signer, cert *x509.Certificate, policy *config.Signing) (Signer, error) {
    if policy == nil {
        policy = &config.Signing{
            Default:  config.DefaultConfig(),
            Profiles: nil,
        }
    }
    // ... (additional code)
}

Both repositories use Go and focus on certificate management, but Boulder is tailored for the ACME protocol, while CFSSL offers a more general-purpose PKI toolkit. Boulder's code tends to be more specific to ACME operations, whereas CFSSL provides broader certificate signing and management functionalities.

OpenVPN logo

easy-rsa

4,030

easy-rsa - Simple shell based CA utility

Pros of easy-rsa

  • Simpler setup and usage, ideal for beginners
  • Specifically designed for OpenVPN, ensuring compatibility
  • Lightweight and requires fewer dependencies

Cons of easy-rsa

  • Limited functionality compared to cfssl
  • Less suitable for large-scale PKI management
  • Lacks advanced features like OCSP and CRL generation

Code Comparison

easy-rsa:

./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server

cfssl:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json \
    -profile=server server-csr.json | cfssljson -bare server

easy-rsa focuses on simplicity with straightforward commands, while cfssl offers more flexibility and control through JSON configuration files. cfssl provides a more comprehensive set of tools for managing a PKI infrastructure, including features like OCSP responders and CRL generation. However, easy-rsa's simplicity makes it an excellent choice for small-scale deployments or users new to PKI management, especially in the context of OpenVPN setups.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

CFSSL

Build Status Coverage Status GoDoc

CloudFlare's PKI/TLS toolkit

CFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates. It requires Go 1.16+ to build.

Note that certain linux distributions have certain algorithms removed (RHEL-based distributions in particular), so the golang from the official repositories will not work. Users of these distributions should install go manually to install CFSSL.

CFSSL consists of:

  • a set of packages useful for building custom TLS PKI tools
  • the cfssl program, which is the canonical command line utility using the CFSSL packages.
  • the multirootca program, which is a certificate authority server that can use multiple signing keys.
  • the mkbundle program is used to build certificate pool bundles.
  • the cfssljson program, which takes the JSON output from the cfssl and multirootca programs and writes certificates, keys, CSRs, and bundles to disk.

Building

Building cfssl requires a working Go 1.16+ installation.

$ git clone git@github.com:cloudflare/cfssl.git
$ cd cfssl
$ make
$ make install

The resulting binaries will be in the bin folder:

$ tree bin
bin
├── cfssl
├── cfssl-bundle
├── cfssl-certinfo
├── cfssl-newkey
├── cfssl-scan
├── cfssljson
├── mkbundle
└── multirootca

0 directories, 8 files

Cross Compilation

You can set the GOOS and GOARCH environment variables to have Go cross compile for alternative platforms; however, cfssl requires cgo, and cgo requires a working compiler toolchain for the target platform.

Installation

Installation requires a working Go 1.16+ installation. Alternatively, prebuilt binaries are available

$ go get github.com/cloudflare/cfssl/cmd/cfssl

will download, build, and install the CFSSL tool.

To install any of the other utility programs that are in this repo (for instance cfssljson in this case):

$ go get github.com/cloudflare/cfssl/cmd/cfssljson

This will download, build, and install the CFSSLJSON tool.

And to simply install all of the programs in this repo:

$ go get github.com/cloudflare/cfssl/cmd/...

if you are above go 1.18:

$ go install github.com/cloudflare/cfssl/cmd/...@latest

This will download, build, and install all of the utility programs (including cfssl, cfssljson, and mkbundle among others).

Using the Command Line Tool

The cfssl command line tool takes a command to specify what operation it should carry out:

   sign             signs a certificate
   bundle           build a certificate bundle
   genkey           generate a private key and a certificate request
   gencert          generate a private key and a certificate
   serve            start the API server
   version          prints out the current version
   selfsign         generates a self-signed certificate
   print-defaults   print default configurations

Use cfssl [command] -help to find out more about a command. The version command takes no arguments.

Signing

cfssl sign [-ca cert] [-ca-key key] [-hostname comma,separated,hostnames] csr [subject]

The csr is the client's certificate request. The -ca and -ca-key flags are the CA's certificate and private key, respectively. By default, they are ca.pem and ca_key.pem. The -hostname is a comma separated hostname list that overrides the DNS names and IP address in the certificate SAN extension. For example, assuming the CA's private key is in /etc/ssl/private/cfssl_key.pem and the CA's certificate is in /etc/ssl/certs/cfssl.pem, to sign the cloudflare.pem certificate for cloudflare.com:

cfssl sign -ca     /etc/ssl/certs/cfssl.pem       \
           -ca-key /etc/ssl/private/cfssl_key.pem \
           -hostname cloudflare.com               \
           ./cloudflare.pem

It is also possible to specify CSR with the -csr flag. By doing so, flag values take precedence and will overwrite the argument.

The subject is an optional file that contains subject information that should be used in place of the information from the CSR. It should be a JSON file as follows:

{
    "CN": "example.com",
    "names": [
        {
            "C":  "US",
            "L":  "San Francisco",
            "O":  "Internet Widgets, Inc.",
            "OU": "WWW",
            "ST": "California"
        }
    ]
}

N.B. As of Go 1.7, self-signed certificates will not include the AKI.

Bundling

cfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \
             [-metadata metadata_file] [-flavor bundle_flavor] \
             -cert certificate_file [-key key_file]

The bundles are used for the root and intermediate certificate pools. In addition, platform metadata is specified through -metadata. The bundle files, metadata file (and auxiliary files) can be found at:

    https://github.com/cloudflare/cfssl_trust

Specify PEM-encoded client certificate and key through -cert and -key respectively. If key is specified, the bundle will be built and verified with the key. Otherwise the bundle will be built without a private key. Instead of file path, use - for reading certificate PEM from stdin. It is also acceptable that the certificate file should contain a (partial) certificate bundle.

Specify bundling flavor through -flavor. There are three flavors: optimal to generate a bundle of shortest chain and most advanced cryptographic algorithms, ubiquitous to generate a bundle of most widely acceptance across different browsers and OS platforms, and force to find an acceptable bundle which is identical to the content of the input certificate file.

Alternatively, the client certificate can be pulled directly from a domain. It is also possible to connect to the remote address through -ip.

cfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \
             [-metadata metadata_file] [-flavor bundle_flavor] \
             -domain domain_name [-ip ip_address]

The bundle output form should follow the example:

{
    "bundle": "CERT_BUNDLE_IN_PEM",
    "crt": "LEAF_CERT_IN_PEM",
    "crl_support": true,
    "expires": "2015-12-31T23:59:59Z",
    "hostnames": ["example.com"],
    "issuer": "ISSUER CERT SUBJECT",
    "key": "KEY_IN_PEM",
    "key_size": 2048,
    "key_type": "2048-bit RSA",
    "ocsp": ["http://ocsp.example-ca.com"],
    "ocsp_support": true,
    "root": "ROOT_CA_CERT_IN_PEM",
    "signature": "SHA1WithRSA",
    "subject": "LEAF CERT SUBJECT",
    "status": {
        "rebundled": false,
        "expiring_SKIs": [],
        "untrusted_root_stores": [],
        "messages": [],
        "code": 0
    }
}

Generating certificate signing request and private key

cfssl genkey csr.json

To generate a private key and corresponding certificate request, specify the key request as a JSON file. This file should follow the form:

{
    "hosts": [
        "example.com",
        "www.example.com",
        "https://www.example.com",
        "jdoe@example.com",
        "127.0.0.1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C":  "US",
            "L":  "San Francisco",
            "O":  "Internet Widgets, Inc.",
            "OU": "WWW",
            "ST": "California"
        }
    ]
}

Generating self-signed root CA certificate and private key

cfssl genkey -initca csr.json | cfssljson -bare ca

To generate a self-signed root CA certificate, specify the key request as a JSON file in the same format as in 'genkey'. Three PEM-encoded entities will appear in the output: the private key, the csr, and the self-signed certificate.

Generating a remote-issued certificate and private key.

cfssl gencert -remote=remote_server [-hostname=comma,separated,hostnames] csr.json

This calls genkey but has a remote CFSSL server sign and issue the certificate. You may use -hostname to override certificate SANs.

Generating a local-issued certificate and private key.

cfssl gencert -ca cert -ca-key key [-hostname=comma,separated,hostnames] csr.json

This generates and issues a certificate and private key from a local CA via a JSON request. You may use -hostname to override certificate SANs.

Updating an OCSP responses file with a newly issued certificate

cfssl ocspsign -ca cert -responder key -responder-key key -cert cert \
 | cfssljson -bare -stdout >> responses

This will generate an OCSP response for the cert and add it to the responses file. You can then pass responses to ocspserve to start an OCSP server.

Starting the API Server

CFSSL comes with an HTTP-based API server; the endpoints are documented in doc/api/intro.txt. The server is started with the serve command:

cfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \
            [-ca-key key] [-int-bundle bundle] [-int-dir dir] [-port port] \
            [-metadata file] [-remote remote_host] [-config config] \
            [-responder cert] [-responder-key key] [-db-config db-config]

Address and port default to "127.0.0.1:8888". The -ca and -ca-key arguments should be the PEM-encoded certificate and private key to use for signing; by default, they are ca.pem and ca_key.pem. The -ca-bundle and -int-bundle should be the certificate bundles used for the root and intermediate certificate pools, respectively. These default to ca-bundle.crt and int-bundle.crt respectively. If the -remote option is specified, all signature operations will be forwarded to the remote CFSSL.

-int-dir specifies an intermediates directory. -metadata is a file for root certificate presence. The content of the file is a json dictionary (k,v) such that each key k is an SHA-1 digest of a root certificate while value v is a list of key store filenames. -config specifies a path to a configuration file. -responder and -responder-key are the certificate and the private key for the OCSP responder, respectively.

The amount of logging can be controlled with the -loglevel option. This comes after the serve command:

cfssl serve -loglevel 2

The levels are:

  • 0 - DEBUG
  • 1 - INFO (this is the default level)
  • 2 - WARNING
  • 3 - ERROR
  • 4 - CRITICAL

The multirootca

The cfssl program can act as an online certificate authority, but it only uses a single key. If multiple signing keys are needed, the multirootca program can be used. It only provides the sign, authsign and info endpoints. The documentation contains instructions for configuring and running the CA.

The mkbundle Utility

mkbundle is used to build the root and intermediate bundles used in verifying certificates. It can be installed with

go get github.com/cloudflare/cfssl/cmd/mkbundle

It takes a collection of certificates, checks for CRL revocation (OCSP support is planned for the next release) and expired certificates, and bundles them into one file. It takes directories of certificates and certificate files (which may contain multiple certificates). For example, if the directory intermediates contains a number of intermediate certificates:

mkbundle -f int-bundle.crt intermediates

will check those certificates and combine valid certificates into a single int-bundle.crt file.

The -f flag specifies an output name; -loglevel specifies the verbosity of the logging (using the same loglevels as above), and -nw controls the number of revocation-checking workers.

The cfssljson Utility

Most of the output from cfssl is in JSON. The cfssljson utility can take this output and split it out into separate key, certificate, CSR, and bundle files as appropriate. The tool takes a single flag, -f, that specifies the input file, and an argument that specifies the base name for the files produced. If the input filename is - (which is the default), cfssljson reads from standard input. It maps keys in the JSON file to filenames in the following way:

  • if cert or certificate is specified, basename.pem will be produced.
  • if key or private_key is specified, basename-key.pem will be produced.
  • if csr or certificate_request is specified, basename.csr will be produced.
  • if bundle is specified, basename-bundle.pem will be produced.
  • if ocspResponse is specified, basename-response.der will be produced.

Instead of saving to a file, you can pass -stdout to output the encoded contents to standard output.

Static Builds

By default, the web assets are accessed from disk, based on their relative locations. If you wish to distribute a single, statically-linked, cfssl binary, you’ll want to embed these resources before building. This can by done with the go.rice tool.

pushd cli/serve && rice embed-go && popd

Then building with go build will use the embedded resources.

Additional Documentation

Additional documentation can be found in the "doc" directory: