# CFSSL — PKI and TLS Certificate Toolkit by Cloudflare

> CFSSL is a versatile toolkit for building and operating a private certificate authority, handling certificate signing, bundling, and TLS configuration scanning.

## Quick Use

```bash
# Install
go install github.com/cloudflare/cfssl/cmd/...@latest

# Generate a self-signed CA
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# Sign a certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json server-csr.json | cfssljson -bare server
```

## Introduction

CFSSL (Cloudflare's SSL) is an open-source PKI toolkit written in Go that Cloudflare uses internally to manage its own certificate infrastructure. It provides both a CLI and an HTTP API server for certificate generation, signing, and bundling, making it suitable for building internal CAs and automating TLS across services.

## What CFSSL Does

- Generates root and intermediate CA certificates from JSON configuration
- Signs certificate requests with configurable profiles (expiry, key usage, extensions)
- Bundles certificates into optimal chains for TLS deployment
- Scans remote hosts for TLS configuration quality and vulnerabilities
- Serves as an HTTP API for programmatic certificate issuance

## Architecture Overview

CFSSL is a collection of Go binaries: `cfssl` (the main tool and optional server), `cfssljson` (extracts PEM from JSON responses), `mkbundle` (builds CA bundles), and `multirootca` (serves multiple CA keys). When running as a server, it exposes RESTful endpoints for sign, info, and bundle operations, optionally backed by a database for certificate tracking.
## Self-Hosting & Configuration

- Install via `go install` or download pre-built binaries from the GitHub releases
- Define CA and certificate profiles in JSON config files specifying key algorithm, expiry, and usage
- Run `cfssl serve` to start the HTTP API on a configurable address and port
- Supports PKCS#11 for hardware security module (HSM) key storage
- Use SQLite, PostgreSQL, or MySQL as a certificate database backend

## Key Features

- Multi-root CA support via `multirootca` for serving certificates from multiple authorities
- OCSP responder for real-time certificate revocation status
- TLS configuration scanner (`cfssl scan`) evaluates cipher suites and protocol versions
- Certificate transparency log submission support
- Lightweight alternative to full-featured CAs like EJBCA or Vault PKI

## Comparison with Similar Tools

- **step-ca (Smallstep)** — modern CA with ACME protocol support and richer identity features
- **HashiCorp Vault PKI** — secrets engine that issues certificates as part of a broader secrets platform
- **mkcert** — focused on local development certificates only, not production PKI
- **Let's Encrypt (ACME)** — public CA for internet-facing domains; CFSSL targets internal PKI
- **OpenSSL** — lower-level toolkit; CFSSL provides higher-level workflows

## FAQ

**Q: Is CFSSL suitable for production internal CAs?**
A: Yes. Cloudflare uses it at scale, and it supports HSM key storage, database-backed tracking, and OCSP.

**Q: How does CFSSL compare to Let's Encrypt?**
A: Let's Encrypt issues publicly trusted certificates for internet domains. CFSSL is for building private CAs where you control the trust root.

**Q: Can I use CFSSL with Kubernetes?**
A: Yes. CFSSL can serve as a CA backend for Kubernetes certificate signing, and some projects use it alongside cert-manager.

**Q: Does CFSSL support the ACME protocol?**
A: No. For ACME support, consider step-ca or Boulder. CFSSL uses its own JSON-based API.
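The Quick Use commands above reference `ca-csr.json`, `config.json` and `server-csr.json` without showing them. The following added example (written for this page, not code from the CFSSL project) writes those three inputs, with separate `server` and `client` signing profiles so one certificate cannot serve both roles, then runs the issuance workflow and verifies the result. The subject names, hostnames and the `./pki` directory are illustrative assumptions.

```shell
# Added example, not CFSSL project code. Subject names, hostnames and
# the target directory are illustrative assumptions.
set -eu
# Write the three JSON inputs the Quick Use workflow consumes.
write_cfssl_configs() {
  dir="${1:-.}"; mkdir -p "$dir"
  # CA CSR: key algorithm, subject, and lifetime of the root itself.
  cat > "$dir/ca-csr.json" <<'EOF'
{
  "CN": "Example Internal Root CA",
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [{ "C": "US", "O": "Example Corp", "OU": "Infra Security" }],
  "ca": { "expiry": "43800h" }
}
EOF
  # Signing config: "default" applies when -profile is omitted; the named
  # profiles restrict extended key usage to server auth or client auth only.
  cat > "$dir/config.json" <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h", "usages": ["signing", "key encipherment"] },
    "profiles": {
      "server": { "expiry": "8760h",
                  "usages": ["signing", "key encipherment", "server auth"] },
      "client": { "expiry": "8760h",
                  "usages": ["signing", "key encipherment", "client auth"] }
    }
  }
}
EOF
  # Leaf CSR: "hosts" become the SANs; CFSSL warns when the list is empty.
  cat > "$dir/server-csr.json" <<'EOF'
{
  "CN": "api.internal.example",
  "hosts": ["api.internal.example", "10.0.0.10"],
  "key": { "algo": "ecdsa", "size": 256 }
}
EOF
}
# Issue a server certificate with the "server" profile and check the result
# (subshell body so the cd does not leak into the caller).
issue_server_cert() (
  cd "${1:-.}"
  command -v cfssl >/dev/null 2>&1 || { echo "cfssl not installed" >&2; return 2; }
  cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json \
    -profile=server server-csr.json | cfssljson -bare server
  openssl verify -CAfile ca.pem server.pem                  # must chain to our root
  openssl x509 -in server.pem -noout -ext extendedKeyUsage  # expect TLS Web Server Authentication only
)
```

Run `write_cfssl_configs ./pki && issue_server_cert ./pki`; the second step needs `cfssl`, `cfssljson` and `openssl` on PATH.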
## Sources

- https://github.com/cloudflare/cfssl
- https://blog.cloudflare.com/introducing-cfssl/

---

Source: https://tokrepo.com/en/workflows/asset-2d43138b
Author: Script Depot