Scripts · May 10, 2026 · 1 min read

CFSSL — PKI and TLS Certificate Toolkit by Cloudflare

CFSSL is a versatile toolkit for building and operating a private certificate authority, handling certificate signing, bundling, and TLS configuration scanning.

Introduction

CFSSL (Cloudflare's SSL) is an open-source PKI toolkit written in Go that Cloudflare uses internally to manage its own certificate infrastructure. It provides both a CLI and an HTTP API server for certificate generation, signing, and bundling, making it suitable for building internal CAs and automating TLS across services.

What CFSSL Does

  • Generates root and intermediate CA certificates from JSON configuration
  • Signs certificate requests with configurable profiles (expiry, key usage, extensions)
  • Bundles certificates into optimal chains for TLS deployment
  • Scans remote hosts for TLS configuration quality and vulnerabilities
  • Serves as an HTTP API for programmatic certificate issuance

Architecture Overview

CFSSL ships as a set of Go binaries: cfssl (the main tool and, via cfssl serve, the API server), cfssljson (extracts PEM files from cfssl's JSON output), mkbundle (builds CA bundles), and multirootca (serves signing requests for several CA keys, each selected by a label in the request). When running as a server, it exposes REST endpoints under /api/v1/cfssl/ for sign, authsign, info, bundle, newcert and related operations, optionally backed by a database that records issued certificates and feeds revocation and OCSP.

Self-Hosting & Configuration

  • Install via go install or download pre-built binaries from the GitHub releases
  • Define CA and certificate profiles in JSON config files specifying key algorithm, expiry, and usage
  • Run cfssl serve to start the HTTP API on a configurable address and port
  • Supports PKCS#11 for hardware security module (HSM) key storage
  • Use SQLite, PostgreSQL, or MySQL as a certificate database backend
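The steps above as one runnable procedure, written here as an added example rather than code from the CFSSL project: it generates a root CA from a JSON CSR, writes a signing config whose profiles carry an auth_key, issues a server certificate locally, then starts cfssl serve and issues a second certificate through the authenticated API. The CA name, hostnames, working directory and key are made up; the cfssl steps only run when cfssl and cfssljson are on PATH, otherwise the script just writes the config files.

```shell
#!/bin/sh
# Added example, not CFSSL project code: build a private root CA, issue a
# server certificate locally, then issue one through `cfssl serve` using an
# HMAC-authenticated profile.  Names, paths and the key are made up here;
# the cfssl steps only run if cfssl and cfssljson are on PATH.
set -eu

WORKDIR="${CFSSL_DEMO_DIR:-$(mktemp -d)}"
API_ADDR=127.0.0.1
API_PORT=8888

# 16 random bytes as 32 hex characters; the "standard" auth key type is hex.
gen_auth_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Root CSR: ECDSA P-256, ten years, pathlen 1 so the root may sign one tier
# of intermediates and nothing below them.
write_ca_csr() {
    cat > "$WORKDIR/ca-csr.json" <<'EOF'
{
  "CN": "Example Internal Root CA",
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "O": "Example Corp", "OU": "Platform Security" } ],
  "ca": { "expiry": "87600h", "pathlen": 1 }
}
EOF
}

# Server-side signing policy.  No profile carries "cert sign", so nothing
# issued here can act as a CA; auth_key on the profile makes the plain
# /sign endpoint refuse it, forcing clients through /authsign.
write_signing_config() {
    cat > "$WORKDIR/ca-config.json" <<EOF
{
  "signing": {
    "default": { "expiry": "720h" },
    "profiles": {
      "server": {
        "expiry": "2160h",
        "usages": [ "signing", "key encipherment", "server auth" ],
        "auth_key": "primary"
      }
    }
  },
  "auth_keys": { "primary": { "type": "standard", "key": "$1" } }
}
EOF
}

# Leaf CSR for an internal API host (made-up names).
write_server_csr() {
    cat > "$WORKDIR/server-csr.json" <<'EOF'
{
  "CN": "api.internal.example",
  "hosts": [ "api.internal.example", "10.0.0.5" ],
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [ { "O": "Example Corp", "OU": "Platform" } ]
}
EOF
}

# Client-side config: route signing to the remote CA and authenticate with
# the shared key (the auth_remote form from the cfssl docs).
write_client_config() {
    cat > "$WORKDIR/client-config.json" <<EOF
{
  "signing": {
    "default": { "auth_remote": { "remote": "ca", "auth_key": "primary" } }
  },
  "auth_keys": { "primary": { "type": "standard", "key": "$1" } },
  "remotes": { "ca": "$API_ADDR:$API_PORT" }
}
EOF
}

issue_local() {
    cfssl gencert -initca "$WORKDIR/ca-csr.json" | cfssljson -bare "$WORKDIR/ca"
    cfssl gencert -ca "$WORKDIR/ca.pem" -ca-key "$WORKDIR/ca-key.pem" \
        -config "$WORKDIR/ca-config.json" -profile server \
        "$WORKDIR/server-csr.json" | cfssljson -bare "$WORKDIR/server-local"
}

issue_remote() {
    cfssl serve -ca "$WORKDIR/ca.pem" -ca-key "$WORKDIR/ca-key.pem" \
        -config "$WORKDIR/ca-config.json" -address "$API_ADDR" -port "$API_PORT" \
        > "$WORKDIR/serve.log" 2>&1 &
    srv=$!
    sleep 1
    # The unauthenticated path must be refused because the profile has an auth key.
    if cfssl gencert -remote "$API_ADDR:$API_PORT" -profile server \
        "$WORKDIR/server-csr.json" > /dev/null 2>&1; then
        echo "unauthenticated /sign was accepted; check auth_key" >&2; kill "$srv"; exit 1
    fi
    cfssl gencert -config "$WORKDIR/client-config.json" -profile server \
        "$WORKDIR/server-csr.json" | cfssljson -bare "$WORKDIR/server-remote"
    kill "$srv"
}

AUTH_KEY=$(gen_auth_key)
write_ca_csr
write_signing_config "$AUTH_KEY"
write_server_csr
write_client_config "$AUTH_KEY"

if command -v cfssl > /dev/null 2>&1 && command -v cfssljson > /dev/null 2>&1; then
    issue_local
    issue_remote
else
    echo "cfssl/cfssljson not on PATH; configs written to $WORKDIR" >&2
fi
```

The negative check in issue_remote is the part worth keeping in a real deployment test: a profile with an auth_key must be rejected by /sign and accepted only through /authsign, so a regression that drops the key from the config is caught before the server goes live. For production, keep the root key offline and point cfssl serve at an intermediate signed by it.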

Key Features

  • Multi-root CA support via multirootca for serving certificates from multiple authorities
  • OCSP responder for real-time certificate revocation status
  • TLS configuration scanner (cfssl scan) evaluates cipher suites and protocol versions
  • Certificate transparency log submission support
  • Lightweight alternative to full-featured CAs like EJBCA or Vault PKI

Comparison with Similar Tools

  • step-ca (Smallstep) — modern CA with ACME protocol support and richer identity features
  • HashiCorp Vault PKI — secrets engine that issues certificates as part of a broader secrets platform
  • mkcert — focused on local development certificates only, not production PKI
  • Let's Encrypt (ACME) — public CA for internet-facing domains; CFSSL targets internal PKI
  • OpenSSL — lower-level toolkit; CFSSL provides higher-level workflows

FAQ

Q: Is CFSSL suitable for production internal CAs? A: Yes. Cloudflare uses it at scale, and it supports HSM key storage, database-backed tracking, OCSP, and HMAC-authenticated issuance. Two caveats: the plain sign endpoint has no authentication, so give every profile an auth_key (which forces clients through the authsign endpoint) and restrict network access to the server; and keep the root key offline, serving only an intermediate from cfssl serve.
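What the authenticated API exchange looks like on the wire, as an added example that is not CFSSL project code: the client wraps its sign request in the authsign envelope, where token is the base64 HMAC-SHA256 of the raw request bytes under the shared hex key and request is the base64 of those bytes. It assumes a running cfssl serve whose "server" profile carries an auth_key, the matching hex key in $CFSSL_AUTH_KEY and a PEM CSR in $CSR_FILE; the URL is an assumption and the CSR text used in any test is constructed.

```shell
#!/bin/sh
# Added example, not CFSSL project code: build the /api/v1/cfssl/authsign
# body by hand so a certificate can be requested from any tool that has
# HMAC-SHA256 and base64.  Assumes a cfssl serve instance whose "server"
# profile carries an auth_key, its hex key in $CFSSL_AUTH_KEY, and a CSR
# file in $CSR_FILE; the URL below is made up.
set -eu

CA_URL="${CFSSL_URL:-http://127.0.0.1:8888}"

# PEM spans several lines, JSON strings cannot.  PEM contains no quotes or
# backslashes, so escaping the newlines is the whole job.
json_escape_pem() {
    awk '{ printf "%s\\n", $0 }' "$1"
}

# Inner request: the same JSON the unauthenticated /sign endpoint accepts.
build_sign_request() {
    printf '{"certificate_request":"%s","profile":"%s"}' \
        "$(json_escape_pem "$1")" "$2"
}

# token = base64(HMAC-SHA256(key, request)).  CFSSL's "standard" provider
# MACs the raw request bytes, not their base64 form, and hex-decodes the key.
hmac_token() {
    printf '%s' "$2" \
        | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -binary \
        | base64 | tr -d '\n'
}

# Outer envelope: Go's encoding/json renders the []byte fields as base64.
build_authsign_body() {
    req=$(build_sign_request "$2" "$3")
    printf '{"token":"%s","request":"%s"}' "$(hmac_token "$1" "$req")" \
        "$(printf '%s' "$req" | base64 | tr -d '\n')"
}

# key, CSR file, profile -> POST; the JSON response feeds cfssljson directly.
request_certificate() {
    build_authsign_body "$1" "$2" "$3" | curl -sS -H 'Content-Type: application/json' \
        --data-binary @- "$CA_URL/api/v1/cfssl/authsign"
}

if [ -n "${CFSSL_AUTH_KEY:-}" ] && [ -f "${CSR_FILE:-}" ]; then
    request_certificate "$CFSSL_AUTH_KEY" "$CSR_FILE" server | cfssljson -bare issued
else
    echo "set CFSSL_AUTH_KEY and CSR_FILE to send a real request" >&2
fi
```

The cfssl CLI does exactly this when its config routes a profile through auth_remote; spelling it out matters when the requester is a provisioning script or a non-Go service that cannot link the cfssl packages. Because the MAC covers the whole inner request, a client cannot swap the profile or CSR after the token is computed, but the key is a shared secret: anyone holding it can request any profile it is attached to, so scope one key per consumer.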

Q: How does CFSSL compare to Let's Encrypt? A: Let's Encrypt issues publicly trusted certificates for internet domains. CFSSL is for building private CAs where you control the trust root.

Q: Can I use CFSSL with Kubernetes? A: Yes. CFSSL can serve as a CA backend for Kubernetes certificate signing, and some projects use it alongside cert-manager.

Q: Does CFSSL support ACME protocol? A: No. For ACME support, consider step-ca or Boulder. CFSSL uses its own JSON-based API.
