whatisgithub

What is cfssl?

cloudflare/cfssl — explained in plain English

Analysis updated 2026-06-24

9,410GoAudience · ops devopsComplexity · 4/5Setup · moderate

In one sentence

CFSSL is Cloudflare's open-source toolkit for creating and managing TLS certificates, letting teams run their own internal certificate authority from the command line or as an HTTP API server.

Mindmap

mindmap
  root((cfssl))
    What it does
      Certificate authority
      TLS cert signing
      Bundle generation
    Tools
      cfssl CLI and API
      cfssljson file writer
      multirootca multi-key
    Tech Stack
      Go
      Pre-built binaries
    Use Cases
      Internal CA setup
      Private network certs
      Automated cert signing
    Deployment
      Command line tool
      HTTP API server
      JSON output format
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Set up an internal certificate authority to issue TLS certificates for private networks or test environments without paying a commercial provider.

USE CASE 2

Run CFSSL as an HTTP API server so automated systems can request and receive signed certificates without manual file handling.

USE CASE 3

Use the cfssljson tool to convert CFSSL's JSON output into standard PEM files that web servers and clients expect.

USE CASE 4

Manage certificates across multiple teams using multirootca with separate signing keys per domain or security boundary.

What is it built with?

Go

How does it compare?

cloudflare/cfsslreplicate/coggoplus/xgo
Stars9,4109,4119,417
LanguageGoGoGo
Setup difficultymoderatemoderatemoderate
Complexity4/53/53/5
Audienceops devopsdatadeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires understanding certificate authority concepts, pre-built binaries are available so no Go compiler is needed.

So what is it?

CFSSL is a collection of tools from Cloudflare for managing TLS certificates, which are the digital documents that websites use to prove their identity and encrypt traffic. If you have ever seen the padlock icon in a browser address bar, that padlock exists because the site holds a valid certificate. CFSSL helps organizations create, sign, and organize those certificates themselves rather than relying entirely on outside certificate providers. The toolkit ships as several programs. The main one, also called cfssl, works both as a command-line tool and as a web server that other programs can talk to over HTTP. You can use it to generate private keys, create certificate requests, sign certificates with your own certificate authority, and assemble certificate bundles. A certificate bundle is a collection of certificates that browsers and operating systems check when verifying that a certificate can be trusted. Two companion tools round out the package. multirootca lets you run a certificate authority that can use more than one signing key, which is useful for organizations that manage certificates across multiple teams or security domains. cfssljson takes the JSON output that cfssl produces and writes the certificate and key files to disk in the standard formats that most web servers expect. The project is written in Go and published as open-source code. Pre-built binaries are available for people who do not want to compile from source. Because it can run as an HTTP API server, teams can build it into internal workflows where other tools send certificate requests and receive signed certificates back without anyone handling files by hand. CFSSL is aimed at developers and infrastructure teams that need to operate their own internal certificate authority, for example to secure private networks or test environments, without purchasing certificates from a commercial provider.

Copy-paste prompts

Prompt 1
Show me how to use cfssl to create a root CA, issue a server certificate, and write the PEM files using cfssljson.
Prompt 2
How do I run CFSSL as an HTTP API server and send a certificate signing request to it using curl?
Prompt 3
Write a cfssl config JSON that signs certificates valid for one year with both server auth and client auth extended key usages.
Prompt 4
How do I install CFSSL on Linux using a pre-built binary and verify it is working correctly?
Prompt 5
Show me how to use multirootca to manage two separate signing authorities with different key configurations.

Frequently asked questions

What is cfssl?

CFSSL is Cloudflare's open-source toolkit for creating and managing TLS certificates, letting teams run their own internal certificate authority from the command line or as an HTTP API server.

What language is cfssl written in?

Mainly Go. The stack also includes Go.

How hard is cfssl to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is cfssl for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.