Repository record (from the page's data):

* Repository: [cloudflare/cfssl](https://github.com/cloudflare/cfssl), owner `cloudflare`, default branch `master`, not archived, not a fork
* Description: CFSSL: Cloudflare's PKI and TLS toolkit
* Homepage: https://cfssl.org/
* Language: Go; license: BSD 2-Clause "Simplified" License
* Stars: 9434 (2 in the last day, 5 in the last 7 days, 27 in the last 30 days); forks: 1142; watchers: 201; open issues: 269
* Record updated: 2026-06-12 02:01:08; last sync: 2026-06-11 03:02:27

Summary (translated from the page's Chinese summary): CFSSL is Cloudflare's PKI and TLS toolkit, designed to simplify certificate signing, verification and bundling. The project is written in Go and provides a set of libraries for building custom TLS PKI tools, along with several command-line tools including `cfssl`, the multi-root CA server `multirootca`, the certificate-pool builder `mkbundle`, and others. It also supports operation through an HTTP API. CFSSL suits scenarios that need flexible, automated management of TLS certificates, such as deploying secure services in cloud environments. Its simple design and strong feature set let developers integrate it into their own projects easily to improve security.

# CFSSL

[![Build Status](https://travis-ci.org/cloudflare/cfssl.svg?branch=master)](https://travis-ci.org/cloudflare/cfssl)
[![Coverage Status](http://codecov.io/github/cloudflare/cfssl/coverage.svg?branch=master)](http://codecov.io/github/cloudflare/cfssl?branch=master)
[![GoDoc](https://godoc.org/github.com/cloudflare/cfssl?status.svg)](https://godoc.org/github.com/cloudflare/cfssl)

## CloudFlare's PKI/TLS toolkit

CFSSL is CloudFlare's PKI/TLS Swiss Army knife. It is both a command line
tool and an HTTP API server for signing, verifying, and bundling TLS
certificates. It requires Go 1.20+ to build.

Note that certain Linux distributions (RHEL-based distributions in
particular) ship a Go toolchain with certain algorithms removed, so the Go
packages from the official repositories will not work. Users of these
distributions should [install Go manually](//golang.org/dl) before
building CFSSL.

CFSSL consists of:

* a set of packages useful for building custom TLS PKI tools
* the `cfssl` program, which is the canonical command line utility
  using the CFSSL packages.
* the `multirootca` program, which is a certificate authority server
  that can use multiple signing keys.
* the `mkbundle` program, which is used to build certificate pool bundles.
* the `cfssljson` program, which takes the JSON output from the
  `cfssl` and `multirootca` programs and writes certificates, keys,
  CSRs, and bundles to disk.

### Building

Building cfssl requires a
[working Go 1.20+ installation](http://golang.org/doc/install).

```
$ git clone git@github.com:cloudflare/cfssl.git
$ cd cfssl
$ make
$ make install
```

The resulting binaries will be in the bin folder:
```
$ tree bin
bin
├── cfssl
├── cfssl-bundle
├── cfssl-certinfo
├── cfssl-newkey
├── cfssl-scan
├── cfssljson
├── mkbundle
└── multirootca

0 directories, 8 files
```

#### Cross Compilation

You can set the `GOOS` and `GOARCH` environment variables to have Go cross compile for alternative platforms; however, cfssl requires cgo, and cgo requires a working compiler toolchain for the target platform.

### Installation

Installation requires a [working Go 1.20+ installation](http://golang.org/doc/install).
Alternatively, [prebuilt binaries are available](https://github.com/cloudflare/cfssl/releases).

```
$ go install github.com/cloudflare/cfssl/cmd/...@latest
```

This will download, build, and install all of the utility programs
(including `cfssl`, `cfssljson`, and `mkbundle` among others).

### Using the Command Line Tool

The `cfssl` command line tool takes a command to specify what
operation it should carry out:

       sign             signs a certificate
       bundle           build a certificate bundle
       genkey           generate a private key and a certificate request
       gencert          generate a private key and a certificate
       serve            start the API server
       version          prints out the current version
       selfsign         generates a self-signed certificate
       print-defaults   print default configurations

Use `cfssl [command] -help` to find out more about a command.
The `version` command takes no arguments.

#### Signing

```
cfssl sign [-ca cert] [-ca-key key] [-hostname comma,separated,hostnames] csr [subject]
```

The `csr` is the client's certificate request. The `-ca` and `-ca-key`
flags are the CA's certificate and private key, respectively. By
default, they are `ca.pem` and `ca_key.pem`. The `-hostname` flag is
a comma-separated hostname list that overrides the DNS names and
IP addresses in the certificate's SAN extension.
For example, assuming the CA's private key is in
`/etc/ssl/private/cfssl_key.pem` and the CA's certificate is in
`/etc/ssl/certs/cfssl.pem`, to sign the certificate request in
`cloudflare.pem` for cloudflare.com:

```
cfssl sign -ca     /etc/ssl/certs/cfssl.pem       \
           -ca-key /etc/ssl/private/cfssl_key.pem \
           -hostname cloudflare.com               \
           ./cloudflare.pem
```

The CSR may also be given with the `-csr` flag; when both are present,
the flag value takes precedence over the positional argument.

The subject is an optional file containing subject information to be
used in place of the information from the CSR. It should be
a JSON file as follows:

```json
{
    "CN": "example.com",
    "names": [
        {
            "C":  "US",
            "L":  "San Francisco",
            "O":  "Internet Widgets, Inc.",
            "OU": "WWW",
            "ST": "California"
        }
    ]
}
```

**N.B.** As of Go 1.7, self-signed certificates will not include
[the AKI](https://go.googlesource.com/go/+/b623b71509b2d24df915d5bc68602e1c6edf38ca)
(Authority Key Identifier).

#### Bundling

```
cfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \
             [-metadata metadata_file] [-flavor bundle_flavor] \
             -cert certificate_file [-key key_file]
```

The bundles are used for the root and intermediate certificate
pools. In addition, platform metadata is specified through `-metadata`.
The bundle files, metadata file (and auxiliary files) can be
found at:

        https://github.com/cloudflare/cfssl_trust

Specify the PEM-encoded client certificate and key through `-cert` and
`-key` respectively. If a key is specified, the bundle will be built
and verified against the key; otherwise the bundle is built without a
private key. Instead of a file path, use `-` to read the certificate PEM
from stdin. The certificate file may itself contain a (partial)
certificate chain.

Specify the bundling flavor through `-flavor`. There are three flavors:
`optimal` builds the shortest chain using the most advanced
cryptographic algorithms, `ubiquitous` builds the chain most widely
accepted across browsers and OS platforms, and `force` produces an
acceptable bundle whose content is identical to the input certificate
file.

Alternatively, the client certificate can be pulled directly from
a domain. It is also possible to connect to the remote address
through `-ip`.

```
cfssl bundle [-ca-bundle bundle] [-int-bundle bundle] \
             [-metadata metadata_file] [-flavor bundle_flavor] \
             -domain domain_name [-ip ip_address]
```

The bundle output has the following form:

```json
{
    "bundle": "CERT_BUNDLE_IN_PEM",
    "crt": "LEAF_CERT_IN_PEM",
    "crl_support": true,
    "expires": "2015-12-31T23:59:59Z",
    "hostnames": ["example.com"],
    "issuer": "ISSUER CERT SUBJECT",
    "key": "KEY_IN_PEM",
    "key_size": 2048,
    "key_type": "2048-bit RSA",
    "ocsp": ["http://ocsp.example-ca.com"],
    "ocsp_support": true,
    "root": "ROOT_CA_CERT_IN_PEM",
    "signature": "SHA1WithRSA",
    "subject": "LEAF CERT SUBJECT",
    "status": {
        "rebundled": false,
        "expiring_SKIs": [],
        "untrusted_root_stores": [],
        "messages": [],
        "code": 0
    }
}
```

#### Generating certificate signing request and private key

```
cfssl genkey csr.json
```

To generate a private key and corresponding certificate request, specify
the key request as a JSON file. This file should follow the form:

```json
{
    "hosts": [
        "example.com",
        "www.example.com",
        "https://www.example.com",
        "jdoe@example.com",
        "127.0.0.1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C":  "US",
            "L":  "San Francisco",
            "O":  "Internet Widgets, Inc.",
            "OU": "WWW",
            "ST": "California"
        }
    ]
}
```

#### Generating self-signed root CA certificate and private key

```
cfssl genkey -initca csr.json | cfssljson -bare ca
```

To generate a self-signed root CA certificate, specify the key request as
a JSON file in the same format as for `genkey`. Three PEM-encoded entities
will appear in the output: the private key, the CSR, and the self-signed
certificate.

#### Generating a remote-issued certificate and private key

```
cfssl gencert -remote=remote_server [-hostname=comma,separated,hostnames] csr.json
```

This calls `genkey` but has a remote CFSSL server sign and issue
the certificate. You may use `-hostname` to override the certificate SANs.

#### Generating a local-issued certificate and private key

```
cfssl gencert -ca cert -ca-key key [-hostname=comma,separated,hostnames] csr.json
```

This generates a private key and issues a certificate from a local CA
via a JSON request. You may use `-hostname` to override the certificate SANs.

#### Updating an OCSP responses file with a newly issued certificate

```
cfssl ocspsign -ca cert -responder cert -responder-key key -cert cert \
 | cfssljson -bare -stdout >> responses
```

This will generate an OCSP response for the `cert` and append it to the
`responses` file (`-responder` is the OCSP responder's certificate and
`-responder-key` its private key). You can then pass `responses` to
`ocspserve` to start an OCSP server.

### Starting the API Server

CFSSL comes with an HTTP-based API server; the endpoints are
documented in [`doc/api/intro.txt`](doc/api/intro.txt). The server is started with the `serve`
command:

```
cfssl serve [-address address] [-ca cert] [-ca-bundle bundle] \
            [-ca-key key] [-int-bundle bundle] [-int-dir dir] [-port port] \
            [-metadata file] [-remote remote_host] [-config config] \
            [-responder cert] [-responder-key key] [-db-config db-config]
```

Address and port default to "127.0.0.1:8888". The `-ca` and `-ca-key`
arguments should be the PEM-encoded certificate and private key to use
for signing; by default, they are `ca.pem` and `ca_key.pem`. The
`-ca-bundle` and `-int-bundle` should be the certificate bundles used
for the root and intermediate certificate pools, respectively. These
default to `ca-bundle.crt` and `int-bundle.crt` respectively. If the
`-remote` option is specified, all signature operations will be forwarded
to the remote CFSSL.

`-int-dir` specifies an intermediates directory. `-metadata` is a file
describing which platform trust stores contain each root certificate: its
content is a JSON dictionary whose keys are SHA-1 digests of root
certificates and whose values are lists of key store filenames. `-config`
specifies a path to a configuration file. `-responder` and `-responder-key`
are the certificate and the private key for the OCSP responder, respectively.

The amount of logging can be controlled with the `-loglevel` option. This
comes *after* the serve command:

```
cfssl serve -loglevel 2
```

The levels are:

* 0 - DEBUG
* 1 - INFO (this is the default level)
* 2 - WARNING
* 3 - ERROR
* 4 - CRITICAL

### The multirootca

The `cfssl` program can act as an online certificate authority, but it
only uses a single key. If multiple signing keys are needed, the
`multirootca` program can be used. It only provides the `sign`,
`authsign` and `info` endpoints. The documentation contains instructions
for configuring and running the CA.

### The mkbundle Utility

`mkbundle` is used to build the root and intermediate bundles used in
verifying certificates. It can be installed with

```
go install github.com/cloudflare/cfssl/cmd/mkbundle@latest
```

It takes a collection of certificates, checks for CRL revocation (OCSP
support is planned for the next release) and expired certificates, and
bundles them into one file. It takes directories of certificates and
certificate files (which may contain multiple certificates). For example,
if the directory `intermediates` contains a number of intermediate
certificates:

```
mkbundle -f int-bundle.crt intermediates
```

will check those certificates and combine valid certificates into a single
`int-bundle.crt` file.

The `-f` flag specifies an output name; `-loglevel` specifies the verbosity
of the logging (using the same loglevels as above), and `-nw` controls the
number of revocation-checking workers.

### The cfssljson Utility

Most of the output from `cfssl` is in JSON. The `cfssljson` utility can take
this output and split it out into separate `key`, `certificate`, `CSR`, and
`bundle` files as appropriate. The tool's `-f` flag specifies the input file,
and its argument specifies the base name for the files produced. If the input
filename is `-` (which is the default), cfssljson reads from standard input.
The `-bare` flag used in the examples above tells cfssljson that the input is
the plain JSON printed by the `cfssl` command line rather than the API server's
wrapped response. It maps keys in the JSON file to filenames in the following
way:

* if __cert__ or __certificate__ is specified,         __basename.pem__          will be produced.
* if __key__  or __private_key__ is specified,         __basename-key.pem__      will be produced.
* if __csr__  or __certificate_request__ is specified, __basename.csr__          will be produced.
* if __bundle__       is specified,                    __basename-bundle.pem__   will be produced.
* if __ocspResponse__ is specified,                    __basename-response.der__ will be produced.

Instead of saving to a file, you can pass `-stdout` to output the encoded
contents to standard output.

### Static Builds

By default, the web assets are accessed from disk, based on their
relative locations. If you wish to distribute a single,
statically-linked `cfssl` binary, you'll want to embed these resources
before building. This can be done with the
[go.rice](https://github.com/GeertJohan/go.rice) tool.

```
pushd cli/serve && rice embed-go && popd
```

Then building with `go build` will use the embedded resources.

### Additional Documentation

Additional documentation can be found in the "doc" directory:

* [doc/api/intro.txt](doc/api/intro.txt): documents the API endpoints
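Added example (not from the cfssl README or the cfssl code base): the `genkey` step described under "Generating certificate signing request and private key", reimplemented in Go against only the standard library. It parses the csr.json layout shown there, generates the requested key, sorts each `hosts` entry into the matching SAN type, and emits the key and CSR as PEM. The host-classification precedence (IP literal, then e-mail, then URI, then DNS name), the refusal of RSA keys under 2048 bits, and the PKCS#8 key encoding are choices made here, not behaviour the README documents; `sampleCSRJSON` is the README's own request, embedded so the block runs stand-alone.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net"
	"net/mail"
	"net/url"
)

// Request mirrors the csr.json layout shown in the README: hosts, key, names.
// encoding/json matches field names case-insensitively, so "algo"/"size" and
// "C"/"L"/"O"/"OU"/"ST" need no tags.
type Request struct {
	CN    string                                `json:"CN"`
	Hosts []string                              `json:"hosts"`
	Key   struct{ Algo string; Size int }        `json:"key"`
	Names []struct{ C, L, O, OU, ST string }    `json:"names"`
}

// Constructed sample input: the README's genkey request, verbatim.
const sampleCSRJSON = `{"hosts": ["example.com", "www.example.com", "https://www.example.com", "jdoe@example.com", "127.0.0.1"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "US", "L": "San Francisco", "O": "Internet Widgets, Inc.", "OU": "WWW", "ST": "California"}]}`

// addHosts sorts each "hosts" entry into a SAN type: IP literal, then RFC 5322
// mailbox, then abs/te URI, otherwise DNS name (this precedence is an assumption).
func addHosts(tmpl *x509.CertificateRequest, hosts []string) {
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else if a, err := mail.ParseAddress(h); err == nil {
			tmpl.EmailAddresses = append(tmpl.EmailAddresses, a.Address)
		} else if u, err := url.ParseRequestURI(h); err == nil && u.Scheme != "" {
			tmpl.URIs = append(tmpl.URIs, u)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
}

// generateKey honours the "key" block; weak RSA and unknown curves are refused.
func generateKey(algo string, size int) (crypto.Signer, error) {
	switch algo {
	case "rsa":
		if size < 2048 {
			return nil, fmt.Errorf("rsa key of %d bits is too weak (minimum 2048)", size)
		}
		return rsa.GenerateKey(rand.Reader, size)
	case "ecdsa":
		if c, ok := map[int]elliptic.Curve{256: elliptic.P256(), 384: elliptic.P384(), 521: elliptic.P521()}[size]; ok {
			return ecdsa.GenerateKey(c, rand.Reader)
		}
		return nil, fmt.Errorf("unsupported ecdsa size %d", size)
	}
	return nil, fmt.Errorf("unsupported key algorithm %q", algo)
}

// GenKey is the genkey step: parse the request, make the key, build and sign the
// CSR, and return both as PEM (what cfssljson writes to NAME-key.pem and NAME.csr).
func GenKey(reqJSON []byte) (keyPEM, csrPEM []byte, err error) {
	var req Request
	if err := json.Unmarshal(reqJSON, &req); err != nil {
		return nil, nil, err
	}
	key, err := generateKey(req.Key.Algo, req.Key.Size)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: req.CN}}
	add := func(dst *[]string, v string) { // empty RDN values are dropped
		if v != "" {
			*dst = append(*dst, v)
		}
	}
	for _, n := range req.Names {
		add(&tmpl.Subject.Country, n.C)
		add(&tmpl.Subject.Locality, n.L)
		add(&tmpl.Subject.Organization, n.O)
		add(&tmpl.Subject.OrganizationalUnit, n.OU)
		add(&tmpl.Subject.Province, n.ST)
	}
	addHosts(tmpl, req.Hosts)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for RSA/ECDSA keys
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}), nil
}
```

`GenKey([]byte(sampleCSRJSON))` yields a CSR with two DNS SANs, one URI SAN, one e-mail SAN and one IP SAN, which is the point of the five-entry `hosts` list in the README: the same field carries every SAN type, and the tool decides which is which.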
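Added example (not from the cfssl README or the cfssl code base) covering three steps described above in standard-library Go: `genkey -initca` (a self-signed root, plus an intermediate issued from it), `sign` with the `-hostname` override, and `bundle` against root and intermediate pools. ECDSA P-256 keys throughout, a path-length constraint of 1 on the root and 0 on the intermediate, and a serverAuth-only leaf profile are choices made here; cfssl takes such profile settings from its signing configuration, which this page does not show. `Bundle` returns the shortest verified chain together with the earliest NotAfter found in it, the point after which the bundle as a whole stops validating.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"sort"
	"time"
)

// CA pairs an issuing certificate with its private key (root or intermediate).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// baseTemplate gives every certificate a random 128-bit serial and a lifetime.
func baseTemplate(subject pkix.Name, lifetime time.Duration) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return &x509.Certificate{SerialNumber: serial, Subject: subject,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(lifetime),
		BasicConstraintsValid: true}
}

// NewCA mints a CA: self-signed when parent is nil (what "genkey -initca"
// produces), otherwise issued by parent with pathlen 0 so it cannot mint CAs.
func NewCA(cn string, parent *CA, lifetime time.Duration) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := baseTemplate(pkix.Name{CommonName: cn}, lifetime)
	tmpl.IsCA, tmpl.MaxPathLen = true, 1
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	issuer := &CA{Cert: tmpl, Key: key} // self-signed unless a parent is given
	if parent != nil {
		issuer = parent
		tmpl.MaxPathLen, tmpl.MaxPathLenZero = 0, true
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, &key.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// Sign is the "sign" step. The CSR contributes only its public key and subject:
// its signature is checked first (proof of possession), its SANs are used only
// when no -hostname override is given, and CA status, key usages and lifetime
// are fixed by the issuer rather than copied from the request.
func Sign(issuer *CA, csrDER []byte, hostnames []string, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := baseTemplate(csr.Subject, lifetime) // IsCA stays false
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	tmpl.DNSNames, tmpl.IPAddresses = csr.DNSNames, csr.IPAddresses
	if len(hostnames) > 0 { // -hostname replaces the DNS and IP SANs wholesale
		tmpl.DNSNames, tmpl.IPAddresses = nil, nil
		for _, h := range hostnames {
			if ip := net.ParseIP(h); ip != nil {
				tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
			} else {
				tmpl.DNSNames = append(tmpl.DNSNames, h)
			}
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, csr.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Bundle is the "bundle" step: verify the leaf against the root and intermediate
// pools, keep the shortest valid chain (the "optimal" flavor's first criterion),
// and report the earliest NotAfter in it, which is when the bundle really expires.
func Bundle(leaf *x509.Certificate, intermediates, roots *x509.CertPool) ([]*x509.Certificate, time.Time, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	if err != nil {
		return nil, time.Time{}, err
	}
	sort.Slice(chains, func(i, j int) bool { return len(chains[i]) < len(chains[j]) })
	best, expires := chains[0], leaf.NotAfter
	for _, c := range best {
		if c.NotAfter.Before(expires) {
			expires = c.NotAfter
		}
	}
	return best, expires, nil
}
```

The security-relevant part is `Sign`: nothing is copied from the CSR except the public key and the subject, so a request that carried `IsCA`, a CA key usage or extra extensions cannot smuggle them into the issued certificate, and a CSR whose signature does not verify is refused before any template is built. `-hostname` is applied the way the README describes it, as a wholesale replacement of the DNS and IP SANs rather than an addition to them.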