Installation cfssl in Unix/Linux

Installation cfssl in Unix/Linux

CFSSL is a utility for working with PKI/TLS which allows you to sign, verify and merge TLS certificates. This utility created and podderjivaut to CloudFlare company. To use this program to install GO 1.8+.

Setting the Go/Golang in Unix/Linux

Now, go to installation.

Installation cfssl in Linux

Downloaded 2 files:

$ wget -q --show-progress --https-only --timestamping

PS: There is 2 types of bits for Linux:

  • cfssljson_linux-386 and cfssl_linux-386.
  • cfssljson_linux-amd64 and cfssl_linux-amd64.
  • cfssljson_linux-arm and cfssl_linux-arm.

Put rights:

# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64

Prestim files:

# mv cfssl_linux-amd64 /usr/local/bin/cfssl 
# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

Check the version:

$ cfssl version

You are ready to use.

Installation cfssl in Mac OS X

There is a few ways how to install this software on your server.

-=== METHOD 1 ===-

Downloaded 2 files:

$ wget -q --show-progress --https-only --timestamping

PS: There is 2 types of bits for Mac OS X:

  • cfssljson_darwin-386 and cfssl_darwin-386.
  • cfssljson_darwin-amd64 and cfssl_darwin-amd64.

Put rights:

# chmod +x cfssl*

Prestim files:

# mv cfssl_darwin-amd64 /usr/local/bin/cfssl && mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson

Check the version:

$ cfssl version

-=== METHOD 2 ===-

Also, you can use brew to install:

$ brew install cfssl

You are ready to use.

Cfssl installation on other Unix/Linux OS

To assemble cfssl requires Go 1.8+ correctly installed and GOPATH. After that, execute:

$ git clone [email protected]:cloudflare/cfssl.git $GOPATH/src/ 
$ cd $GOPATH/src/ 
$ make

Setting cfssl in Unix/Linux

Don’t see any settings for this utility. If I find something interesting, will complement this section.

Use cfssl in Unix/Linux

Create a folder:

$ mkdir tmp && cd $_

Create a CA (certificate authority or CA):

$ cat > ca-config.json << EOF 
 "signing": { 
 "default": { 
 "expiry": "8760h" 
 "profiles": { 
 "kubernetes": { 
 "usages": ["signing", "key encipherment", "server auth", "client auth"], 
 "expiry": "8760h" 

Create a CSR signature:

$ cat > ca-csr.json << EOF 
 "CN": "Kubernetes", 
 "key": { 
 "algo": "rsa", 
 "size": 2048 
 "names": [ 
 "C": "UA", 
 "L": "Kiev", 
 "O": "Kubernetes", 
 "OU": "CA", 
 "ST": "Kiev" 

You can add the host(s), for example:

 "hosts": [ 
 "CN": "", 
 "key": { 
 "algo": "rsa", 
 "size": 2048 
 "names": [{ 
 "C": "UA", 
 "L": "Kiev", 
 "O": "Kubernetes", 
 "OU": "CA", 
 "ST": "Kiev" 

Create the certificate:

$ cfssl gencert-initca ca-csr.json | cfssljson -bare ca

Get example output:

2018/11/15 16:49:38 [INFO] generating a new CA key and certificate from a CSR 
2018/11/15 16:49:38 [INFO] generate request received 
2018/11/15 16:49:38 [INFO] received CSR 
2018/11/15 16:49:38 [INFO] generating key: rsa-2048 
2018/11/15 16:49:38 [INFO] encoded CSR 
2018/11/15 16:49:38 [INFO] signed certificate with serial number 352959392755430077750949756394023000115317850199 

Other support teams

Create a self-signed certificate using the CSR:

$ cfssl selfsign ca-csr.json | cfssljson -bare selfsigned

The generated self-signed root CA certificate and private key:

$ cfssl genkey -initca csr.json | cfssljson -bare ca

Generated remote-issued certificate and private key:

$ cfssl gencert -remote=remote_server [-hostname=comma,separated,hostnames] csr.json

Generated local-issued certificate and private key:

$ cfssl gencert-ca cert -ca-key key [-hostname=comma,separated,hostnames] csr.json

This command will generate and issue the certificate and the private key of a local CA using JSON. You can use hostname to override the SAN certificates.

Update OCSP response file with the new certificate:

$ cfssl ocspsign -ca cert-key responder-responder-key key -- cert cert  
| cfssljson -bare -stdout >> responses

This will cause the OCSP response for the certificate and adds it to answer file. You can then transfer the answers to ocspserve to run OCSP server.

Run CFSSL API server. In CFSSL has support for HTTP server API; All necessary materials can be found in doc/api/intro.txt document. The server is started with the command:

$ cfssl serve [-address address] [-ca cert] [-ca-bundle bundle]  
[-ca-key key] [-int-bundle bundle] [-int,-dir dir] [-port port]  
[-metadata file] [-remote remote_host] [-config config]  
[-responder cert] [-responder-key key] [-db-config db-config]


$ cfssl serve-address=localhost -port=8888 -ca-key=ca-key.pem -ca=ca-cert.pem

The output logs can be controlled by using the “-loglevel” option:

$ cfssl serve-loglevel 0

Where levels is:

  • 0 — DEBUG
  • 1 — INFO (default)
  • 2 — WARNING
  • 3 — ERROR
  • 4 — CRITICAL

For assistance, you can use:

$ cfssl -h 
Available commands: 
Top-level flags: 
 Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962. 

That’s all, “Install cfssl in Unix/Linux” is completed.


(Visited 266 times, 1 visits today)