macOS
brew install cfssllocal Homebrew formula metadata
sudo port install cfsslMacPorts ports tree · security/cfssl/Portfile · source: api.github.com
brew
CloudFlare's PKI toolkit. Version 1.6.5 via Homebrew; verified from local package data.
install
brew install cfssllocal Homebrew formula metadata
sudo port install cfsslMacPorts ports tree · security/cfssl/Portfile · source: api.github.com
sudo apk add cfsslAlpine Linux edge package indexes · cfssl · source: dl-cdn.alpinelinux.org
nix profile install nixpkgs#cfsslnixpkgs package indexes · pkgs/by-name/cf/cfssl/package.nix · source: api.github.com
sudo pacman -S cfsslArch Linux sync databases · cfssl · source: geo.mirror.pkgbuild.com
scoop install extras/cfsslScoop official bucket manifest trees · bucket/cfssl.json · source: api.github.com
overview
CloudFlare's PKI toolkit
history
CFSSL is Cloudflare's PKI and TLS toolkit. The official README describes it as both a command-line tool and an HTTP API server for signing, verifying, bundling, scanning, and serving certificate-authority workflows.
Cloudflare introduced CFSSL in July 2014 as an open-source toolkit for TLS and SSL, saying it was used internally for certificate-chain bundling and internal certificate-authority infrastructure. The GitHub repository was created the same month under Cloudflare's organization.
The project is written in Go and ships multiple utilities, including `cfssl`, `cfssljson`, `cfssl-bundle`, `cfssl-certinfo`, `cfssl-newkey`, `cfssl-scan`, `mkbundle`, and `multirootca`. The documentation covers CLI operation, JSON configuration, authentication, an HTTP API, certificate bundling, signing, OCSP, and CA serving.
CFSSL became a durable package because it solves operational PKI tasks that teams need outside a browser or a single web server: generating CSRs and keys, signing certificates, bundling chains, scanning hosts, and exposing CA operations through an API.
The package metadata in this batch shows CFSSL packaged across Homebrew, Alpine, MacPorts, Nix, Arch, and Scoop. Official installation also supports `go install` and prebuilt GitHub release binaries.
The `cfssl` command supports subcommands such as sign, bundle, genkey, gencert, serve, version, selfsign, and print-defaults. The README documents default CA credential filenames `ca.pem` and `ca_key.pem` for signing and serving.
The configuration file is a JSON dictionary for signing profiles, OCSP, authentication, and remote servers, but the docs present it as an argument such as `-config config` rather than a fixed path. For that reason, the config-file location is null while the default CA credential filenames are recorded.
CFSSL is package-nerd significant because it turns PKI operations that are often hidden inside bespoke scripts into a set of installable Unix-style commands and a documented API server.
It is also a classic Go security-tool package: one upstream repository builds several related executables, package managers expose the main toolkit, and operators can choose between system packages, Homebrew, Scoop, prebuilt release binaries, or `go install`.
security posture
infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Credential-bearing paths to review before unattended agent runs.
ca.pemca_key.pemexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
cfssl | cli | global executable | |
cfssl-bundle | cli | global executable | |
cfssl-certinfo | cli | global executable | |
cfssl-newkey | cli | global executable | |
cfssl-scan | cli | global executable | |
cfssljson | cli | global executable | |
multirootca | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/cloudflare/cfssl
install metadata
| Package key | brew:cfssl |
|---|---|
| Version | 1.6.5 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/cfssl |
| Homepage | https://cfssl.org/ |
| Repository | https://github.com/cloudflare/cfssl |
| Upstream docs | https://cfssl.org/ |
| License | BSD-2-Clause |
| Source archive | https://github.com/cloudflare/cfssl/archive/refs/tags/v1.6.5.tar.gz |
| Dependencies | libtool |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | cfssl |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
cfssl
nix profile install nixpkgs#cfsslcfssl 1.6.5-r15
Cloudflare PKI and TLS toolkit
sudo apk add cfsslcfssl 1.6.5-2
CloudFlare PKI and TLS toolkit
sudo pacman -S cfsslcfssl
sudo port install cfsslextras/cfssl
scoop install extras/cfsslsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.