Automic VaultAutomic Vault

brew

Install cfssl with Homebrew, apk, MacPorts, Nix, pacman, scoop

CloudFlare's PKI toolkit. Version 1.6.5 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cfssl

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install cfssl

MacPorts ports tree · security/cfssl/Portfile · source: api.github.com

Windows

Scoopverified · 92%
scoop install extras/cfssl

Scoop official bucket manifest trees · bucket/cfssl.json · source: api.github.com

overview

Package summary

CloudFlare's PKI toolkit

Commands and aliases

  • cfssl
  • cfssl-bundle
  • cfssl-certinfo
  • cfssl-newkey
  • cfssl-scan
  • cfssljson
  • multirootca

history

Project history and usage

CFSSL is Cloudflare's PKI and TLS toolkit. The official README describes it as both a command-line tool and an HTTP API server for signing, verifying, bundling, scanning, and serving certificate-authority workflows.

Project history

Cloudflare introduced CFSSL in July 2014 as an open-source toolkit for TLS and SSL, saying it was used internally for certificate-chain bundling and internal certificate-authority infrastructure. The GitHub repository was created the same month under Cloudflare's organization.

The project is written in Go and ships multiple utilities, including `cfssl`, `cfssljson`, `cfssl-bundle`, `cfssl-certinfo`, `cfssl-newkey`, `cfssl-scan`, `mkbundle`, and `multirootca`. The documentation covers CLI operation, JSON configuration, authentication, an HTTP API, certificate bundling, signing, OCSP, and CA serving.

Adoption history

CFSSL became a durable package because it solves operational PKI tasks that teams need outside a browser or a single web server: generating CSRs and keys, signing certificates, bundling chains, scanning hosts, and exposing CA operations through an API.

The package metadata in this batch shows CFSSL packaged across Homebrew, Alpine, MacPorts, Nix, Arch, and Scoop. Official installation also supports `go install` and prebuilt GitHub release binaries.

How it is used

The `cfssl` command supports subcommands such as sign, bundle, genkey, gencert, serve, version, selfsign, and print-defaults. The README documents default CA credential filenames `ca.pem` and `ca_key.pem` for signing and serving.

The configuration file is a JSON dictionary for signing profiles, OCSP, authentication, and remote servers, but the docs present it as an argument such as `-config config` rather than a fixed path. For that reason, the config-file location is null while the default CA credential filenames are recorded.

Why package nerds care

CFSSL is package-nerd significant because it turns PKI operations that are often hidden inside bespoke scripts into a set of installable Unix-style commands and a documented API server.

It is also a classic Go security-tool package: one upstream repository builds several related executables, package managers expose the main toolkit, and operators can choose between system packages, Homebrew, Scoop, prebuilt release binaries, or `go install`.

Timeline

  • 2014: Cloudflare introduces CFSSL as an open-source PKI toolkit and creates the GitHub repository.
  • 2020: v1.5.0 is published on GitHub releases.
  • 2021: v1.6.0 and v1.6.1 are published on GitHub releases.
  • 2024: v1.6.5 is published on GitHub releases.
  • 2026: The README documents Go 1.20+ as the build requirement and continues to describe CFSSL as Cloudflare's PKI/TLS toolkit.

Related projects

  • cfssl_trust is referenced by the README as the source for bundle files and platform metadata.
  • multirootca is shipped by the same repository as a certificate-authority server using multiple signing keys.
  • Go is the implementation language and installation path documented by the project.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:cloud

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 8 platform targets.
  • Installs with 1 runtime dependencies.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
ca.pemca_key.pem

executables

Installed executables

CommandKindExposureNote
cfsslcliglobal executable
cfssl-bundlecliglobal executable
cfssl-certinfocliglobal executable
cfssl-newkeycliglobal executable
cfssl-scancliglobal executable
cfssljsoncliglobal executable
multirootcacliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.6.5
manager updated
local dataok
upstreamcurrent
latest detectedv1.6.5

https://github.com/cloudflare/cfssl

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:cfssl
Version1.6.5
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cfssl
Homepagehttps://cfssl.org/
Repositoryhttps://github.com/cloudflare/cfssl
Upstream docshttps://cfssl.org/
LicenseBSD-2-Clause
Source archivehttps://github.com/cloudflare/cfssl/archive/refs/tags/v1.6.5.tar.gz
Dependencieslibtool
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecfssl
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

cfssl

nix profile install nixpkgs#cfssl
  • normalized package name match
  • Matched by: Cfssl
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/cf/cfssl/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk95%

cfssl 1.6.5-r15

Cloudflare PKI and TLS toolkit

https://cfssl.org/

sudo apk add cfssl
  • License: BSD-2-Clause
  • Architecture: x86_64
  • Source Package: cfssl
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Cfssl
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: cfssl from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz
pacman95%

cfssl 1.6.5-2

CloudFlare PKI and TLS toolkit

https://cfssl.org/

sudo pacman -S cfssl
  • License: BSD-2-Clause
  • Architecture: x86_64
  • 1 dependencies
  • normalized package name match
  • Matched by: Cfssl
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: cfssl from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
MacPorts95%

cfssl

sudo port install cfssl
  • normalized package name match
  • Matched by: Cfssl
MacPorts ports tree · api.github.com · MacPorts ports tree: security/cfssl/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Scoop95%

extras/cfssl

scoop install extras/cfssl
  • normalized package name match
  • Matched by: Cfssl
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/cfssl.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment