# Install cfssl with Homebrew, apk, MacPorts, Nix, pacman, scoop

CloudFlare's PKI toolkit. Version 1.6.5 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:cfssl
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cfssl
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install cfssl
```

  Evidence: MacPorts ports tree: security/cfssl/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add cfssl
```

  Evidence: Alpine Linux edge package indexes: cfssl from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- Nix (92%):

```sh
nix profile install nixpkgs#cfssl
```

  Evidence: nixpkgs package indexes: pkgs/by-name/cf/cfssl/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S cfssl
```

  Evidence: Arch Linux sync databases: cfssl from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

### Windows

- Scoop (92%):

```sh
scoop install extras/cfssl
```

  Evidence: Scoop official bucket manifest trees: bucket/cfssl.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:cfssl
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/cfssl>
- **Version:** 1.6.5
- **Source summary:** CloudFlare's PKI toolkit
- **Homepage:** <https://cfssl.org/>
- **Repository:** <https://github.com/cloudflare/cfssl>
- **Upstream docs:** <https://cfssl.org/>
- **License:** BSD-2-Clause
- **Source archive:** <https://github.com/cloudflare/cfssl/archive/refs/tags/v1.6.5.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- cfssl (cli)
- cfssl-bundle (cli)
- cfssl-certinfo (cli)
- cfssl-newkey (cli)
- cfssl-scan (cli)
- cfssljson (cli)
- multirootca (cli)
- cfssl (alias)
- cfssl-bundle (alias)
- cfssl-certinfo (alias)
- cfssl-newkey (alias)
- cfssl-scan (alias)
- cfssljson (alias)
- multirootca (alias)

## Dependencies

- libtool

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.6.5
- Local data: ok
- Upstream repository: https://github.com/cloudflare/cfssl
- Upstream latest detected: v1.6.5 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

CFSSL is Cloudflare's PKI and TLS toolkit. The official README describes it as both a command-line tool and an HTTP API server for signing, verifying, bundling, scanning, and serving certificate-authority workflows.

### Project history

Cloudflare introduced CFSSL in July 2014 as an open-source toolkit for TLS and SSL, saying it was used internally for certificate-chain bundling and internal certificate-authority infrastructure. The GitHub repository was created the same month under Cloudflare's organization.

The project is written in Go and ships multiple utilities, including `cfssl`, `cfssljson`, `cfssl-bundle`, `cfssl-certinfo`, `cfssl-newkey`, `cfssl-scan`, `mkbundle`, and `multirootca`. The documentation covers CLI operation, JSON configuration, authentication, an HTTP API, certificate bundling, signing, OCSP, and CA serving.

### Adoption history

CFSSL became a durable package because it solves operational PKI tasks that teams need outside a browser or a single web server: generating CSRs and keys, signing certificates, bundling chains, scanning hosts, and exposing CA operations through an API.

The package metadata in this batch shows CFSSL packaged across Homebrew, Alpine, MacPorts, Nix, Arch, and Scoop. Official installation also supports `go install` and prebuilt GitHub release binaries.

### How it is used

The `cfssl` command supports subcommands such as sign, bundle, genkey, gencert, serve, version, selfsign, and print-defaults. The README documents default CA credential filenames `ca.pem` and `ca_key.pem` for signing and serving.

The configuration file is a JSON dictionary for signing profiles, OCSP, authentication, and remote servers, but the docs present it as an argument such as `-config config` rather than a fixed path. For that reason, the config-file location is null while the default CA credential filenames are recorded.

### Why package nerds care

CFSSL is package-nerd significant because it turns PKI operations that are often hidden inside bespoke scripts into a set of installable Unix-style commands and a documented API server.

It is also a classic Go security-tool package: one upstream repository builds several related executables, package managers expose the main toolkit, and operators can choose between system packages, Homebrew, Scoop, prebuilt release binaries, or `go install`.

### Timeline

- 2014: Cloudflare introduces CFSSL as an open-source PKI toolkit and creates the GitHub repository.
- 2020: v1.5.0 is published on GitHub releases.
- 2021: v1.6.0 and v1.6.1 are published on GitHub releases.
- 2024: v1.6.5 is published on GitHub releases.
- 2026: The README documents Go 1.20+ as the build requirement and continues to describe CFSSL as Cloudflare's PKI/TLS toolkit.

### Related projects

- cfssl_trust is referenced by the README as the source for bundle files and platform metadata.
- multirootca is shipped by the same repository as a certificate-authority server using multiple signing keys.
- Go is the implementation language and installation path documented by the project.

### Sources

- <https://api.github.com/repos/cloudflare/cfssl>
- <https://github.com/cloudflare/cfssl>
- <https://cfssl.org/>
- <https://github.com/cloudflare/cfssl#readme>
- <https://github.com/cloudflare/cfssl/tree/master/doc>
- <https://formulae.brew.sh/api/formula/cfssl.json>
- <https://api.github.com/repos/cloudflare/cfssl/releases>


## Security Notes

infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- infrastructure mutation or orchestration signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Credential files

- Unix: ca.pem, ca_key.pem
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cfssl
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - cfssl: normalized package name match | nixpkgs package indexes: pkgs/by-name/cf/cfssl/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- apk - cfssl - 1.6.5-r15: normalized package name match | Alpine Linux edge package indexes: cfssl from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Cloudflare PKI and TLS toolkit | https://cfssl.org/
- pacman - cfssl - 1.6.5-2: normalized package name match | Arch Linux sync databases: cfssl from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | CloudFlare PKI and TLS toolkit | https://cfssl.org/
- MacPorts - cfssl: normalized package name match | MacPorts ports tree: security/cfssl/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - extras/cfssl: normalized package name match | Scoop official bucket manifest trees: bucket/cfssl.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [libtool](https://www.automicvault.com/pkg/brew/libtool/) - Runtime dependency declared by Homebrew.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [certstrap](https://www.automicvault.com/pkg/brew/certstrap/) - Shares av.db curated category or tags: certificates, cli, pki, security, tls.
- [nss](https://www.automicvault.com/pkg/brew/nss/) - Shares av.db curated category or tags: cli, cryptography, pki, security, tls.
- [botan](https://www.automicvault.com/pkg/brew/botan/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [easy-rsa](https://www.automicvault.com/pkg/brew/easy-rsa/) - Shares av.db curated category or tags: certificates, cli, pki, security.
- [fetch-crl](https://www.automicvault.com/pkg/brew/fetch-crl/) - Shares av.db curated category or tags: certificates, cli, pki, security.
- [gmssl](https://www.automicvault.com/pkg/brew/gmssl/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [gnutls](https://www.automicvault.com/pkg/brew/gnutls/) - Shares av.db curated category or tags: cli, cryptography, security, tls.
- [libressl](https://www.automicvault.com/pkg/brew/libressl/) - Shares av.db curated category or tags: cli, cryptography, security, tls.

## Combined YAML source

View the package source record on GitHub. [combined/cfssl.yml](https://github.com/automic-vault/db/blob/main/combined/cfssl.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
