Master CFSSL: Step‑by‑Step Guide to Generate Self‑Signed Certificates on Linux

This comprehensive tutorial explains the fundamentals of PKI, CA, CSR, and cfssl configuration, shows how to install cfssl on Linux, details the cfssl gencert command and its core parameters, and provides practical, end‑to‑end examples for creating root, intermediate, server, client, and Kubernetes certificates.

Raymond Ops

CFSSL Self‑Signed Certificate Tool Overview

Certificate generation basics

Linux installation of cfssl

cfssl gencert command details and core parameters

Practical steps:

Create root CA configuration and CSR

Generate root CA certificate and key

Create intermediate CA CSR and generate intermediate CA certificate

Generate server certificate using intermediate CA

Generate client certificate

Generate Kubernetes certificates (API server, etc.)

Installation

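Download the cfssl, cfssljson, and cfssl‑certinfo binaries into /usr/local/bin (this requires root) and make them executable. The commands below do not verify the downloads, so check the binaries against checksums published by the project before running them.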

curl -L -o /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -L -o /usr/local/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -L -o /usr/local/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /usr/local/bin/cfssl*

cfssl gencert command

Core parameters include -ca, -ca-key, -config, -profile, -hostname, -cn, -key-algo, -key-size, -initca, -self-signed, etc.

Root CA generation

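# Output directories used by the commands below; cfssljson does not create them.
mkdir -p ca intermediate server client api-server
cfssl gencert -initca ca-csr.json | cfssljson -bare ca/ca

Produces ca.pem, ca-key.pem, and ca.csr in the ca/ directory, which is where the following commands expect the root CA files.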

Intermediate CA generation

cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca-config.json -profile=ca intermediate-csr.json | cfssljson -bare intermediate/intermediate

Server certificate generation

cfssl gencert -ca=intermediate/intermediate.pem -ca-key=intermediate/intermediate-key.pem -config=ca-config.json -profile=server server-csr.json | cfssljson -bare server/server

Client certificate generation

cfssl gencert -ca=intermediate/intermediate.pem -ca-key=intermediate/intermediate-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client/client

Kubernetes certificates

Example for API server:

cfssl gencert -ca=intermediate/intermediate.pem -ca-key=intermediate/intermediate-key.pem -config=ca-config.json -profile=kubernetes k8s-apiserver-csr.json | cfssljson -bare api-server/api-server

The resulting directory tree shows generated CA, intermediate, server, client, and Kubernetes certificates.
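Every signing command above passes -config=ca-config.json and selects a profile (ca, server, client, kubernetes), so the profile definitions decide what each certificate is allowed to do. The following check is an added example, not code from the original article or from the cfssl project: it lints a constructed ca-config.json for leaf profiles that grant CA key usages, CA profiles without a path length limit, and over-long expiries. The sample usages and expiries, the one-year limit, and the assumption that the installed cfssl version honours the ca_constraint block are all assumptions of this example.

```python
import json

# Constructed sample ca-config.json: profile names match the -profile values used
# above; usages, expiries and the ca_constraint block are assumptions.
SAMPLE_CONFIG = json.loads("""
{"signing": {
  "default": {"expiry": "8760h"},
  "profiles": {
    "ca": {"expiry": "43800h", "usages": ["cert sign", "crl sign"],
           "ca_constraint": {"is_ca": true, "max_path_len": 0, "max_path_len_zero": true}},
    "server": {"expiry": "8760h", "usages": ["signing", "key encipherment", "server auth"]},
    "client": {"expiry": "8760h", "usages": ["signing", "key encipherment", "client auth"]},
    "kubernetes": {"expiry": "8760h",
      "usages": ["signing", "key encipherment", "server auth", "client auth"]}
}}}
""")

CA_USAGES = {"cert sign", "crl sign"}
MAX_LEAF_HOURS = 8760  # hypothetical policy limit for leaf certificates (one year)


def hours(expiry):
    """Convert a whole-hour duration such as "8760h" to an int (other units rejected)."""
    if not expiry.endswith("h"):
        raise ValueError(f"unsupported expiry format: {expiry!r}")
    return int(expiry[:-1])


def lint_signing_config(cfg):
    """Return findings for each profile in a cfssl signing configuration."""
    findings = []
    default_expiry = cfg["signing"].get("default", {}).get("expiry")
    for name, prof in cfg["signing"].get("profiles", {}).items():
        usages = set(prof.get("usages", []))
        constraint = prof.get("ca_constraint", {})
        if constraint.get("is_ca"):
            if "cert sign" not in usages:
                findings.append(f"{name}: CA profile lacks 'cert sign'")
            if "max_path_len" not in constraint:
                findings.append(f"{name}: CA profile sets no path length limit")
            continue
        if usages & CA_USAGES:
            findings.append(f"{name}: leaf profile grants CA key usages")
        if not usages & {"server auth", "client auth"}:
            findings.append(f"{name}: no 'server auth' or 'client auth' usage")
        expiry = prof.get("expiry", default_expiry)
        if expiry is None or hours(expiry) > MAX_LEAF_HOURS:
            findings.append(f"{name}: expiry missing or longer than {MAX_LEAF_HOURS}h")
    return findings
```

To lint a real file, pass it as lint_signing_config(json.load(open("ca-config.json"))) before signing anything with it; an empty list means no findings.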

Certificate workflow diagram