Skip to content
Latchkey

cfssl gencert: Issue Certificates as JSON

cfssl gencert produces a key and certificate from a CSR JSON, either self-signed as a CA (-initca) or signed by a CA you pass.

cfssl is CloudFlare's PKI toolkit, driven by JSON rather than flags-heavy prompts. It streams JSON to stdout that you split into files with cfssljson.

What it does

cfssl gencert reads a CSR JSON and emits a JSON object containing the cert, key, and CSR. With -initca it creates a self-signed CA; with -ca/-ca-key and -config/-profile it signs a leaf using that CA and profile.

Common usage

Terminal
# create a CA
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# sign a leaf using the CA and a profile
cfssl gencert -ca ca.pem -ca-key ca-key.pem \
  -config ca-config.json -profile server server-csr.json | cfssljson -bare server

Options

FlagWhat it does
-initcaCreate a new self-signed CA from the CSR JSON
-ca <file> -ca-key <file>CA cert and key used to sign the leaf
-config <file>JSON config with signing profiles
-profile <name>Which profile in the config to apply
-hostname <list>Override SANs (comma-separated)

In CI

cfssl writes JSON to stdout; always pipe into cfssljson to get .pem files. Keep the CSR and config JSON in the repo so cert generation is reproducible across runs.

Common errors in CI

"Failed to parse input: invalid character ... " means the CSR or config JSON is malformed; validate it with a JSON linter. "{\"code\":1200,...\"failed to load config file\"}" means -config points at a missing file. "code 1000 ... could not sign" often means a hostname not permitted by the profile's allowed names.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →