Skip to content
Latchkey

cfssljson: Split cfssl JSON Into Files

cfssljson reads the JSON that cfssl emits and writes out the cert, key, and CSR as individual files.

cfssl commands print a JSON blob; cfssljson is the companion that materializes it into the .pem files tools actually consume. It is almost always the tail of a cfssl pipe.

What it does

cfssljson parses a cfssl JSON object (from stdin with -bare - or from a file with -f) and writes <prefix>.pem, <prefix>-key.pem, and <prefix>.csr from the cert, key, and csr fields. -bare uses a filename prefix instead of a wrapping bundle.

Common usage

Terminal
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# from a saved JSON file
cfssljson -bare server -f server-response.json

Options

FlagWhat it does
-bare <prefix>Write files as <prefix>.pem, <prefix>-key.pem, <prefix>.csr
-f <file>Read the JSON from a file (default stdin)
-stdoutPrint the certificate to stdout instead of a file

In CI

Pipe cfssl straight into cfssljson -bare <name> to get predictable file names your later steps reference. The key file is <name>-key.pem, a common naming gotcha when a config expects key.pem.

Common errors in CI

"Failed to parse input: unexpected end of JSON input" means nothing was piped in, usually because the upstream cfssl command errored; check its exit and stderr. "no key or CSR ... in the input" means the JSON lacked the field cfssljson expected; you likely piped the wrong cfssl subcommand output.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →