cfssljson: Split cfssl JSON Into Files
cfssljson reads the JSON that cfssl emits and writes out the cert, key, and CSR as individual files.
cfssl commands print a JSON blob; cfssljson is the companion that materializes it into the .pem files tools actually consume. It is almost always the tail of a cfssl pipe.
What it does
cfssljson parses a cfssl JSON object (from stdin with -bare - or from a file with -f) and writes <prefix>.pem, <prefix>-key.pem, and <prefix>.csr from the cert, key, and csr fields. -bare uses a filename prefix instead of a wrapping bundle.
Common usage
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# from a saved JSON file
cfssljson -bare server -f server-response.jsonOptions
| Flag | What it does |
|---|---|
| -bare <prefix> | Write files as <prefix>.pem, <prefix>-key.pem, <prefix>.csr |
| -f <file> | Read the JSON from a file (default stdin) |
| -stdout | Print the certificate to stdout instead of a file |
In CI
Pipe cfssl straight into cfssljson -bare <name> to get predictable file names your later steps reference. The key file is <name>-key.pem, a common naming gotcha when a config expects key.pem.
Common errors in CI
"Failed to parse input: unexpected end of JSON input" means nothing was piped in, usually because the upstream cfssl command errored; check its exit and stderr. "no key or CSR ... in the input" means the JSON lacked the field cfssljson expected; you likely piped the wrong cfssl subcommand output.