Forge Home


A standalone client for cfssl


6,039 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.2 (latest)
  • 1.0.1
released Feb 20th 2018
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.5.0
  • , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'jimmypw-cfssl', '1.0.2'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add jimmypw-cfssl
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install jimmypw-cfssl --version 1.0.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



jimmypw/cfssl — version 1.0.2 Feb 20th 2018


Table of Contents

  1. Description
  2. Setup - The basics of getting started with cfssl
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module


cfssl is an api driven pki server written in go. This puppet module enables puppet to request certificates from cfssl.


What cfssl affects

This module will request a certificate based on the parameters you specify then save the signed certificate in the directory you specify.

Setup Requirements

This module uses built in ruby libraries and has no extra dependancies

Beginning with cfssl

The very basic steps needed for a user to get the module up and running. This can include setup steps, if necessary, or it can be an example of the most basic use of the module.


At minimum you require the following

    ensure   => present,
    server   => '',
    manifest => {
        'hosts' => ['', ''],
        'key'   => { 'algo' => 'rsa', 'size' => 4096 },
        'CN'    => '',
        'names' => [
                'C'  => 'County',
                'ST' => 'State',
                'L'  => 'Locality',
                'O'  => 'Organisation'

The provided manifest is passed directly to the cfssl API. The documentation can be found here....


To create a certificate

  • ensure, Shall we create or remove the certificate
  • server, The URI to the cfssl server
  • certpath, Where will the certificate be saved (default: /etc/ssl)
  • authkey, What key will be used. Only required for authenticated profiles. (optional)
  • profile, What signing profile will be used (optional)
  • label, What label will be used (optional)
  • manifest, The particulars of the certificate to be signed

For example:

    ensure   => present,
    server   => '',
    certpath => '/etc/ssl',
    authkey  => 'ababababababababababababababab',
    profile  => 'endpoint',
    label    => 'label',
    manifest => {
        'hosts' => [''],
        'key'   => { 'algo' => 'rsa', 'size' => 4096 },
        'CN'    => 'Some CN',
        'names' => [
                'C'  => 'Farnborough',
                'ST' => 'Hampshire',
                'L'  => 'Locality',
                'O'  => 'Organisation'


This has been tested on linux, it will likely work on windows since we are using the builtin types

Ensuring absent will not revoke the certificate on the server

CFSSL has a gaping security hole where authentication on profiles can be ignored by using the 'newcert' endpoint. I am expecting that this functionality will change at some point so this code only uses the sign and authsign endpoints and switches based on weather you provide an authkey or not.


TODO: Move the cfssl library out in to its own gem