Forge Home


Forked from rehanone/puppet-cfssl. A puppet module for installing, managing and generating SSL certificates using CloudFlare's PKI toolkit - CFSSL


339,196 latest version

4.3 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.1 (latest)
  • 1.0.0
released May 17th 2017
This version is compatible with:
  • Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 5.0.0
  • , , , Debian, , ArchLinux

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'mmack-cfssl', '1.0.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add mmack-cfssl
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install mmack-cfssl --version 1.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



mmack/cfssl — version 1.0.1 May 17th 2017

forked from rehanone/puppet-cfssl

Table of Contents

  1. Overview
  2. Module Description
  3. Setup
  4. Usage
  5. Dependencies
  6. Development


The mmack-cfssl module for installing, managing and generating SSL certificates using CloudFlare's PKI toolkit - CFSSL.

Module Description

A puppet module for managing the installation and configuration of CloudFlare's PKI toolkit. This module installs and configures CFSSL as a service so clients can request certificates from the local PKI server.

CFSS is not the easiest toolkit to understand and work with. The main reason is lack of proper documentation. However, more information on it is available at:

Implemented Features:

  • Installs cfssl binaries to /opt/cfssl and creates links under /usr/local/bin
  • Can be configured to become a PKI server in which case it will generate Root and Intermediate CA certificates.
  • Sets up PKI service that clients on the network can use to request certificates.
  • If puppetlabs-firewall module is used, this module can setup proper rules for opening local port for the PKI server.

Features not yet updated

  • Allow multiple Intermediate CA certificates.


In order to install mmack-cfssl, run the following command:

$ sudo puppet module install mmack-cfssl

The module does expect all the data to be provided through 'Hiera'. See Usage for examples on how to configure it.


This module is designed to be as clean and compliant with latest puppet code guidelines. It works with:

  • puppet >=4.0.0




A basic install with the defaults would be:

include cfssl

Or the PKI Server using the parameters:

class{ 'cfssl':
  ca_manage       => true,
  service_port    => 8888,
  service_address => '',
  • wget_manage: This module use archive to download the cfssl binaries. That behaviour can be disabled with this option.
  • download_url: Download URL for cfssl binaries, the default is
  • download_dir: Download loaction for cfssl binaries. The default value /opt/cfssl.
  • install_dir: Install location for cfssl binaries. The default is /usr/local/bin.
  • conf_dir: Root directory for cfssl configuration and certificate creation. The default is /etc/cfssl.
  • ca_manage: Controls the generation of Root and Intermediate CA certificates that allow the system to serve as a PKI server. The default is false.
  • key_algo: The key algorithm to use, the possible values are rsa or ecdsa. The default is rsa.
  • key_size: The key size to use for certificate creation. The default is 4096.
  • root_ca_name: The name for the Root CA. The default is My Root CA.
  • root_ca_expire: Time in hours for the CA to expire. The default is 262800h (30 years).
  • intermediate_ca_name: The name for the Intermediate CA. The default is My Intermediate CA.
  • intermediate_ca_expire: Time in hours for the CA to expire. The default is 42720h.
  • cr_server_expire: Time in hours for the CA to expire. The default is 35040h.
  • cr_client_expire: Time in hours for the CA to expire. The default is 35040h.
  • cr_client_server_expire: Time in hours for the CA to expire. The default is 35040h.
  • service_manage: Controls if the service will be created to generate certificates on a CA server. The default is same asca_manage.
  • service_ensure: Controls the status of the service. The default is running.
  • service_enable: Enables or disables the service. the default is true.
  • service_name: Name of the service. the default is cfssl.
  • service_address: The service bind address. the default is
  • service_port: The service port. the default is 8888.
  • service_user: The service user. the default is root.
  • firewall_manage: Controls the firewall if it is managed by puppet. The default is false.
  • allowed_networks: Array of networks that are allowd to access service through the firewall. The default is ''.
  • requests: A hash of certificate requests, see cfssl::certificate_request for more details.

All of this data can be provided through Hiera.

For PKI Server


cfssl::ca_manage: true
cfssl::root_ca_name: 'Root Authority X1'
cfssl::intermediate_ca_name: "Intermediate Authority X2"
cfssl::country: 'UK'
cfssl::state: 'England'
cfssl::city: 'Dewsbury'
cfssl::organization: 'Corp'
cfssl::org_unit: 'NetLink'
cfssl::service_manage: true
cfssl::service_ensure: 'running'
cfssl::service_enable: 'true'
cfssl::service_port: 8888
cfssl::service_address: ''
cfssl::firewall_manage: true
  - ''
  - ''
For PKI Client


cfssl::ca_manage: false
    remote_port: 8888
    remote_address: ''
    profile: 'server'
    hosts: ['', '']
    key_algo: 'rsa'
    key_size: '2048'
    country: 'UK'
    state: 'England'
    city: 'Leeds'
    organization: 'Corp'
    org_unit: 'NetLink'



This resource creates a request for a certificate that will be signed by the remote PKI server.


cfssl::certificate_request { '':
 remote_port    => 8888,
 remote_address => '',
 profile        => 'server',
 hosts          => ['', ''],
 key_algo       => 'rsa',
 key_size       => '2048',
 country        => 'UK',
 state          => 'England',
 city           => 'Leeds',
 organization   => 'Corp',
 org_unit       => 'NetLink',
  • common_name Common Name for the certficate, the default is $title.
  • hosts Alternative host names for this certficate.
  • profile Can specify the type of cert client, server, and client and server.



You can submit pull requests and create issues through the official page of this module: Please do report any bug and suggest new features/improvements.