

Introducing CFSSL – CloudFlare's PKI toolkit - helper
http://blog.cloudflare.com/introducing-cfssl

======
zdw
The main use case brought up is supporting people still on Win XP SP2
(released in August 2004), when the answer should be for them to upgrade to
something newer, either OS or browser.

That said, there are probably a lot of embedded systems of similar ancient
vintage that may not be easily upgradable. The wisdom of having them internet
connected is questionable at best.

It appears that this really works best with CloudFlare's systems - if you're
looking to set up your own CA, and want help working through all the openssl
commands and configuration files, this is pretty helpful:

[https://pki-tutorial.readthedocs.org/en/latest/](https://pki-tutorial.readthedocs.org/en/latest/)

~~~
grittygrease
We find that Android 2.2 and 2.3 are also relevant platforms that require
alternative toolchains. Upgrades are not possible for many of these devices.

As for setting up your CA, openssl's command line interface can be very
clunky. CFSSL not only has a clean and simple command line interface, but it
has a nice RESTful JSON API for simple integration into web services.

------
rdl
Cert bundling has always been a pain -- people getting intermediate certs
wrong, and thus things working in some browsers and not others. I don't think
a huge number of people will ever use a tool like this to run their own CA
(but that's great that they can), but a lot of admins have to deal with cert
bundling.

~~~
mattzito
A lot of enterprises end up with messy CA implementations, and have to deal
with bundling their certs, partner certs, and so on. I could see this being
useful for them.

------
jgrahamc
This makes good on a promise we made long ago to release this code and our
bundles. Many people on HN have bitched about us not making good on that
promise.

------
backslash
Very useful indeed!

