Yesterday the folks over at CloudFlare introduced their “CFSSL” toolkit for working with TLS (SSL) certificates. Their blog post explains what CFSSL is all about, and they have also made the code available along with further documentation on GitHub: https://github.com/cloudflare/cfssl
This is interesting to me for a couple of reasons. First, their blog post has some excellent diagrams outlining the challenges with ensuring that a TLS certificate is able to be validated by a web browser. The author Nick Sullivan points out that different browsers trust different numbers of Certificate Authorities (CAs) – and that older browsers may not trust newer CA certificates. He outlines the need to create “certificate bundles” that include multiple TLS chains. The key point of all of this is to make it so that your TLS certificate is accessible to the widest range of browsers and systems.
As a tutorial alone, the post is a good read.
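To make the bundling point concrete, here is an added example in Go (it is not CFSSL's code and not from the original post): it builds a throwaway PKI with an "Old Root" that every trust store has, a "New Root" that only newer browsers have, an intermediate signed by the new root plus a cross-signed copy of the same intermediate under the old root, and then checks which bundles an old-root-only client can validate. Every name, serial and key here is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// tmpl is a minimal template: CertSign in ku makes it a CA; serverAuth EKU so Verify accepts the chain.
func tmpl(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}
// sign issues t under parent with parentKey (self-signed when parent is nil) and parses the DER.
func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey))))
}
// Validates mimics a browser that trusts exactly one root: the leaf must chain to it using only the intermediates the server sent.
func Validates(leaf, root *x509.Certificate, sent ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}

// BundleDemo: old browser given only the new-root chain; old browser given the cross-signed intermediate too; new browser.
func BundleDemo() (oldOnly, oldBundled, newBrowser bool) {
	k := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	oldKey, newKey, intKey, leafKey := k(), k(), k(), k()
	ca, srv := x509.KeyUsageCertSign, x509.KeyUsageDigitalSignature
	oldRoot := sign(tmpl("Old Root", 1, ca), nil, &oldKey.PublicKey, oldKey) // constructed: in every trust store
	newRoot := sign(tmpl("New Root", 2, ca), nil, &newKey.PublicKey, newKey) // constructed: only in new trust stores
	intNew := sign(tmpl("Intermediate", 3, ca), newRoot, &intKey.PublicKey, newKey)
	intCross := sign(tmpl("Intermediate", 4, ca), oldRoot, &intKey.PublicKey, oldKey) // same key, cross-signed by old root
	leaf := sign(tmpl("www.example.com", 5, srv), intNew, &leafKey.PublicKey, intKey)
	return Validates(leaf, oldRoot, intNew), Validates(leaf, oldRoot, intNew, intCross), Validates(leaf, newRoot, intNew)
}
```

The old-root-only client fails on the short chain and succeeds once the cross-signed intermediate is bundled, which is exactly the extra chain a bundle carries for older browsers.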
It also highlights the complexity (some might say “brokenness”!) of the current CA system and why many folks are looking for mechanisms to add more trust into the system (the DANE protocol being one of those potential mechanisms).
The post also explains their CFSSL tool, which is available for anyone to use. While it is not exactly a TLS library, like some of the other tools we’ve highlighted in our TLS for Applications area, the source code is available and some developers may find it of use. I found it interesting that the tool can also be used to create your own CA and generate your own certificates. This might be useful for people looking to do additional testing or to run their own CA for their own purposes.
Regardless of what you may do with the toolkit, kudos to CloudFlare for making it available under a permissive open source license and for providing the documentation they do. I hope it will help some folks out there make the Internet more secure!