Scroll to navigation

CF-KEY(8) System Manager's Manual CF-KEY(8)


cf-key - make private/public key-pairs for CFEngine authentication


cf-key [OPTION]...


The CFEngine key generator makes key pairs for remote authentication.


--help, -h
Print the help message
--inform, -I
Print basic information about key generation
--debug, -d
Enable debugging output
--verbose, -v
Output verbose information about the behaviour of cf-key
--version, -V
Output the version of the software
--log-level, -g value
Specify how detailed logs should be. Possible values: 'error', 'warning', 'notice', 'info', 'verbose', 'debug'
--output-file, -f value
Specify an alternative output file than the default.
--key-type, -T value
Specify a RSA key size in bits, the default value is 2048.
--show-hosts, -s
Show lastseen hostnames and IP addresses
--no-truncate, -N
Don't truncate -s / --show-hosts output
--remove-keys, -r value
Remove keys for specified hostname/IP/MD5/SHA (cf-key -r SHA=12345, cf-key -r MD5=12345, cf-key -r host001, cf-key -r
--force-removal, -x
Force removal of keys
--install-license, -l value
Install license file on Enterprise server (CFEngine Enterprise Only)
--print-digest, -p value
Print digest of the specified public key
--trust-key, -t value
Make cf-serverd/cf-agent trust the specified public key. Argument value is of the form [[USER@]IPADDR:]FILENAME where FILENAME is the local path of the public key for client at IPADDR address.
--color, -C value
Enable colorized output. Possible values: 'always', 'auto', 'never'. If option is used, the default value is 'auto'
--timestamp, -Ò
Log timestamps on each line of log output
--numeric, -n
Do not lookup host names


CFEngine provides automated configuration management of large-scale computer systems. A system administrator describes the desired state of a system using CFEngine policy code. The program cf-agent reads policy code and attempts to bring the current system state to the desired state described. Policy code is downloaded by cf-agent from a cf-serverd daemon. The daemon cf-execd is responsible for running cf-agent periodically.
Documentation for CFEngine is available at


CFEngine is built on principles from promise theory, proposed by Mark Burgess in 2004. Promise theory is a model of voluntary cooperation between individual, autonomous actors or agents who publish their intentions to one another in the form of promises. A promise is a declaration of intent whose purpose is to increase the recipient's certainty about a claim of past, present or future behaviour. For a promise to increase certainty, the recipient needs to trust the promiser, but trust can also be built on the verification that previous promises have been kept, thus trust plays a symbiotic relationship with promises.
For an introduction to promise theory, please see


cf-key is part of CFEngine.
Binary packages may be downloaded from
The source code is available at


Please see the public bug-tracker at
GitHub pull-requests may be submitted to


cf-promises(8), cf-agent(8), cf-serverd(8), cf-execd(8), cf-monitord(8), cf-runagent(8), cf-key(8)


Mark Burgess and AS
CFEngine System Administration