This demonstrates using Cloudflare's cfssl to easily generate certificates for an etcd cluster.

Defaults generate an ECDSA-384 root and leaf certificates for localhost. etcd nodes will use the same certificates for both sides of mutual authentication, but won't require client certs for non-peer clients.


  1. Install git, go, and make
  2. Amend - IPs currently in the config should be replaced/added with the IP addresses of each cluster node, please note is always required for loopback purposes:

        {
          "CN": "etcd",
          "hosts": [
            "localhost"
          ],
          "key": {
            "algo": "ecdsa",
            "size": 384
          },
          "names": [
            {
              "O": "autogenerated",
              "OU": "etcd cluster",
              "L": "the internet"
            }
          ]
        }

  3. Run make to generate the certs
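A pre-flight check for the amended CSR request, run before generating the certs. This is an added example, not part of the original page or the etcd project: the function name `check_csr`, the sample config and its node addresses (RFC 5737 documentation IPs) are constructed for illustration. Because every node shares one leaf certificate, it confirms that each node address and a loopback entry appear in `hosts` and that the key matches the ECDSA-384 default.

```python
import ipaddress
import json

# Constructed sample in the shape of the CSR request above; the node
# addresses are RFC 5737 documentation IPs, not values from the page.
SAMPLE_CSR = """
{
  "CN": "etcd",
  "hosts": ["localhost", "127.0.0.1", "192.0.2.10", "192.0.2.11"],
  "key": {"algo": "ecdsa", "size": 384},
  "names": [{"O": "autogenerated", "OU": "etcd cluster", "L": "the internet"}]
}
"""

def _as_ip(host):
    """Return an ip_address object for IP literals, None for DNS names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def check_csr(csr_text, node_ips, algo="ecdsa", size=384):
    """Return a list of problems; an empty list means the request is usable."""
    csr = json.loads(csr_text)
    problems = []
    # Keep only IP entries, parsed so equivalent spellings compare equal.
    host_ips = {ip for ip in map(_as_ip, csr.get("hosts", [])) if ip}

    # Every node shares this certificate, so each node address must be
    # listed or the certificate will not cover that node.
    for node in node_ips:
        if ipaddress.ip_address(node) not in host_ips:
            problems.append(f"node address {node} missing from hosts")

    # A loopback entry is required for local connections.
    if not any(ip.is_loopback for ip in host_ips):
        problems.append("no loopback address in hosts")

    key = csr.get("key", {})
    if (key.get("algo"), key.get("size")) != (algo, size):
        problems.append(
            f"key is {key.get('algo')}-{key.get('size')}, expected {algo}-{size}")
    return problems

if __name__ == "__main__":
    # Third node is deliberately absent from the sample to show a failure.
    for p in check_csr(SAMPLE_CSR, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        print("FAIL:", p)
```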