Install certificate using WARP
Feature availability
| WARP modes | Zero Trust plans ↗ |
|---|---|
| All modes | All plans |
| System | Availability | Minimum WARP version |
|---|---|---|
| Windows | ✅ | 2023.3.381.0 |
| macOS | ✅ | 2023.3.381.0 |
| Linux * | ✅ | 2023.3.381.0 |
| iOS | ❌ | |
| Android | ❌ | |
| ChromeOS | ❌ |
* Only supported on Debian-based systems.
The WARP client can automatically install a Cloudflare certificate or custom root certificate on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to install the certificate manually.
The certificate is required if you want to apply HTTP policies to encrypted websites, display custom block pages, and more.
- (Optional) Upload a custom root certificate to Cloudflare.
- In Zero Trust ↗, go to Settings > WARP Client.
- Turn on Install CA to system certificate store.
- Install the WARP client on the device.
- Enroll the device in your Zero Trust organization.
- (Optional) If the device is running macOS Ventura or newer, manually trust the certificate.
WARP will install the certificate set to In-Use. This certificate can be either a Cloudflare-generated certificate or a custom certificate. If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users’ devices.
After installing the certificate using WARP, you can verify successful installation by accessing the device’s system certificate store.
To access the installed certificate in macOS:
- Open Keychain Access.
- In System Keychains, go to System > Certificates.
- Open your certificate. The default Cloudflare certificate name is Gateway CA - Cloudflare Managed G1.
- If the certificate is trusted by all users, Keychain Access will display This certificate is marked as trusted for all users.
The WARP client will also place the certificate in /Library/Application Support/Cloudflare/installed_cert.pem for reference by scripts or tools.
macOS Ventura and newer do not allow WARP to automatically trust the certificate. To manually trust the certificate:
- In Keychain Access, find and open the certificate.
- Open Trust.
- Set When using this certificate to Always Trust.
- (Optional) Restart the device to reset connections to Zero Trust.
Alternatively, you can configure your mobile device management (MDM) to automatically trust the certificate on all of your organization’s devices.
To access the installed certificate in Windows:
- Open the Start menu and select Run.
- Enter
certlm.msc. - Go to Trusted Root Certification Authority > Certificates. The default Cloudflare certificate name is Gateway CA - Cloudflare Managed G1.
The WARP client will also place the certificate in %ProgramData%\Cloudflare\installed_cert.pem for reference by scripts or tools.
On Linux, the certificate is stored in /usr/local/share/ca-certificates. The default Cloudflare certificate name is managed-warp.pem.
If you cannot find the certificate, run the following commands to update the system store:
-
Go to the system certificate store.
Terminal window cd /usr/local/share/ca-certificates -
Rename the certificate, changing the file extension to
.crt.Terminal window sudo mv managed-warp.pem managed-warp.crt -
Update your list of custom CA certificates.
Terminal window sudo update-ca-certificates
The WARP client will also place the certificate in /var/lib/cloudflare-warp/installed_cert.pem for reference by scripts or tools.
If the certificate was installed by the WARP client, it is automatically removed when you turn on another certificate for inspection in Zero Trust, turn off Install CA to system certificate store, or uninstall WARP. WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications).
To manually remove the certificate, refer to the instructions supplied by your operating system or the third-party application.