Client certificate
The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.
Feature availability
| WARP modes | Zero Trust plans ↗ |
|---|---|
| All modes | All plans |
| System | Availability | Minimum WARP version1 |
|---|---|---|
| Windows | ✅ | 2024.6.415.0 |
| macOS | ✅ | 2024.6.416.0 |
| Linux | ✅ | 2024.6.497.0 |
| iOS | ❌ | |
| Android | ❌ | |
| ChromeOS | ❌ |
1 Client certificate checks that ran on an earlier WARP version will continue to work. To configure a new certificate check, update WARP to the versions listed above.
- A CA that issues client certificates for your devices. WARP does not evaluate the certificate trust chain; this needs to be the issuing certificate.
- Cloudflare WARP client is deployed on the device.
- A client certificate is installed and trusted on the device.
-
Use the Upload mTLS certificate endpoint to upload the certificate and private key to Cloudflare. The certificate must be a root CA, formatted as a single string with
\nreplacing the line breaks. The private key is only required if you are using this custom certificate for Gateway HTTPS inspection.Terminal window curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/mtls_certificates" \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{"name": "example_ca_cert","certificates": "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----","private_key": "-----BEGIN PRIVATE KEY-----\nXXXXX\n-----END PRIVATE KEY-----","ca": true}'The response will return a UUID for the certificate. For example:
{"success": true,"errors": [],"messages": [],"result": {"id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60","name": "example_ca_cert","issuer": "O=Example Inc.,L=California,ST=San Francisco,C=US","signature": "SHA256WithRSA"...}} -
In Zero Trust ↗, go to Settings > WARP Client.
-
Scroll down to WARP client checks and select Add new.
-
Select Client certificate.
-
You will be prompted for the following information:
- Name: Enter a unique name for this device posture check.
- Operating system: Select your operating system.
- OS locations: Specify the location(s) where the client certificate is installed.
Windows
- Local machine trust store - User trust store
- System keychainmacOS
Linux
- NSSDB (
/etc/pki/nssdb) - To search a custom location, enter the absolute file path(s) to the certificate and private key (for example/usr/local/mycompany/certs/client.pemand/usr/local/mycompany/certs/client_key.pem). The certificate and private key must be inPEMformat. They can either be in two different files or the same file.
- Certificate ID: Enter the UUID of the root CA.
- Common name: (Optional) To check for a specific common name on the client certificate, enter a string with optional
${serial_number}and${hostname}variables (for example,${serial_number}_mycompany). WARP will search for an exact, case-insensitive match. If you do not specify a common name, WARP will ignore the common name field on the certificate. - Check for Extended Key Usage: (Optional) Check whether the client certificate has one or more attributes set. Supported values are Client authentication (
1.3.6.1.5.5.7.3.2) and/or Email (1.3.6.1.5.5.7.3.4). - Check for private key: (Recommended) When enabled, WARP checks that the device has a private key associated with the client certificate.
-
Select Save.
Next, go to Logs > Posture and verify that the client certificate check is returning the expected results.
You can use the following commands to check if a client certificate is properly installed and trusted on the device.
- Open a PowerShell window.
- To search the local machine trust store for a certificate with a specific common name, run the following command:
Get-ChildItem Cert:\LocalMachine\My\ | where{$_.Subject -like "*<COMMON_NAME>*"}- To search the user trust store for a certificate with a specific common name, run the following command:
Get-ChildItem Cert:\CurrentUser\My\ | where{$_.Subject -like "*<COMMON_NAME>*"}- Open Terminal.
- To search System Keychain for a certificate with a specific common name, run the following command:
/usr/bin/security find-certificate -c "<COMMON_NAME>" -p /Library/Keychains/System.keychain- Open Terminal.
- To list all client certificates in NSSDB, run the following command:
certutil -L -d /etc/pki/nssdbCertificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
meow CTu,Cu,CunoPrivateKey CT,,- Open your desired certificate using its certificate nickname. The common name will appear in the line
Subject: "CN=123456.mycompany".
certutil -L -d /etc/pki/nssdb -n meowCertificate: Data: Version: 3 (0x2) Serial Number: 236 (0xec) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=123456.mycompany" Validity: Not Before: Tue Jul 02 17:20:40 2024 Not After : Sun Jul 02 17:20:40 2034 Subject: "CN=123456.mycompany" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: <redacted> Exponent: 65537 (0x10001) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: <redacted> Fingerprint (SHA-256): <redacted> Fingerprint (SHA1): <redacted>
Mozilla-CA-Policy: false (attribute missing) Certificate Trust Flags: SSL Flags: Valid CA Trusted CA User Trusted Client CA Email Flags: Valid CA Trusted CA User Object Signing Flags: Valid CA Trusted CA UserFor the posture check to pass, a certificate must appear in the output that validates against the uploaded root CA.