Skip to content

mTLS with Application Security

1. Enable mTLS

  1. Go to your Cloudflare dashboard and select your account and domain.

  2. Go to SSL/TLS > Client Certificates tab and select Edit to add the Hosts (hostnames) you want to enable mTLS for.

    Example host: mtls-test.example.com

  3. Select Create Certificate and fill in the required fields. You can choose one of the following options:

  • Generate a private key (usually referred to as Private Certificate) and Certificate Signing Request (CSR) with Cloudflare (which includes the Public Certificate).
  • Use your own private key and CSR which allows you to also label client certificates.

To generate and use your own CSR, you can run a command like the following:

Terminal window
openssl req -new -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr -subj '/C=GB/ST=London/L=London/O=Organization/CN=CommonName'

Or use a script like this one from GitHub.

Do not forget to copy the values shown when creating the certificate as they become unavailable after creation.

2. Install the client certificate

In order for a client to utilize the Client Certificate you created, it must be on the devices that you want to use them on. You will want to place them in the same directory as your process / script that targets your APIs / hostnames.

We generally recommended using one Client Certificate per device. Configuring your system to actually use the Public and Private Certificates is especially important.

An example is to add both certificates to the Keychain on a MacBook laptop.

Another example is to generate a PKCS12 (P12) certificate file and then add it to your browser:

Terminal window
openssl pkcs12 -export -out certificate.p12 -inkey private-cert.pem -in cert.pem

Use the values from the previous step.

Example using cURL command:

Terminal window
curl -v --cert cert.pem --key private-cert.pem <HOSTNAME>

Use the values from the previous step.

3. Validate the client certificate in the WAF

mTLS is verified and checked in the Cloudflare WAF phase. This is done by creating WAF Custom Rules using the dynamic fields.

All Client Certificate details can be found in the cf.tls_* fields in the Cloudflare Ruleset Engine.

Example WAF Custom Rule with action block:

Example of a WAF custom rule with an action block in the Cloudflare dashboard during the validate client certificate step

Demo

With the Public and Private Certificates in the same directory, with this cURL command, we will gain access:

Terminal window
curl -I --cert cert.pem --key private-cert.pem https://mtls-test.example.com/mtls-test
HTTP/2 200
server: cloudflare

Without the certificates, the terminal will display the following:

Terminal window
curl -I https://mtls-test.example.com/mtls-test
HTTP/2 403
server: cloudflare