Client certificates

Use Cloudflare public key infrastructure (PKI) to create client certificates. Use these certificates with Cloudflare API Shield or Cloudflare Workers to enforce mutual Transport Layer Security (mTLS) encryption.

Warning

Since Cloudflare validates client certificates with one CA, set at account level, these certificates can be used for validation across multiple zones, as long as the zones are under the same account and mTLS has been enabled for the requested hosts. This means that (a) if you bring your own CA, you can associate it with hosts in different zones and (b) if you use Cloudflare Managed CA, this is the default behavior.

API Shield

To use API Shield to protect your API or web application, you must do the following:

1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.

2. Configure your mobile app or IoT device to use your Cloudflare-issued client certificate.

3. Enable mTLS for the hosts you wish to protect with API Shield.

4. Create WAF custom rules that require API requests to present a valid client certificate.

Warning

By default, API Shield mTLS uses client certificates issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each account.

If you need to use certificates issued by another CA, you can use the API to bring your own CA for mTLS.

Workers

To authenticate Workers requests using mTLS:

1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.
2. Create and use an mTLS binding to authenticate Workers connections.