Enable mTLS
You can enable mutual Transport Layer Security (mTLS) for any hostname.
Enable mTLS
To enable mutual Transport Layer Security (mTLS) for a host from the Cloudflare dashboard:
- Log in to the Cloudflare dashboard and select your account and application.
- Go to SSL > Client Certificates.
- To enable mTLS for a host, select Edit in the Hosts section of the Client Certificates card.
- Enter the name of a host in your current application and press
Enter
. - Select Save.
After enabling mTLS for your host, you can enforce mTLS with API Shield. While API Shield is not required to use mTLS, many teams may use mTLS to protect their APIs.
Forward a client certificate
In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging.
Cloudflare API
The most common approach to forwarding a certificate is to use the Cloudflare API to update an mTLS certificate’s hostname settings.
Requestcurl --request PUT \https://api.cloudflare.com/client/v4/zones/{zone_id}/access/certificates/settings \
--header "x-auth-email: <EMAIL>" \
--header "x-auth-key: <API_KEY>" \
--header "content-type: application/json" \
--data '{ "settings": [ { "hostname": "<HOSTNAME>", "china_network": false, "client_certificate_forwarding": true } ]}'
Once client_certificate_forwarding
is set to true
, the first request of an mTLS connection will now include the following headers:
Cf-Client-Cert-Der-Base64
Cf-Client-Cert-Sha256
Managed Transforms
You can also modify HTTP response headers using Managed Transforms to pass along TLS client auth headers.
Cloudflare Workers
Additionally, Workers can provide details around the client certificate.
const tlsHeaders = { 'X-CERT-ISSUER-DN': request.cf.tlsClientAuth.certIssuerDN, 'X-CERT-SUBJECT-DN': request.cf.tlsClientAuth.certSubjectDN, 'X-CERT-ISSUER-DN-L': request.cf.tlsClientAuth.certIssuerDNLegacy, 'X-CERT-SUBJECT-DN-L': request.cf.tlsClientAuth.certSubjectDNLegacy, 'X-CERT-SERIAL': request.cf.tlsClientAuth.certSerial, 'X-CERT-FINGER': request.cf.tlsClientAuth.certFingerprintSHA1, 'X-CERT-VERIFY': request.cf.tlsClientAuth.certVerify, 'X-CERT-NOTBE': request.cf.tlsClientAuth.certNotBefore, 'X-CERT-NOTAF': request.cf.tlsClientAuth.certNotAfter};