Mutual TLS testing

You can use Cloudflare's open source tools for private key infrastructure (PKI) to test the mTLS feature in Cloudflare Access. This guide details the process to generate a Root CA, add it to the Cloudflare dashboard, and issue client certificates that can authenticate against the root CA and reach a protected resource.

Installing dependencies

The process requires two packages from Cloudflare's PKI toolkit:

  • cf-ssl
  • cfssljson

You can install these packages from the Cloudflare SSL GitHub repository. You will need a working installation of Go, version 1.12 or later. Alternatively, you can download the packages directly.

Use the instructions under "Installation" to install the toolkit. Ensure that you install all of the utility programs in the toolkit.

Generating the Root CA

Create a new directory to store the Root CA. Within that directory, create two new files:

CSR

Create a file named ca-csr.json and add the following JSON blob.

{
  "CN": "Access Testing CA",
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "US",
      "L": "Austin",
      "O": "Access Testing",
      "OU": "TX",
      "ST": "Texas"
    }
  ]
}

Save the file.

Next, create a file named ca-config.json and add the following JSON blob.

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "server": {
        "usages": ["signing", "key encipherment", "server auth"],
        "expiry": "8760h"
      },
      "client": {
        "usages": ["signing","key encipherment","client auth"],
        "expiry": "8760h"
      }
    }
  }
}

Save the config file as well.

Now, run the following command to generate the Root CA with those files.

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca

Within the directory, check its content to confirm the output was successful.

$ ls

The output should now return the following content.

ca-config.json	ca-csr.json	ca-key.pem	ca.csr		ca.pem

Access dashboard configuration

With the Root CA generated, you can now add the public key to the Cloudflare Access dashboard.

You will need the ca.pem file generated by Cloudflare SSL. This file will be saved to the working directory used above.

In the Cloudflare Access dashboard, open the row titled Service Auth and select the tab Mutual TLS. Click Add mTLS Certificate.

Root CA

Paste the content of the ca.pem file in the Certificate content field. Assign the Root CA a name and add the fully-qualified domain names (FQDN) that will use this certificate. These FQDNs will be the hostnames used for the resources being protected in the Access policy. Click save.

Root CA

Once saved, navigate to the section titled "Access Policies". Create a new policy that will enforce mTLS authentication. The policy must be built with a hostname that was associated in the certificate upload modal.

Under the Policies section, select "Non Identity" from the drop-down for Decision. In the Include rule, you can pick from two options for mTLS authentication.

OptionResult
Common NameOnly client certificates with a specific common name will be allowed to proceed.
Valid CertificateAny client certificate that can authenticate with the Root CA will be allowed to proceed.

mTLS Policy

Click save.

Generating a client certificate

Returning to the terminal, generate a client certificate that will authenticate against the Root CA uploaded. This example creates a new directory to keep client certificates separate from the Root CA working location for ease of management.

CSR

Create a file named client-csr.json and add the following JSON blob.

{
  "CN": "James Royal",
  "hosts": [""],
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "US",
      "L": "Austin",
      "O": "Access",
      "OU": "Access Admins",
      "ST": "Texas"
    }
  ]
}

Now, use the following command to generate a client certificate with the Cloudflare PKI toolkit.

$ cfssl gencert -ca=../mtls-test/ca.pem -ca-key=../mtls-test/ca-key.pem  -config=../mtls-test/ca-config.json -profile=client client-csr.json | cfssljson -bare client

You can now test the client certificate with the following cURL command.

$ curl -v --cert client.pem --key client-key.pem https://iot.widgetcorp.tech

Testing in the browser

The instructions here cover usage with a computer running MacOS.

In the same working directory, run the following command to add the client certificate into the MacOS Keychain.

Warning: this will add the client certificate to the trusted store on your device. Only proceed if you are comfortable doing so and intend to keep these testing certificates safeguarded.

$ open client.pem
$ security import client-key.pem -k ~/Library/Keychains/login.keychain-db

Click on the certificate in the Keychain list to set the certificate to trusted. Confirm that the certificate is listed in "My Certificates".

Creating a CRL

You can use the Cloudflare PKI toolkit to generate a certificate revocation list (CRL), as well. This list will contain client certificates that are revoked.

First, get the serial number from the client certificate generated earlier. Add that serial number, or any others you intend to revoke, in hex format in a text file. This example uses a file named serials.txt.

Next, create the CRL with the following command.

cfssl gencrl serials.txt ../mtls-test/ca.pem ../mtls-test/ca-key.pem | base64 -D > ca.crl

You will need to add this to your server or enforce the revocation in a Cloudflare Worker.