Mutual TLS authentication (mTLS) through Cloudflare Access requires additional account permissions. If you are interested in enforcing mTLS authentication in your application with Access, please contact your Customer Success Manager.
Mutual TLS authentication ensures that traffic between a client and a server is both encrypted and authenticated in both directions. It allows clients that do not log in through an identity provider, such as IoT devices, to prove that they are authorized to reach a given resource. Client certificate authentication can also serve as a second layer of security for team members who both log in with an identity provider and present a valid client certificate.
Cloudflare Access can add mutual TLS authentication to your application. Once you upload a root certificate authority, Access will only allow requests from devices that present a client certificate issued by that CA. When a request is made to the application, Access responds with a request for the client to present a certificate. If the device does not present one, the request is not allowed to proceed. If the client does present one, Access checks during the TLS handshake that the certificate chains to the configured root CA and that the client can prove possession of the matching private key.
Add A New Certificate in the “Mutual TLS Root Certificates” card.
For example, if your site is example.com and you’ve set up an Access policy on https://auth.example.com using mTLS, start by attempting to cURL the site without a client certificate:
curl -sv https://auth.example.com
You should receive a 403 Forbidden response when no client certificate is provided, which blocks access to the site.
Now, add your client certificate information to the request:
curl -sv https://auth.example.com --cert example.pem --key key.pem
If the certificate is accepted, you should see a CF_Authorization Set-Cookie header in the response returned through Cloudflare.
Cloudflare Access evaluates every request to your application based on rules you configure. Client certificates provide a method to authenticate requests where an identity provider is not used, like IoT devices. Additionally, when an identity provider is used, enforcing mutual TLS authentication adds a second layer of security to control who can reach your application.
Note: If a request is made without a valid client certificate, the failure will return a 403 Forbidden response.
Cloudflare makes client certificate details available to be passed as request headers to your origin. For more information, follow the instructions here.
By default, Cloudflare Access will generate and sign a JSON Web Token (JWT) for all requests that complete a successful mutual TLS handshake. The token is valid for the session duration configured in the Access policy. Teams can configure automated services to reuse that token on subsequent requests. When mutual TLS is a component of users authenticating to a service, this removes the burden of an individual completing the client certificate prompt in their browser on each request.
In some cases, particularly IoT examples, the expected behavior is that Access will force a new mutual TLS handshake on each request. In those cases, the token is not needed and teams may need to ensure it expires immediately to remove the risk of it being reused. To enable this in Access, set the session duration in the policy modal to “No Duration” - Cloudflare will still generate a token, but that token will only be valid for the lifecycle of an individual request. Additionally, the token will not be sent in the response.
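An automated client that wants to reuse the token described above needs to pull CF_Authorization out of the first response and know how long it stays valid. The snippet below is an added example, not Cloudflare's code: it constructs a sample header dump and a sample JWT itself (the claims and the signature placeholder are made up, and a real Access token carries more claims than the iat and exp read here), extracts the cookie, and reports the token lifetime from exp minus iat. If the policy uses “No Duration”, no Set-Cookie is returned and the extractor comes back empty, which is the signal to keep presenting the client certificate on every request.

```shell
#!/bin/sh
# Added example: extract CF_Authorization from a curl header dump and read its
# lifetime. Not Cloudflare's code; the token and headers below are constructed.
set -eu

# Minimal base64url encoder used only to build the constructed sample token.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | sed 'y|+/|-_|'; }

# Constructed sample: a JWT with a 24-hour lifetime and a fake signature segment.
SAMPLE_JWT="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"iat":1700000000,"exp":1700086400,"aud":["constructed-sample"]}').not-a-real-signature"

# Constructed sample of what `curl -sv` or `curl -D -` would show after a
# successful mTLS handshake.
SAMPLE_HEADERS="HTTP/2 200
set-cookie: CF_Authorization=$SAMPLE_JWT; Path=/; Domain=example.com; HttpOnly; Secure
content-type: text/html"

# Read response headers on stdin; print the CF_Authorization value, or nothing
# when the response carried no token (e.g. a “No Duration” policy).
extract_cf_authorization() {
  sed -n 's/^[Ss]et-[Cc]ookie: *CF_Authorization=\([^;]*\).*/\1/p' | head -n 1
}

# Decode the payload segment of a JWT (no signature check: this is inspection,
# not validation).
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | sed 'y|-_|+/|')
  case $(( ${#p} % 4 )) in
    2) p="$p==" ;;
    3) p="$p=" ;;
  esac
  printf '%s' "$p" | base64 -d
}

# Lifetime in seconds = exp - iat, read from the payload without jq.
jwt_lifetime_seconds() {
  payload=$(jwt_payload "$1")
  iat=$(printf '%s' "$payload" | sed -n 's/.*"iat":\([0-9]*\).*/\1/p')
  exp=$(printf '%s' "$payload" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  echo $(( exp - iat ))
}

TOKEN=$(printf '%s\n' "$SAMPLE_HEADERS" | extract_cf_authorization)
if [ -z "$TOKEN" ]; then
  echo "no CF_Authorization cookie returned; present the client certificate on every request"
else
  echo "token lifetime: $(jwt_lifetime_seconds "$TOKEN") seconds"
  # Subsequent requests within that window can send the cookie instead of
  # completing another client-certificate handshake (placeholder hostname):
  echo "curl -s https://auth.example.com/ -H \"cookie: CF_Authorization=$TOKEN\""
fi
```

The lifetime reported for the constructed token is 86400 seconds, matching a 24-hour session duration. Cache the token no longer than that window, and treat an empty extraction as “re-handshake every time” rather than an error.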