Mutual TLS Authentication

Mutual TLS authentication through Cloudflare Access requires additional account permissions. If you are interested in enforcing mTLS authentication in your application with Access, please contact your Customer Success Manager.

Mutual TLS authentication ensures that the traffic is secure and trusted in both directions between a client and server. This type of authentication can be used for allowing requests that do not login with an identity provider, like IoT devices, to demonstrate that they should be able to reach a given resource. Client certificate authentication can also be used as a second layer of security for team members who both login with an identity provider and present a valid client certificate.

Cloudflare Access can add mutual TLS authentication to your application. With a root CA in place, Access will only allow requests from devices that have a corresponding client certificate. When a request is made to the application, Access will respond with a request for the client to present a certificate. If the device fails to present one, the request will not be allowed to proceed. If the client does have a certificate, Access will complete a key exchange to verify.

mTLS Diagram

Adding Mutual TLS Authentication to your Access Configuration

  1. To enforce mutual TLS authentication, navigate to the Access tab in the Cloudflare dashboard for the application you need to secure.
  2. In the Access panel, click Add A New Certificate in the “Mutual TLS Root Certificates” card.
  3. In the modal, assign the Root CA a name. Next, paste the Root CA certificate in the “Certificate content” field in PEM format. If you are using an intermediate certificate, in addition to the root, upload the entire chain here.
  4. You will need to associate the certificate with a hostname as paths cannot be associated. In the “Associated Hostnames” field, input the hostnames where you plan to enforce mTLS authentication. Thest must be hostnames in your account.
  5. Next, create an Access Policy. Apply the policy to the path you intend to protect.
  6. Under the Policies section, name the policy and select “Non Identity” as the Decision.
  7. Under “Include” select “Valid Certificate” in the drop-down and it will populate with the certificate you associated with this hostname.
  8. Save the rule; you can use cURL to test the operation.

Testing with cURL

For example, if your hostname is foo.com, start by attempting to cURL the server without a client certificate: curl https://foo.com You should receive a 302 redirect if the root CA was correctly applied, preventing your access. Now, add your client certificate to the request: curl https://foo.com –cert example.pem –key key.pem

Method of Validation

Cloudflare Access evaluates every request to your application based on rules you configure. Client certificates provide a method to authenticate requests where an identity provider is not used, like IoT devices. Additionally, when an identity provider is used, enforcing mTLS authentication adds a second layer of security to control who can reach your application.

Note: If a request is made without a valid client certificate, the failure will return a 302.

  1. With a policy in place, Access will evaluate all requests to the origin for the presence of a valid client certificate. When the client devices sends the client hello, Cloudflare Access will respond with the server hello and a request for the client certificate.
  2. The client certificate, if configured on the device, will be presented with the request from Cloudflare for a client certificate.
  3. Cloudflare Access will proceed to complete the client authentication handshake against the root CA and, if applicable, intermediates configured for the policy.
  4. Chain verification can be used for certificate validation. If a chain is used, Access will evaluate each certificate in the chain to ensure none are expired.
  5. If the client certificate is trusted by the root certificate, Cloudflare Access will allow the request and subsequent requests to proceed by generating a signed JSON Web Token for the client.

Passing Request Headers

Cloudflare makes client certificate details available to be passed as request headers to your origin. For more information, follow the instructions here.