Mutual TLS authentication through Cloudflare Access requires additional account permissions. If you are interested in enforcing mTLS authentication in your application with Access, please contact your Customer Success Manager.
Mutual TLS authentication ensures that the traffic is secure and trusted in both directions between a client and server. This type of authentication can be used to allow requests that do not log in with an identity provider, such as those from IoT devices, to demonstrate that they should be able to reach a given resource. Client certificate authentication can also be used as a second layer of security for team members who both log in with an identity provider and present a valid client certificate.
Cloudflare Access can add mutual TLS authentication to your application. With a root CA in place, Access will only allow requests from devices that have a corresponding client certificate. When a request is made to the application, Access will respond with a request for the client to present a certificate. If the device fails to present one, the request will not be allowed to proceed. If the client does have a certificate, Access will complete the key exchange and verify the certificate against the configured root CA.
Select “Add A New Certificate” in the “Mutual TLS Root Certificates” card.
For example, if your hostname is foo.com, start by attempting to cURL the server without a client certificate:

curl https://foo.com

You should receive a 302 redirect if the root CA was correctly applied, preventing your access. Now, add your client certificate to the request:

curl https://foo.com --cert example.pem --key key.pem
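As an added check (not part of Cloudflare's documentation), the following POSIX shell script runs both cURL probes from the steps above and interprets the status codes, so a misconfigured root CA is caught rather than mistaken for success. It assumes curl is installed; foo.com, example.pem and key.pem are the page's placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Cloudflare's own code. Probes an Access-protected
# hostname with and without a client certificate and interprets the result.
# Assumes curl is installed; the hostname, certificate and key are placeholders.

# mtls_status HOST [CERT KEY]: print only the HTTP status code returned.
# The flags use two ASCII hyphens; an en-dash pasted from a web page
# makes curl treat "–cert" as a URL to fetch instead of an option.
mtls_status() {
  host=$1; cert=${2:-}; key=${3:-}
  if [ -n "$cert" ]; then
    curl -s -o /dev/null -w '%{http_code}' --cert "$cert" --key "$key" "https://$host"
  else
    curl -s -o /dev/null -w '%{http_code}' "https://$host"
  fi
}

# interpret CODE WITH_CERT(yes|no): what the code means for the mTLS policy.
interpret() {
  case "$1:$2" in
    302:no)  echo "ok: no certificate -> redirected to login, policy enforced" ;;
    302:yes) echo "rejected: certificate presented but not accepted (not issued under the uploaded root CA?)" ;;
    200:no)  echo "warning: reachable without a certificate, root CA may not be applied" ;;
    200:yes) echo "ok: certificate accepted" ;;
    *)       echo "unexpected status $1 (with certificate: $2)" ;;
  esac
}

# mtls_check HOST CERT KEY: run both probes, print the verdicts, and succeed
# only when the policy blocks bare requests and admits the certificate.
mtls_check() {
  without=$(mtls_status "$1")
  with=$(mtls_status "$1" "$2" "$3")
  interpret "$without" no
  interpret "$with" yes
  [ "$without" = "302" ] && [ "$with" = "200" ]
}

# Only runs a live check when the placeholders are supplied, e.g.
#   MTLS_HOST=foo.com MTLS_CERT=example.pem MTLS_KEY=key.pem sh mtls_check.sh
if [ -n "${MTLS_HOST:-}" ]; then
  mtls_check "$MTLS_HOST" "$MTLS_CERT" "$MTLS_KEY"
fi
```

A 302 on the request that carries the certificate means Access is enforcing the policy but did not accept that certificate, which is the case to investigate before assuming the client is at fault.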
Cloudflare Access evaluates every request to your application based on rules you configure. Client certificates provide a method to authenticate requests where an identity provider is not used, like IoT devices. Additionally, when an identity provider is used, enforcing mTLS authentication adds a second layer of security to control who can reach your application.
Note: If a request is made without a valid client certificate, the failure will return a 302.
Cloudflare makes client certificate details available to be passed as request headers to your origin. For more information, follow the instructions here.