Origin TLS Client Auth

origin_tls_client_auth

Methods

Upload Certificate -> Envelope<>
POST /zones/{zone_id}/origin_tls_client_auth

Upload your own certificate for Cloudflare to use for edge-to-origin communication, overriding the shared certificate. It is important to keep only one certificate active. To see the uploaded certificate in use, also enable zone-level authenticated origin pulls by making a PUT call to the settings endpoint.

Delete Certificate -> Envelope<>
DELETE /zones/{zone_id}/origin_tls_client_auth/{certificate_id}

Delete Certificate

Get Certificate Details -> Envelope<>
GET /zones/{zone_id}/origin_tls_client_auth/{certificate_id}

Get Certificate Details

List Certificates -> SinglePage<>
GET /zones/{zone_id}/origin_tls_client_auth

List Certificates

Domain types

ZoneAuthenticatedOriginPull = { id, certificate, expires_on, 4 more... }

origin_tls_client_auth.hostnames

Methods

Get The Hostname Status For Client Authentication -> Envelope<>
GET /zones/{zone_id}/origin_tls_client_auth/hostnames/{hostname}

Get the Hostname Status for Client Authentication

Enable Or Disable A Hostname For Client Authentication -> Envelope<Array<>>
PUT /zones/{zone_id}/origin_tls_client_auth/hostnames

Associate a hostname with a certificate and enable, disable or invalidate the association. If the association is disabled, the client certificate will not be sent to the hostname even if it is activated at the zone level. A maximum of 100 associations is allowed on a single certificate. Note: use a null value for the 'enabled' parameter to invalidate the association.
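
A pre-flight check for this endpoint, added here as an example (not Cloudflare's own code): it builds the PUT body, sends an invalidation as a null 'enabled' value, and refuses a batch that would leave more than 100 hostnames on one certificate. The config/hostname/cert_id body layout, the Bearer token header, the API base URL and the rule that a disabled association still counts toward the limit are assumptions not stated on this page; all IDs are constructed placeholders.

```python
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"  # assumed base URL
MAX_ASSOCIATIONS_PER_CERT = 100  # limit stated in the endpoint description


def plan_associations(existing, changes):
    """Return the PUT body for a batch of hostname/certificate changes.

    existing: {cert_id: set(hostnames)} already associated (caller-supplied).
    changes:  [(hostname, cert_id, enabled)], enabled is True, False or None.
    """
    after = {cert: set(hosts) for cert, hosts in existing.items()}
    config = []
    for hostname, cert_id, enabled in changes:
        if enabled is not None and not isinstance(enabled, bool):
            raise ValueError(f"{hostname}: enabled must be true, false or null")
        hosts = after.setdefault(cert_id, set())
        if enabled is None:
            hosts.discard(hostname)  # null invalidates the association
        else:
            hosts.add(hostname)      # assumed: a disabled association still counts
        config.append({"hostname": hostname, "cert_id": cert_id, "enabled": enabled})
    for cert_id, hosts in after.items():
        if len(hosts) > MAX_ASSOCIATIONS_PER_CERT:
            raise ValueError(f"{cert_id}: {len(hosts)} associations exceeds "
                             f"{MAX_ASSOCIATIONS_PER_CERT}")
    return {"config": config}


def build_request(zone_id, api_token, body):
    """Build (but do not send) the PUT request, authenticating with an API token."""
    return urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/origin_tls_client_auth/hostnames",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample values; none come from a real zone.
    existing = {"cert-A": {f"h{i}.example.com" for i in range(99)}}
    body = plan_associations(existing, [("new.example.com", "cert-A", True),
                                        ("h0.example.com", "cert-A", None)])
    req = build_request("ZONE_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER", body)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```
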

Security
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Parameters
zone_id: string

Identifier

Response fields
errors: Array<>
messages: Array<>
success: true

Whether the API call was successful

result: Array<> (optional)
result_info: { count, page, per_page, 1 more... } (optional)

Domain types

AuthenticatedOriginPull = { cert_id, cert_status, cert_updated_at, 11 more... }

origin_tls_client_auth.hostnames.certificates

Methods

Upload A Hostname Client Certificate -> Envelope<{ id, certificate, expires_on, 5 more... }>
POST /zones/{zone_id}/origin_tls_client_auth/hostnames/certificates

Upload a certificate to be used for client authentication on a hostname. 10 hostname certificates per zone are allowed.

Delete Hostname Client Certificate -> Envelope<{ id, certificate, expires_on, 5 more... }>
DELETE /zones/{zone_id}/origin_tls_client_auth/hostnames/certificates/{certificate_id}

Delete Hostname Client Certificate

Get The Hostname Client Certificate -> Envelope<{ id, certificate, expires_on, 5 more... }>
GET /zones/{zone_id}/origin_tls_client_auth/hostnames/certificates/{certificate_id}

Get the certificate by ID to be used for client authentication on a hostname.

List Certificates -> SinglePage<>
GET /zones/{zone_id}/origin_tls_client_auth/hostnames/certificates

List Certificates

Domain types

Certificate = { id, certificate, expires_on, 5 more... }

origin_tls_client_auth.settings

Methods

Get Enablement Setting For Zone -> Envelope<{ enabled }>
GET /zones/{zone_id}/origin_tls_client_auth/settings

Get whether zone-level authenticated origin pulls are enabled. The setting is false by default.

Set Enablement For Zone -> Envelope<{ enabled }>
PUT /zones/{zone_id}/origin_tls_client_auth/settings

Enable or disable zone-level authenticated origin pulls. Set 'enabled' to true, either before or after the certificate is uploaded, to see the certificate in use.