Cloudflare API | Origin TLS Client Auth › Hostnames › Enable Or Disable A Hostname For Client Authentication

Upload your own certificate you want Cloudflare to use for edge-to-origin communication to override the shared certificate. Please note that it is important to keep only one certificate active. Also, make sure to enable zone-level authenticated origin pulls by making a PUT call to settings endpoint to see the uploaded certificate in use.

Delete Certificate -> Envelope<

ZoneAuthenticatedOriginPull

Deprecated

delete/zones/{zone_id}/origin_tls_client_auth/{certificate_id}

Deprecated

Use zone_certificates.delete for zone-level certificates. This method will be removed in a future major version.

Removes a client certificate used for zone-level authenticated origin pulls.

Origin TLS Client Auth

Hostname Certificates

origin_tls_client_auth.hostname_certificates

Methods

List Certificates -> SinglePage<{ id, certificate, expires_on, 5 more... }>

get/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates

Lists all client certificates configured for per-hostname authenticated origin pulls on the zone.

Get The Hostname Client Certificate -> Envelope<{ id, certificate, expires_on, 5 more... }>

get/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates/{certificate_id}

Get the certificate by ID to be used for client authentication on a hostname.

Upload A Hostname Client Certificate -> Envelope<{ id, certificate, expires_on, 5 more... }>

post/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates

Upload a certificate to be used for client authentication on a hostname. 10 hostname certificates per zone are allowed.

Delete Hostname Client Certificate -> Envelope<{ id, certificate, expires_on, 5 more... }>

delete/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates/{certificate_id}

Removes a client certificate used for authenticated origin pulls on a specific hostname. Note: Before deleting the certificate, you must first invalidate the hostname for client authentication by sending a PUT request with enabled set to null. After invalidating the association, the certificate can be safely deleted.

Domain types

Certificate = { id, certificate, expires_on, 5 more... }

Origin TLS Client Auth

Hostnames

origin_tls_client_auth.hostnames

Methods

Get The Hostname Status For Client Authentication -> Envelope<

AuthenticatedOriginPull

get/zones/{zone_id}/origin_tls_client_auth/hostnames/{hostname}

Retrieves the client certificate authentication status for a specific hostname, showing whether authenticated origin pulls are enabled.

Enable Or Disable A Hostname For Client Authentication -> SinglePage<

AuthenticatedOriginPull

put/zones/{zone_id}/origin_tls_client_auth/hostnames

Associate a hostname to a certificate and enable, disable or invalidate the association. If disabled, client certificate will not be sent to the hostname even if activated at the zone level. 100 maximum associations on a single certificate are allowed. Note: Use a null value for parameter enabled to invalidate the association.

Security

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

Accepted Permissions (at least one required)

SSL and Certificates Write

path Parameters

zone_id: string

(maxLength: 32)

Identifier.

Response fields

errors: Array<{ code, message, documentation_url, 1 more... }>

messages: Array<{ code, message, documentation_url, 1 more... }>

success: true

Whether the API call was successful.

result: Array<

AuthenticatedOriginPull

Optional

result_info: { count, page, per_page, 1 more... }

Optional

Request example

curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames \
    -X PUT \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "config": [
            {}
          ]
        }'

200Example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "cert_id": "023e105f4ecef8ad9ca31a8372d0c353",
      "cert_status": "active",
      "cert_updated_at": "2100-01-01T05:20:00Z",
      "cert_uploaded_on": "2019-10-28T18:11:23.37411Z",
      "certificate": "-----BEGIN CERTIFICATE-----\nMIIDtTCCAp2gAwIBAgIJAMHAwfXZ5/PWMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV\nBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX\naWRnaXRzIFB0eSBMdGQwHhcNMTYwODI0MTY0MzAxWhcNMTYxMTIyMTY0MzAxWjBF\nMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50\nZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\nCgKCAQEAwQHoetcl9+5ikGzV6cMzWtWPJHqXT3wpbEkRU9Yz7lgvddmGdtcGbg/1\nCGZu0jJGkMoppoUo4c3dts3iwqRYmBikUP77wwY2QGmDZw2FvkJCJlKnabIRuGvB\nKwzESIXgKk2016aTP6/dAjEHyo6SeoK8lkIySUvK0fyOVlsiEsCmOpidtnKX/a+5\n0GjB79CJH4ER2lLVZnhePFR/zUOyPxZQQ4naHf7yu/b5jhO0f8fwt+pyFxIXjbEI\ndZliWRkRMtzrHOJIhrmJ2A1J7iOrirbbwillwjjNVUWPf3IJ3M12S9pEewooaeO2\nizNTERcG9HzAacbVRn2Y2SWIyT/18QIDAQABo4GnMIGkMB0GA1UdDgQWBBT/LbE4\n9rWf288N6sJA5BRb6FJIGDB1BgNVHSMEbjBsgBT/LbE49rWf288N6sJA5BRb6FJI\nGKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV\nBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAMHAwfXZ5/PWMAwGA1UdEwQF\nMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHHFwl0tH0quUYZYO0dZYt4R7SJ0pCm2\n2satiyzHl4OnXcHDpekAo7/a09c6Lz6AU83cKy/+x3/djYHXWba7HpEu0dR3ugQP\nMlr4zrhd9xKZ0KZKiYmtJH+ak4OM4L3FbT0owUZPyjLSlhMtJVcoRp5CJsjAMBUG\nSvD8RX+T01wzox/Qb+lnnNnOlaWpqu8eoOenybxKp1a9ULzIVvN/LAcc+14vioFq\n2swRWtmocBAs8QR9n4uvbpiYvS8eYueDCWMM4fvFfBhaDZ3N9IbtySh3SpFdQDhw\nYbjM2rxXiyLGxB4Bol7QTv4zHif7Zt89FReT/NBy4rzaskDJY5L6xmY=\n-----END CERTIFICATE-----\n",
      "created_at": "2100-01-01T05:20:00Z",
      "enabled": true,
      "expires_on": "2100-01-01T05:20:00Z",
      "hostname": "app.example.com",
      "issuer": "GlobalSign",
      "serial_number": "6743787633689793699141714808227354901",
      "signature": "SHA256WithRSA",
      "status": "active",
      "updated_at": "2100-01-01T05:20:00Z",
      "id": "023e105f4ecef8ad9ca31a8372d0c353",
      "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAwQHoetcl9+5ikGzV6cMzWtWPJHqXT3wpbEkRU9Yz7lgvddmG\ndtcGbg/1CGZu0jJGkMoppoUo4c3dts3iwqRYmBikUP77wwY2QGmDZw2FvkJCJlKn\nabIRuGvBKwzESIXgKk2016aTP6/dAjEHyo6SeoK8lkIySUvK0fyOVlsiEsCmOpid\ntnKX/a+50GjB79CJH4ER2lLVZnhePFR/zUOyPxZQQ4naHf7yu/b5jhO0f8fwt+py\nFxIXjbEIdZliWRkRMtzrHOJIhrmJ2A1J7iOrirbbwillwjjNVUWPf3IJ3M12S9pE\newooaeO2izNTERcG9HzAacbVRn2Y2SWIyT/18QIDAQABAoIBACbhTYXBZYKmYPCb\nHBR1IBlCQA2nLGf0qRuJNJZg5iEzXows/6tc8YymZkQE7nolapWsQ+upk2y5Xdp/\naxiuprIs9JzkYK8Ox0r+dlwCG1kSW+UAbX0bQ/qUqlsTvU6muVuMP8vZYHxJ3wmb\n+ufRBKztPTQ/rYWaYQcgC0RWI20HTFBMxlTAyNxYNWzX7RKFkGVVyB9RsAtmcc8g\n+j4OdosbfNoJPS0HeIfNpAznDfHKdxDk2Yc1tV6RHBrC1ynyLE9+TaflIAdo2MVv\nKLMLq51GqYKtgJFIlBRPQqKoyXdz3fGvXrTkf/WY9QNq0J1Vk5ERePZ54mN8iZB7\n9lwy/AkCgYEA6FXzosxswaJ2wQLeoYc7ceaweX/SwTvxHgXzRyJIIT0eJWgx13Wo\n/WA3Iziimsjf6qE+SI/8laxPp2A86VMaIt3Z3mJN/CqSVGw8LK2AQst+OwdPyDMu\niacE8lj/IFGC8mwNUAb9CzGU3JpU4PxxGFjS/eMtGeRXCWkK4NE+G08CgYEA1Kp9\nN2JrVlqUz+gAX+LPmE9OEMAS9WQSQsfCHGogIFDGGcNf7+uwBM7GAaSJIP01zcoe\nVAgWdzXCv3FLhsaZoJ6RyLOLay5phbu1iaTr4UNYm5WtYTzMzqh8l1+MFFDl9xDB\nvULuCIIrglM5MeS/qnSg1uMoH2oVPj9TVst/ir8CgYEAxrI7Ws9Zc4Bt70N1As+U\nlySjaEVZCMkqvHJ6TCuVZFfQoE0r0whdLdRLU2PsLFP+q7qaeZQqgBaNSKeVcDYR\n9B+nY/jOmQoPewPVsp/vQTCnE/R81spu0mp0YI6cIheT1Z9zAy322svcc43JaWB7\nmEbeqyLOP4Z4qSOcmghZBSECgYACvR9Xs0DGn+wCsW4vze/2ei77MD4OQvepPIFX\ndFZtlBy5ADcgE9z0cuVB6CiL8DbdK5kwY9pGNr8HUCI03iHkW6Zs+0L0YmihfEVe\nPG19PSzK9CaDdhD9KFZSbLyVFmWfxOt50H7YRTTiPMgjyFpfi5j2q348yVT0tEQS\nfhRqaQKBgAcWPokmJ7EbYQGeMbS7HC8eWO/RyamlnSffdCdSc7ue3zdVJxpAkQ8W\nqu80pEIF6raIQfAf8MXiiZ7auFOSnHQTXUbhCpvDLKi0Mwq3G8Pl07l+2s6dQG6T\nlv6XTQaMyf6n1yjzL+fzDrH3qXMxHMO/b13EePXpDMpY7HQpoLDi\n-----END RSA PRIVATE KEY-----\n"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}

Domain types

AuthenticatedOriginPull = { cert_id, cert_status, cert_updated_at, 11 more... }

Origin TLS Client Auth

Settings

origin_tls_client_auth.settings

Methods

Get Enablement Setting For Zone -> Envelope<{ enabled }>

get/zones/{zone_id}/origin_tls_client_auth/settings

Get whether zone-level authenticated origin pulls is enabled or not. It is false by default.

Set Enablement For Zone -> Envelope<{ enabled }>

put/zones/{zone_id}/origin_tls_client_auth/settings

Enable or disable zone-level authenticated origin pulls. 'enabled' should be set true either before/after the certificate is uploaded to see the certificate in use.

Origin TLS Client Auth