New RFC 9440 mTLS certificate fields in Workers
Four new fields are now available on request.cf.tlsClientAuth in Workers for requests that include a mutual TLS (mTLS) client certificate. These fields encode the client certificate and its intermediate chain in RFC 9440 format — the same standard format used by the Client-Cert and Client-Cert-Chain HTTP headers — so your Worker can forward them directly to your origin without any custom parsing or encoding logic.

| Field | Type | Description |
|---|---|---|
| certRFC9440 | String | The client leaf certificate in RFC 9440 format (:base64-DER:). Empty if no client certificate was presented. |
| certRFC9440TooLarge | Boolean | true if the leaf certificate exceeded 10 KB and was omitted from certRFC9440. |
| certChainRFC9440 | String | The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediates were sent or if the chain exceeded 16 KB. |
| certChainRFC9440TooLarge | Boolean | true if the intermediate chain exceeded 16 KB and was omitted from certChainRFC9440. |

```js
export default {
  async fetch(request) {
    const tls = request.cf.tlsClientAuth;

    // Only forward if cert was verified and chain is complete.
    // certVerified is a status string ("SUCCESS" when validation passed) and
    // certRevoked is "1" or "0", so compare explicitly rather than by truthiness.
    if (!tls || tls.certVerified !== "SUCCESS" || tls.certRevoked === "1" ||
        tls.certChainRFC9440TooLarge) {
      return new Response("Unauthorized", { status: 401 });
    }

    // set() replaces any Client-Cert / Client-Cert-Chain value sent by the client
    const headers = new Headers(request.headers);
    headers.set("Client-Cert", tls.certRFC9440);
    headers.set("Client-Cert-Chain", tls.certChainRFC9440);

    return fetch(new Request(request, { headers }));
  },
};
```

For more information, refer to Client certificate variables and Mutual TLS authentication.
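
A stricter variant of the forwarding decision, as an added example that is not Cloudflare's code: it covers all four fields from the table, including an oversized leaf and an empty chain. `buildForwardHeaders` is a hypothetical helper, and it assumes certVerified is the string "SUCCESS" on success and certRevoked is "1" or "0".

```javascript
// Added example, not Cloudflare's code. Assumes certVerified is the status
// string "SUCCESS" on success and certRevoked is "1" or "0".
const BYTE_SEQ = /^:[A-Za-z0-9+/]+={0,2}:$/; // RFC 9440 item: ":" base64(DER) ":"

// Hypothetical helper: returns the Headers to send to the origin, or null
// when the request must be rejected with 401.
function buildForwardHeaders(tls, incoming) {
  const headers = new Headers(incoming);
  // Drop whatever the client itself put in these headers, so the origin
  // only ever sees values derived from the TLS handshake.
  headers.delete("Client-Cert");
  headers.delete("Client-Cert-Chain");

  if (!tls || tls.certVerified !== "SUCCESS" || tls.certRevoked === "1") return null;
  // An oversized leaf or chain was omitted from the fields: fail closed
  // rather than forward a partial identity.
  if (tls.certRFC9440TooLarge || tls.certChainRFC9440TooLarge) return null;
  if (!BYTE_SEQ.test(tls.certRFC9440 || "")) return null;
  headers.set("Client-Cert", tls.certRFC9440);

  // An empty chain is legitimate (no intermediates sent): leave the header
  // off instead of sending an empty value.
  if (tls.certChainRFC9440) {
    const items = tls.certChainRFC9440.split(",").map((s) => s.trim());
    if (!items.every((s) => BYTE_SEQ.test(s))) return null;
    headers.set("Client-Cert-Chain", tls.certChainRFC9440);
  }
  return headers;
}

// Constructed sample values (placeholder bytes, not real certificates).
const verified = {
  certVerified: "SUCCESS", certRevoked: "0",
  certRFC9440: ":MAMCAQE=:", certRFC9440TooLarge: false,
  certChainRFC9440: ":MAMCAQI=:,:MAMCAQM=:", certChainRFC9440TooLarge: false,
};
const leafOnly = { ...verified, certChainRFC9440: "" };
const oversizedLeaf = { ...verified, certRFC9440: "", certRFC9440TooLarge: true };
// A client sending its own chain header alongside a leaf-only certificate.
const spoofed = { "Client-Cert-Chain": ":c3Bvb2ZlZA==:" };
```

In a Worker, call `buildForwardHeaders(request.cf.tlsClientAuth, request.headers)` and return a 401 response when it yields null.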