---
title: New RFC 9440 mTLS certificate fields in Workers
description: Four new fields in request.cf.tlsClientAuth expose client certificate data in RFC 9440 format, making it simpler to forward mTLS certificate information to your origin.
image: https://developers.cloudflare.com/changelog-preview.png
---


# Changelog

New updates and improvements at Cloudflare.


## New RFC 9440 mTLS certificate fields in Workers

Mar 27, 2026 

[ Workers ](https://developers.cloudflare.com/workers/) 

Four new fields are now available on `request.cf.tlsClientAuth` in Workers for requests that include a mutual TLS (mTLS) client certificate. These fields encode the client certificate and its intermediate chain in [RFC 9440 ↗](https://www.rfc-editor.org/rfc/rfc9440) format — the same standard format used by the `Client-Cert` and `Client-Cert-Chain` HTTP headers — so your Worker can forward them directly to your origin without any custom parsing or encoding logic.

#### New fields

| Field                    | Type    | Description                                                                                                                                          |
| ------------------------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| certRFC9440              | String  | The client leaf certificate in RFC 9440 format (:base64-DER:). Empty if no client certificate was presented.                                         |
| certRFC9440TooLarge      | Boolean | true if the leaf certificate exceeded 10 KB and was omitted from certRFC9440.                                                                        |
| certChainRFC9440         | String  | The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediates were sent or if the chain exceeded 16 KB. |
| certChainRFC9440TooLarge | Boolean | true if the intermediate chain exceeded 16 KB and was omitted from certChainRFC9440.                                                                 |

#### Example: forwarding client certificate headers to your origin

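```js
export default {
  async fetch(request) {
    const tls = request.cf.tlsClientAuth;

    // Only forward if the cert was verified, is not revoked, and the leaf and chain are complete.
    // certVerified is a status string ("SUCCESS", "NONE", "FAILED:...") and certRevoked is "1" or "0",
    // so compare explicitly instead of relying on truthiness.
    if (
      !tls ||
      tls.certVerified !== "SUCCESS" ||
      tls.certRevoked === "1" ||
      tls.certRFC9440TooLarge ||
      tls.certChainRFC9440TooLarge
    ) {
      return new Response("Unauthorized", { status: 401 });
    }

    // Copy the incoming headers, then overwrite any client-supplied values.
    const headers = new Headers(request.headers);
    headers.set("Client-Cert", tls.certRFC9440);
    headers.set("Client-Cert-Chain", tls.certChainRFC9440);

    return fetch(new Request(request, { headers }));
  },
};
```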
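On the receiving side, the origin still has to decode these values before it can use the certificate. The following is an added example, not code from Cloudflare: a strict parser for the `:base64-DER:` items in `Client-Cert` and `Client-Cert-Chain` that also checks the outer DER framing. The function names are hypothetical and the sample bytes are constructed; it requires `=` padding and does not validate the certificate itself.

```javascript
// Added example: origin-side parsing of RFC 9440 header values.
// Function names are hypothetical; the sample bytes are constructed, not a real certificate.

// One certificate is a Structured Fields Byte Sequence: ":<base64 of DER>:".
const BYTE_SEQUENCE = /^:([A-Za-z0-9+/]+={0,2}):$/;

// True if the buffer is exactly one SEQUENCE TLV (tag 0x30) whose length fills the buffer.
function isSingleDerSequence(der) {
  if (der.length < 2 || der[0] !== 0x30) return false;
  let len = der[1];
  let offset = 2;
  if (len & 0x80) {
    const n = len & 0x7f; // long form: the next n bytes hold the length
    if (n === 0 || n > 4 || der.length < 2 + n) return false;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
    offset = 2 + n;
  }
  return offset + len === der.length;
}

// Decode one ":base64:" item to DER bytes, rejecting anything malformed.
function parseClientCert(value) {
  const m = BYTE_SEQUENCE.exec(String(value).trim());
  if (!m || m[1].length % 4 !== 0) {
    throw new Error("not an RFC 9440 byte sequence");
  }
  const der = Uint8Array.from(atob(m[1]), (ch) => ch.charCodeAt(0));
  if (!isSingleDerSequence(der)) {
    throw new Error("payload is not a single DER SEQUENCE");
  }
  return der;
}

// Client-Cert-Chain is a comma-separated list of the same items.
// An empty value means no intermediates were forwarded.
function parseClientCertChain(value) {
  const text = String(value ?? "").trim();
  return text === "" ? [] : text.split(",").map(parseClientCert);
}

// Constructed sample: SEQUENCE { INTEGER 5 }, standing in for certificate DER.
const sampleDer = [0x30, 0x03, 0x02, 0x01, 0x05];
const sampleItem = ":" + btoa(String.fromCharCode(...sampleDer)) + ":";
```

Pass the decoded bytes to your X.509 library for the actual certificate checks; this parser only rejects values that are not well-formed RFC 9440 items.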


For more information, refer to [Client certificate variables](https://developers.cloudflare.com/ssl/client-certificates/client-certificate-variables/#workers-variables) and [Mutual TLS authentication](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/).