Install the Cloudflare root certificate
Advanced security features including HTTPS traffic inspection require users to install and trust the Cloudflare root certificate on their machine or device. If you are installing certificates manually on all of your devices, these steps will need to be performed on each new device that is to be subject to HTTP filtering.
Download the Cloudflare root certificate
First, download the Cloudflare certificate from this location.
Verify the certificate fingerprint
To verify your download, check that the certificate's thumbprint matches:
SHA1
BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
SHA256
F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
Add the certificate to your system
MacOS
On MacOS, you can choose to install the Cloudflare root certificate with three different methods:
Keychain
You will need to install the root certificate in the Keychain Access application. In the application, you can choose the keychain in which you want to install the certificate. macOS offers three options, each having a different impact on which users will be affected by trusting the root certificate.
Keychain | Impact |
---|---|
login | The logged in user |
Local Items | Cached iCloud passwords |
System | All users on the system |
Installing the certificate in the Login keychain will result in only the logged in user trusting the Cloudflare certificate. Installing it in the System keychain affects all users who have access to that machine.
To install the certificate in Keychain Access:
Download the Cloudflare certificate here.
Double-click on the
.crt
file.In the pop-up message, choose the option that suits your needs (login, Local Items, or System) and click Add.
The certificate is now listed in your preferred keychain within the Keychain Access application. You can always move the certificate under a different keychain by dragging and dropping the certificate onto the desired keychain on the left.
Double-click on the certificate.
Click Trust.
- From the When using this certificate drop-down menu, select Always Trust.
- Close the menu.
The root certificate is now installed and ready to be used.
Base Operating System
You can install the Cloudflare certificate on your terminal, too.
Download the Cloudflare certificate here.
Open Terminal.
Launch the following command:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <Cloudflare_CA.crt>
Update the OpenSSL CA Store to include the Cloudflare certificate:
sudo cat Cloudflare_CA.crt >> /usr/local/etc/openssl/cert.pem
Python on Mac
Download the Cloudflare certificate here.
Install the
certifi
package.pip install certifi
Identify the CA store by running:
python -m certifi
This will output:
~/Library/Python/3.7/lib/python/site-packages/certifi/cert.pem
Append the Cloudflare certificate to this CA Store by running:
cat Cloudflare_CA.crt >> $(python -m certifi)
If needed, configure system variables to point to this CA Store by running:
export CERT_PATH=$(python -m certifi)export SSL_CERT_FILE=${CERT_PATH}export REQUESTS_CA_BUNDLE=${CERT_PATH}
iOS
Download the Cloudflare certificate here.
The device will show a message: This website is trying to open Settings to how you a configuration profile. Do you want to allow this?
Tap Allow.
Navigate to Settings > General > Profile and find the Cloudflare for Teams ECC Certificate Authority profile.
Tap Install. If the iOS device is passcode-protected, you will be prompted to enter the passcode.
Next, a certificate warning will appear. Tap Install.
If a second prompt is displayed, tap Install again.
Next, the Profile Installed screen will appear. Tap Done.
The certificate is now installed. However, before it can be used, it must be trusted by the device.
On the device, go to Settings > General > About > Certificate Trust Settings.
The installed root certificates will be displayed in the Enable full trust for root certificates section.
Tap the slide button next to the Cloudflare certificate you just installed.
A confirmation dialogue will appear. Tap Continue.
The root certificate is now installed and ready to be used.
Windows
On Windows machines, you can choose to install the Cloudflare root certificate with three different methods:
Standard
Windows offers two options to install the certificate, each having a different impact on which users will be affected by trusting the root certificate.
Store Location | Impact |
---|---|
Current User Store | The logged in user |
Local Machine Store | All users on the system |
Download the Cloudflare certificate here.
Right-click on the certificate file.
Click Open.
If you see a Security Warning window, click Open.The Certificate window will appear. Click Install Certificate.
Now choose a Store Location.
Click Next.
On the next screen, click Browse.
Choose the Trusted Root Certification Authorities store.
Click OK.
- Click Finish.
The root certificate is now installed and ready to be used.
GIT
Download the Cloudflare certificate here.
Open Powershell.
Run the following command:
git config -l
This will output:
core.symlinks=falsecore.autocrlf=truecore.fscache=truecolor.diff=autocolor.status=autocolor.branch=autocolor.interactive=truehelp.format=htmlrebase.autosquash=truehttp.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crthttp.sslbackend=openssldiff.astextplain.textconv=astextplainfilter.lfs.clean=git-lfs clean -- %ffilter.lfs.smudge=git-lfs smudge -- %ffilter.lfs.process=git-lfs filter-processfilter.lfs.required=truecredential.helper=manager
The
http.sslcainfo
defines the CA Certificate store. Update this to append the Cloudflare certificate to the CA bundle by running this command:gc .\Cloudflare_CA.crt | ac $(git config --get http.sslcainfo)
Python on Windows
The command to install the certificate with Python on Windows automatically includes PIP and Certifi (the default certificate bundle for certificate validation).
Download the Cloudflare certificate here.
Run the following command to update the bundle to include the Cloudflare certificate:
gc .\Cloudflare_CA.crt | ac C:\Python37\Lib\site-packages\pip\_vendor\certifi\cacert.pem
Android
Download the Cloudflare certificate here.
Navigate to the Settings menu.
Select Security.
- Tap Advanced > Encryption & Credentials.
- Tap Install a certificate > CA certificate.
- Tap Install Anyway.
Verify your identity through the fingerprint, or by inserting the pin code.
Select the certificate you want to install.
The root certificate is now installed and ready to be used.