Skip to content
Cloudflare for Teams
Visit Cloudflare for Teams on GitHub
Set theme to dark (⇧+D)

Install the Cloudflare certificate

Advanced security features including HTTPS traffic inspection require users to install and trust the Cloudflare root certificate on their machine or device. If you are installing certificates manually on all of your devices, these steps will need to be performed on each new device that is to be subject to HTTP filtering.

Download the Cloudflare root certificate

First, download the Cloudflare certificate. The certificate is available both as a .pem and as a .crt file. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case.

Verify the certificate fingerprint

To verify your download, check that the certificate's thumbprint matches:


~ openssl x509 -noout -fingerprint -sha1 -inform der -in <Cloudflare_CA.crt>
SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
~ openssl x509 -noout -fingerprint -sha1 -inform pem -in <Cloudflare_CA.pem>
SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C


~ openssl x509 -noout -fingerprint -sha256 -inform der -in <Cloudflare_CA.crt>
sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
~ openssl x509 -noout -fingerprint -sha256 -inform pem -in <Cloudflare_CA.pem>
sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF

Add the certificate to your system


You will need to install the root certificate in the Keychain Access application. In the application, you can choose the keychain in which you want to install the certificate. macOS offers three options, each having a different impact on which users will be affected by trusting the root certificate.

loginThe logged in user
Local ItemsCached iCloud passwords
SystemAll users on the system

Installing the certificate in the Login keychain will result in only the logged in user trusting the Cloudflare certificate. Installing it in the System keychain affects all users who have access to that machine.

To install the certificate in Keychain Access:

  1. Download the Cloudflare certificate.

  2. Double-click on the .crt file.

  3. In the pop-up message, choose the option that suits your needs (login, Local Items, or System) and click Add.


    The certificate is now listed in your preferred keychain within the Keychain Access application. You can always move the certificate under a different keychain by dragging and dropping the certificate onto the desired keychain on the left.


  4. Double-click on the certificate.

  5. Click Trust.


  1. From the When using this certificate drop-down menu, select Always Trust.

Always trust

  1. Close the menu.

The root certificate is now installed and ready to be used.

Base Operating System

You can install the Cloudflare certificate on your terminal, too.

  1. Download the Cloudflare certificate.

  2. Open Terminal.

  3. Launch the following command:

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <Cloudflare_CA.crt>
  4. Update the OpenSSL CA Store to include the Cloudflare certificate:

    sudo cat Cloudflare_CA.crt >> /usr/local/etc/openssl/cert.pem


  1. Download the Cloudflare certificate.

    The device will show a message: This website is trying to open Settings to how you a configuration profile. Do you want to allow this?

iOS download

  1. Tap Allow.

  2. Navigate to Settings > General > Profile and find the Cloudflare for Teams ECC Certificate Authority profile.

iOS profile

  1. Tap Install. If the iOS device is passcode-protected, you will be prompted to enter the passcode.

  2. Next, a certificate warning will appear. Tap Install.

    If a second prompt is displayed, tap Install again.

  3. Next, the Profile Installed screen will appear. Tap Done.

    The certificate is now installed. However, before it can be used, it must be trusted by the device.

  4. On the device, go to Settings > General > About > Certificate Trust Settings.

    The installed root certificates will be displayed in the Enable full trust for root certificates section.

    iOS cert trust

  5. Tap the slide button next to the Cloudflare certificate you just installed.

  6. A confirmation dialogue will appear. Tap Continue.

    iOS cert confirm

The root certificate is now installed and ready to be used.


Windows offers two options to install the certificate, each having a different impact on which users will be affected by trusting the root certificate.

Store LocationImpact
Current User StoreThe logged in user
Local Machine StoreAll users on the system
  1. Download the Cloudflare certificate.

  2. Right-click on the certificate file.

  3. Click Open.
    If you see a Security Warning window, click Open.

  4. The Certificate window will appear. Click Install Certificate.

Windows install cert

  1. Now choose a Store Location.

  2. Click Next.

  3. On the next screen, click Browse.

  4. Choose the Trusted Root Certification Authorities store.

  5. Click OK.

Windows cert location

  1. Click Finish.

Windows cert install complete

The root certificate is now installed and ready to be used.


  1. Download the Cloudflare certificate.

  2. Navigate to the Settings menu.

  3. Select Security.

Android settings

  1. Tap Advanced > Encryption & Credentials.
  1. Tap Install a certificate > CA certificate.
  1. Tap Install Anyway.

Android install anyway

  1. Verify your identity through the fingerprint, or by inserting the pin code.

  2. Select the certificate you want to install.

Android choose cert

The root certificate is now installed and ready to be used.


  1. Download the Cloudflare certificate.

  2. Navigate to your ChromeOS Settings.

Chrome OS Settings cog

  1. Navigate to Apps and then click Google Play Store.

Click google play store in Apps section

  1. Click Manage Android preferences.

Click manage android preferences

  1. Click Security & location then click Credentials then click Install from SD card.
  1. In the file open dialog select the Cloudflare_CA.crt file downloaded in step #1 and click Open.

Choose the Cloudflare_CA.crt file to install

  1. Enter anything you want for the certificate name and click OK.

Name the certificate with anything

Adding to Applications

Some packages, development tools, and other applications provide options to trust root certificates that will allow for the traffic inspection features of Gateway to work without breaking the application.

All of the applications below first require downloading the Cloudflare certificate with the instructions above. On Mac, the default path is /Library/Keychains/System.keychain Cloudflare_CA.crt. On Windows, the default path is \Cert:\CurrentUser\Root.


If your organization is using Firefox, the browser may need additional configuration to recognize the Cloudflare certificate. There are several ways you can add your Cloudflare certificate to Firefox. For more detailed instructions, see this Mozilla support article.


Python on Windows

The command to install the certificate with Python on Windows automatically includes PIP and Certifi (the default certificate bundle for certificate validation).

  1. Run the following command to update the bundle to include the Cloudflare certificate:
gc .\Cloudflare_CA.crt | ac C:\Python37\Lib\site-packages\pip\_vendor\certifi\cacert.pem

Python on Mac

  1. Install the certifi package.

    pip install certifi
  2. Identify the CA store by running:

    python -m certifi
  3. This will output:

  4. Append the Cloudflare certificate to this CA Store by running:

    cat /Library/Keychains/System.keychain Cloudflare_CA.crt >> $(python -m certifi)
  5. If needed, configure system variables to point to this CA Store by running:

    export CERT_PATH=$(python -m certifi)


Git on Windows

  1. Open Powershell.

  2. Run the following command:

    git config -l
  3. This will output:

    http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
    filter.lfs.clean=git-lfs clean -- %f
    filter.lfs.smudge=git-lfs smudge -- %f
    filter.lfs.process=git-lfs filter-process
  4. The http.sslcainfo defines the CA Certificate store. Update this to append the Cloudflare certificate to the CA bundle by running this command:

    gc .\Cloudflare_CA.crt | ac $(git config --get http.sslcainfo)

Git on Mac

  1. Configure Git to trust the Cloudflare certificate with the following command.

    git config --global http.sslcainfo [PATH_TO_CLOUDFLARE_CERT]


The command below will set the cafile configuration to use the Cloudflare certificate. Make sure to use the certificate in the .pem file type.

npm config set cafile [PATH_TO_CLOUDFLARE_CERT]

Google Cloud SDK

The commands below will set the Google Cloud SDK to use the Cloudflare certificate. More information on configuring the Google Cloud SDK is available here.

curl -O
cat cacert.pem >> ca.pem
cat Cloudflare_CA.pem >> ca.pem
gcloud config set core/custom_ca_certs_file /Users/mgusev/ca.pem
gcloud config set core/custom_ca_certs_file [PATH_TO_CLOUDFLARE_CERT]


If you're using the AWS CLI, you need to set the AWS_CA_BUNDLE environment variable to use the Cloudflare root certificate. Commands are available for different operating systems in the instructions available here.

IntelliJ IDEA

Instructions on how to install the Cloudflare root certificate are available here