mTLS related features
To make it easier to differentiate between Client Certificates, you can generate your own private key and CSR, and enter information that will be incorporated into your certificate request, essentially labeling your Client Certificates.
In cases of noticing excessive traffic, anomalous traffic (strange sequences of requests), or generally too many attack attempts registered from specific devices using your Client Certificates, it is best to revoke those.
Additionally, ensure to have a WAF Custom Rule in place to block revoked Client Certificates. Review the available cf.tls_* dynamic fields.
Example WAF Custom Rule with action block:
(cf.tls_client_auth.cert_revoked)A better approach may be to check for unverified or revoked client certificates:
(not cf.tls_client_auth.cert_verified) or cf.tls_client_auth.cert_revokedGenerally, ensure client certificates are rotated regularly and safely to reduce the risk of compromise.
There are multiple ways to forward a client certificate to your origin server.
If you already have mTLS implemented, client certificates are already installed on devices, and therefore you would like to use your own Certificate Authority (CA), this is possible by bringing your own CA for mTLS.
Here you can use the Replace Hostname Associations API endpoint to enable mTLS in each hostname that should use the CA for mTLS validation, essentially associating your CAs specific with hostnames.
There are different ways to safely and securely deploy Client Certificates across devices.
Some of the most used methods are embedding the Client Certificate into an application and allowing user devices to download and install that app, or use mobile device management (MDM) to distribute certificates across devices, or to allow user devices to directly download and install the Client Certificate into a device's Certificate Store.
Issuing a certificate is an important step, so if possible, perform thorough client verification.
In complex microservices environments, you can leverage Service Mesh to automate and enforce mTLS at scale. For example, Cloudflare services can handle external traffic security, while Service Mesh technologies enforce mTLS for east-west traffic within your network. This ensures that external traffic is secured by Cloudflare, while internal microservice communication is protected using mTLS via the Service Mesh.
It is generally recommended to customize the cipher suites of your Cloudflare Edge Certificates. This only applies to the Edge Certificates, not Client Certificates.
The recommended TLS versions for mTLS are:
- TLS 1.2: still broadly compatible and secure.
- TLS 1.3: preferred for new implementations due to its enhanced security and efficiency.
Using outdated versions like TLS 1.0 or 1.1 is not recommended due to known vulnerabilities.
Browsers connecting to a domain with a wildcard Edge Certificate in place, connecting to the same domain's mTLS subdomain could cause a non-authentication event, due to TLS Session Resumption, or also called Connection Resumption.
It is generally not recommended to use wildcard certificates.
Review the troubleshooting documentation for more info.
If you need to use Client Certificates after the TLS handshake via renegotiation, you will need to use a prior TLS version than 1.3. This is because TLS 1.3 does not support renegotiation.
For example, if you are using mTLS and you are restricting requests to certain folders, based on a URL path in the request, rather than all content on your origin server, a TLS renegotiation may be triggered. Connections using TLS 1.3 do not support renegotiation.
Customers create Client Certificates and select the option to use my private key and CSR. The customer provides the CSR supplied by end-customers to generate the client certificates shared with end-customers. However, if your end-customers request the Certificate Chain, this can potentially be shared by the Cloudflare account team.
Contact your account team for more information.
In order to effectively implement mTLS with Cloudflare, it is strongly recommended to properly configure the Cloudflare WAF. Review the available cf.tls_* dynamic fields.
Example WAF Custom Rule with action block:
(http.host in {"mtls.example.com" "mtls2.example.com"} and (not cf.tls_client_auth.cert_verified or cf.tls_client_auth.cert_revoked))This expression will check if the request is coming from one of the hostnames and will block the request if the Client Certificate is either not verified or revoked.
Another example WAF Custom Rule with action block, using the cf.tls_client_auth.cert_fingerprint_sha256 field, for a specific Client Certificate (replace ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT):
(http.request.uri.path in {"/headers"} and http.host in {"mtls.example.com" "mtls2.example.com"} and not cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_fingerprint_sha256 ne "ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT")Here is another example of a WAF custom rule to associate a serial number with a hostname:
(http.host in {"mtls.example.com" "mtls2.example.com"} and cf.tls_client_auth.cert_serial ne "ADD_STRING_OF_CLIENT_CERT_SERIAL")This expression will check for a specific Client Certificate serial number linked to specific hostnames, allowing for more granular control.
By enabling forwarding a certificate via the Cloudflare API, the first request of an mTLS connection will include the following headers:
Cf-Client-Cert-Der-Base64(raw certificate in DER format, encoded as base64)Cf-Client-Cert-Sha256(SHA256 fingerprint of the certificate)
The header Cf-Client-Cert-Sha256 can be used within the Rate Limiting characteristics "Header value of".
Example Rate Limiting Rule:
(http.host in {"mtls.example.com" "mtls2.example.com"} and cf.tls_client_auth.cert_verified)
With the same characteristics..."Header value of": "Cf-Client-Cert-Sha256"In addition to mTLS, customers can purchase API Shield features, such as API Discovery, API Routing, Volumetric Abuse Detection, Sequence Mitigation, JWT Validation, Schema Validation, and more.
Cloudflare Workers can provide details around the Client Certificate, such as returning information via headers to the client or to the origin server. Learn more in the mTLS with Workers section below.