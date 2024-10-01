mTLS for Workers can be used for requests made to services that are not proxied on Cloudflare, or alternatively used to gain visibility into certificate details and optionally add your own programmatic logic for further checks or actions.
All Client Certificate details can be found in the
tlsClientAuth object in Cloudflare Workers.
Example Cloudflare Workers code to return all headers and gain visibility, including
Client Certificate headers:
addEventListener ( 'fetch' , event => { const { tlsClientAuth = {} } = request . cf || {}; 'X-CERT-ISSUER-DN' : tlsClientAuth . certIssuerDN , 'X-CERT-SUBJECT-DN' : tlsClientAuth . certSubjectDN , 'X-CERT-ISSUER-DN-L' : tlsClientAuth . certIssuerDNLegacy , 'X-CERT-SUBJECT-DN-L' : tlsClientAuth . certSubjectDNLegacy , 'X-CERT-SERIAL' : tlsClientAuth . certSerial , 'X-CERT-FINGER' : tlsClientAuth . certFingerprintSHA1 , 'X-CERT-VERIFY' : tlsClientAuth . certVerify , 'X-CERT-NOTBE' : tlsClientAuth . certNotBefore , 'X-CERT-NOTAF' : tlsClientAuth . certNotAfter const headers = Object . fromEntries ( request . headers ) ; return new Response ( JSON . stringify ( { ... headers , ... tlsHeaders }, null , 2 ) , { headers : { 'Content-Type' : 'application/json' }
The response when using the browser with a P12 Certificate to visit the mTLS hostname would look similar to this example:
"X-CERT-ISSUER-DN": "CN=Managed CA abcdefghijklmnopq123456789,OU=www.cloudflare.com,O=Cloudflare\\, Inc.,L=San Francisco,ST=California,C=US", "X-CERT-SUBJECT-DN": "CN=Cloudflare,C=US", "X-CERT-ISSUER-DN-L": "/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./OU=www.cloudflare.com/CN=Managed CA abcdefghijklmnopq123456789", "X-CERT-SUBJECT-DN-L": "/C=US/CN=Cloudflare", "X-CERT-SERIAL": "37C52778E2F1820CC6342172A0E0ED33A4555F8B", "X-CERT-FINGER": "161e3a2089add0b2134ec43c9071f460e9f4b898", "X-CERT-NOTBE": "May 25 23:11:00 2024 GMT", "X-CERT-NOTAF": "May 23 23:11:00 2034 GMT"
This approach can also be useful to handle additional checks and logic on the mTLS via the Cloudflare Workers.
