Use Cloudflare public key infrastructure (PKI) to create client certificates. Use these certificates with Cloudflare API Shield™ or Cloudflare Workers to enforce mutual Transport Layer Security (mTLS) encryption.

Since Cloudflare validates client certificates with one CA, set at account level, these certificates can be used for validation across multiple zones, as long as the zones are under the same account and mTLS has been enabled for the requested hosts. This means that (a) if you bring your own CA, you can associate it with hosts in different zones and (b) if you use Cloudflare Managed CA, this is the default behavior.
To use API Shield to protect your API or web application, you must do the following:

1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.
2. Configure your mobile app or IoT device to use your Cloudflare-issued client certificate.
3. Enable mTLS for the hosts you wish to protect with API Shield.
4. Create WAF custom rules that require API requests to present a valid client certificate.
By default, API Shield mTLS uses client certificates issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each account.
If you need to use certificates issued by another CA, you can use the API to bring your own CA for API Shield mTLS.
To authenticate Workers requests using mTLS:

1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.
2. Create and use an mTLS binding to authenticate Workers connections.
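The following Worker is an added example, not code from this page or from Cloudflare. It ties together the two procedures above: on the inbound side it enforces the same condition the API Shield WAF custom rule enforces (a client certificate that chained to the account's mTLS CA), and on the outbound side it reaches the origin through an mTLS binding. The fields under request.cf.tlsClientAuth and the Fetcher-style env.MY_CERT.fetch() call are Cloudflare's documented Workers APIs; the binding name MY_CERT, the certificate ID, and the hostnames are placeholders.

```javascript
// Added example (not Cloudflare's own code). Assumed wrangler.toml fragment
// that creates the mTLS binding; binding name and certificate ID are placeholders:
//
//   mtls_certificates = [
//     { binding = "MY_CERT", certificate_id = "<CERTIFICATE_ID>" }
//   ]
//
// The WAF custom rule from step 4 of the API Shield procedure blocks requests
// whose client certificate did not verify; an equivalent expression, with a
// placeholder hostname, is:
//
//   (http.host eq "api.example.com" and not cf.tls_client_auth.cert_verified)

// Origin the Worker forwards verified requests to (placeholder).
const ORIGIN = "https://origin.example.com";

// True only when the edge reports that the client presented a certificate and
// it chained to the account's mTLS CA. request.cf.tlsClientAuth carries
// certPresented ("1" or "0") and certVerified ("SUCCESS", "FAILED:<reason>" or "NONE").
function isClientCertVerified(cf) {
  const auth = cf && cf.tlsClientAuth;
  // No tlsClientAuth block: mTLS is not enabled for this host, so treat as unverified.
  if (!auth) return false;
  return auth.certPresented === "1" && auth.certVerified === "SUCCESS";
}

// Summary of the presented certificate for audit logging: subject, serial, verdict.
function describeClientCert(cf) {
  const auth = (cf && cf.tlsClientAuth) || {};
  return {
    subject: auth.certSubjectDN || null,
    serial: auth.certSerial || null,
    verified: auth.certVerified || "NONE",
  };
}

const worker = {
  async fetch(request, env) {
    // Defense in depth: reject here as well, so a misconfigured or deleted WAF
    // rule does not silently expose the origin.
    if (!isClientCertVerified(request.cf)) {
      console.log("rejected", JSON.stringify(describeClientCert(request.cf)));
      return new Response("client certificate required", {
        status: 403,
        headers: { "content-type": "text/plain" },
      });
    }

    // Forward to the origin over mTLS. env.MY_CERT.fetch() takes the same
    // arguments as fetch() but presents the bound client certificate.
    const url = new URL(request.url);
    const originRequest = new Request(ORIGIN + url.pathname + url.search, request);
    return env.MY_CERT.fetch(originRequest);
  },
};

// In a deployed Worker this object is the module's default export:
// export default worker;
```

The inbound check is deliberately strict: a missing tlsClientAuth block is treated as a failure rather than "mTLS not applicable", so the Worker fails closed if it is ever routed to a host where mTLS was never enabled.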