Bring your own CA for mTLS
This page explains how you can manage mTLS using client certificates that have not been issued by Cloudflare CA.
This is especially useful if you already have mTLS implemented and client certificates are already installed on devices.
- Currently, you can only manage your uploaded CA via API, and the hostname associations are not reflected on the dashboard ↗.
- This process is only available on Enterprise accounts.
- Each Enterprise account can upload up to five CAs. This quota does not apply to CAs uploaded through Cloudflare Access.
- The CA certificate can be from a publicly trusted CA or self-signed.
- In the certificate
Basic Constraints
, the attributeCA
must be set toTRUE
. - The certificate must use one of the signature algorithms listed below:
Allowed signature algorithms
x509.SHA1WithRSA
x509.SHA256WithRSA
x509.SHA384WithRSA
x509.SHA512WithRSA
x509.ECDSAWithSHA1
x509.ECDSAWithSHA256
x509.ECDSAWithSHA384
x509.ECDSAWithSHA512
- Use the Upload mTLS certificate endpoint to upload the CA root certificate.
-
ca
boolean required- Set to
true
to indicate that the certificate is a CA certificate.
- Set to
-
certificates
string required- Insert content from the
.pem
file associated with the CA certificate, formatted as a single string with\n
replacing the line breaks.
- Insert content from the
-
name
string optional- Indicate a unique name for your CA certificate.
- Take note of the certificate ID (
id
) that is returned in the API response. - Use the Replace Hostname Associations endpoint to enable mTLS in each hostname that should use the CA for mTLS validation. Use the following parameters:
-
hostnames
array required-
List the hostnames that will be using the CA for client certificate validation.
-
-
mtls_certificate_id
string required-
Indicate the certificate ID obtained from the previous step.
-
-
(Optional) Since this process is API-only, and hostnames that use your uploaded CA certificate are not listed on the dashboard, you can make a GET request to confirm the CA hostname associations.
-
Create a custom rule to enforce client certificate validation. You can do this via the dashboard or via API.
If you want to remove a CA that you have previously uploaded, you must first remove any hostname associations that it has.
- Make a request to the Replace Hostname Associations endpoint, with an empty array for
hostnames
and specifying your CA certificate ID inmtls_certificate_id
:
- Use the Delete mTLS certificate endpoint to delete the certificate.
You can also use the API to list the hostname associations. Make sure you include the query parameter mtls_certificate_id
, where mtls_certificate_id
is the certificate ID of the uploaded CA (step 2 above).