Bring your own CA for mTLS

This page explains how to manage client certificates that were not issued by the Cloudflare CA. For a broader overview, refer to the mTLS at Cloudflare learning path.

Bring your own CA (BYOCA) is especially useful if you already have mTLS implemented and client certificates are already installed on devices.

Availability

  • This feature is only available on Enterprise accounts.
  • Each Enterprise account can upload up to five CAs. This quota does not apply to CAs uploaded through Cloudflare Access.

CA certificate requirements

When you upload your CA, Cloudflare validates the certificate against the following requirements.

  • The CA certificate can be from a publicly trusted CA or self-signed.

  • In the certificate Basic Constraints, the attribute CA must be set to TRUE.

  • The certificate must use one of the signature algorithms listed below.

    Allowed signature algorithms:
    x509.SHA1WithRSA
    x509.SHA256WithRSA
    x509.SHA384WithRSA
    x509.SHA512WithRSA
    x509.ECDSAWithSHA1
    x509.ECDSAWithSHA256
    x509.ECDSAWithSHA384
    x509.ECDSAWithSHA512
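A pre-upload check for these requirements, written here as an added example and not Cloudflare's own code: Go is used because its crypto/x509 package is where the algorithm names listed above come from. CheckBYOCA parses a PEM certificate and rejects it unless the PEM block is a CERTIFICATE, Basic Constraints carries CA=TRUE, and the signature algorithm is on the allowed list; selfSignedPEM generates a constructed, throwaway ECDSA certificate so the check runs offline against both a CA root and a plain leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

var allowedSigAlgs = map[x509.SignatureAlgorithm]bool{ // the list from the requirements above
	x509.SHA1WithRSA: true, x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.ECDSAWithSHA1: true, x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckBYOCA returns nil if a PEM-encoded certificate meets the documented upload requirements.
func CheckBYOCA(pemData []byte) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("input is not a PEM-encoded CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA { // extension must be present and CA=TRUE
		return fmt.Errorf("Basic Constraints CA is not TRUE")
	}
	if !allowedSigAlgs[cert.SignatureAlgorithm] {
		return fmt.Errorf("signature algorithm %s is not allowed", cert.SignatureAlgorithm)
	}
	return nil
}

// selfSignedPEM builds a constructed ECDSA P-256/SHA-256 certificate (CA root or plain leaf) for offline use.
func selfSignedPEM(isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-byoca-root"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: isCA, IsCA: isCA}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println("CA root:", CheckBYOCA(selfSignedPEM(true)), "| leaf:", CheckBYOCA(selfSignedPEM(false)))
}
```

Although the SHA-1 algorithms are accepted for upload, Go's own chain verification has rejected SHA-1 signatures by default since Go 1.18, so a SHA-1-signed CA that passes this check is still worth reissuing.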

Set up mTLS with your CA

  1. In the Cloudflare dashboard, go to the Client Certificates page.

  2. Select Add Certificate.

  3. In the Certificate Authority dropdown, select Bring your own CA.

  4. Upload your CA certificate file (PEM encoded) and enter a name for the CA.

  5. Select Continue.

  6. On the Associate Hostnames page, enter each hostname that should use this CA for mTLS validation and select Add after each one. You can also skip this step and associate hostnames later.

  7. Select Save to confirm.

After uploading the CA and associating hostnames, create a custom rule that enforces client certificate validation, either in the dashboard or via the API. For example, the following rule blocks requests to the listed hostnames whose client certificate was not verified:

"expression": "(http.host in {\"<HOSTNAME_1>\" \"<HOSTNAME_2>\"} and not cf.tls_client_auth.cert_verified)",
"action": "block"

Multiple CAs for one hostname

Multiple CAs (Cloudflare-managed or BYOCA) can be associated with the same hostname. Among BYOCA certificates, the most recently deployed one takes priority.

If you wish to remove the association from the Cloudflare-managed certificate and only use your BYOCA certificate(s):

  1. In the Cloudflare dashboard, go to the Client Certificates page.

  2. In the Hosts section under Cloudflare-issued Client Certificates, select Edit.

  3. Select the cross next to the hostname you want to remove.

  4. Select Save to confirm.

Delete an uploaded CA

If you want to remove a CA that you have previously uploaded, you must first remove any hostname associations that it has.

  1. In the Cloudflare dashboard, go to the Client Certificates page.

  2. Select the BYOCA tab.

  3. Find the CA you want to delete and select the three dots next to it.

  4. Remove all associated hostnames first, if any exist.

  5. Select the delete option and confirm.

List CA hostname associations

  1. In the Cloudflare dashboard, go to the Client Certificates page.

  2. Select the BYOCA tab.

  3. Find the CA you want to inspect and select the three dots next to it.

  4. Select Edit hostnames. The Certificate Details panel displays the associated hostnames.