Client certificate variables
When a request includes a client certificate for mTLS authentication, Cloudflare exposes certificate details as variables in the Ruleset Engine and as properties on the Workers request.cf object.
Client certificate fields are available as mTLS fields in Ruleset Engine-based products such as WAF custom rules and request header modification rules.
These variables are also available as part of the request.cf.tlsClientAuth object via Cloudflare Workers. Refer to the linked Rules language field for the full definition.
- request.cf.tlsClientAuth.certRevoked: Indicates whether the mTLS client presented a valid but revoked client certificate. In Workers, this is a string ("1" for revoked, "0" for not revoked) rather than a boolean.
- request.cf.tlsClientAuth.certVerified: Indicates whether the mTLS client presented a valid client certificate. In Workers, this is a string ("SUCCESS" when valid, "NONE" when not present) rather than a boolean. On failure, the string contains the error reason (for example, "FAILED:unable to get local issuer certificate").
- request.cf.tlsClientAuth.certPresented: Indicates whether the mTLS client presented a certificate (valid or not). In Workers, this is a string ("1" when a certificate is presented, "0" otherwise) rather than a boolean.
- request.cf.tlsClientAuth.certIssuerDN: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client certificate.
- request.cf.tlsClientAuth.certSubjectDN: The Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate.
- request.cf.tlsClientAuth.certIssuerDNRFC2253: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client certificate, in RFC 2253 format.
- request.cf.tlsClientAuth.certSubjectDNRFC2253: The Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate, in RFC 2253 format.
- request.cf.tlsClientAuth.certIssuerDNLegacy: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client certificate, in a legacy format.
- request.cf.tlsClientAuth.certSubjectDNLegacy: The Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate, in a legacy format.
- request.cf.tlsClientAuth.certSerial: Serial number of the mTLS client certificate.
- request.cf.tlsClientAuth.certIssuerSerial: Serial number of the direct issuer of the mTLS client certificate.
- request.cf.tlsClientAuth.certFingerprintSHA256: The SHA-256 fingerprint of the mTLS client certificate.
- request.cf.tlsClientAuth.certFingerprintSHA1: The SHA-1 fingerprint of the mTLS client certificate.
- request.cf.tlsClientAuth.certNotBefore: The mTLS client certificate is not valid before this date.
- request.cf.tlsClientAuth.certNotAfter: The mTLS client certificate is not valid after this date.
- request.cf.tlsClientAuth.certSKI: The Subject Key Identifier (SKI) of the mTLS client certificate.
- request.cf.tlsClientAuth.certIssuerSKI: The Subject Key Identifier (SKI) of the direct issuer of the mTLS client certificate.
- request.cf.tlsClientAuth.certRFC9440: The client leaf certificate encoded in RFC 9440 format (DER, Base64-encoded, colon-wrapped).
- request.cf.tlsClientAuth.certRFC9440TooLarge: true if the leaf certificate exceeded the 10 KiB encoding limit and was omitted from certRFC9440.
- request.cf.tlsClientAuth.certChainRFC9440: The intermediate certificate chain in RFC 9440 format, as a comma-separated list.
- request.cf.tlsClientAuth.certChainRFC9440TooLarge: true if the intermediate chain exceeded the 16 KiB encoding limit and was omitted from certChainRFC9440.
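The following Worker-style code is an added example and is not Cloudflare's own code. It shows how a Worker would consume the fields above to make an authorization decision: the certPresented, certVerified and certRevoked values are compared as the documented strings (a JavaScript truthiness test would treat "0" as true), the certRFC9440 and certChainRFC9440 fields are parsed from their colon-wrapped Base64 form into DER bytes, and the TooLarge flags are honoured. The fingerprint allow list, the lowercase colon-free fingerprint normalization, the helper names (authorizeClientCert, parseRfc9440List, leafCertificateDer) and every sample value are assumptions constructed for the example.

```javascript
// Added example, not Cloudflare's code. Assumes a Workers runtime where
// request.cf.tlsClientAuth carries the string-typed fields documented above.

// Constructed allow list of client certificate SHA-256 fingerprints
// (hex, lowercase, no colons). Real deployments load these from config.
const SAMPLE_ALLOWED_FINGERPRINT = "0123456789abcdef".repeat(4);
const ALLOWED_FINGERPRINTS = new Set([SAMPLE_ALLOWED_FINGERPRINT]);

// Normalize a fingerprint for comparison. Assumption: upstream values may
// arrive with colons or uppercase hex, so both are stripped/lowered.
function normalizeFingerprint(fp) {
  return String(fp || "").replace(/:/g, "").toLowerCase();
}

// Decide whether the presented client certificate is acceptable.
// Returns { allowed, status, reason, subject } and never throws on missing fields.
function authorizeClientCert(tlsClientAuth, allowed = ALLOWED_FINGERPRINTS) {
  const auth = tlsClientAuth || {};
  // The flags are strings in Workers, so compare against the documented values.
  if (auth.certPresented !== "1") {
    return { allowed: false, status: 401, reason: "no client certificate presented" };
  }
  if (auth.certVerified !== "SUCCESS") {
    // On failure the field carries the error text itself, e.g.
    // "FAILED:unable to get local issuer certificate"; keep it for server-side logs.
    return { allowed: false, status: 403, reason: `certificate not verified (${auth.certVerified})` };
  }
  if (auth.certRevoked === "1") {
    return { allowed: false, status: 403, reason: "certificate revoked" };
  }
  const fp = normalizeFingerprint(auth.certFingerprintSHA256);
  if (!allowed.has(fp)) {
    return { allowed: false, status: 403, reason: "certificate not on allow list" };
  }
  return { allowed: true, status: 200, reason: "ok", subject: auth.certSubjectDNRFC2253 || null };
}

// Parse an RFC 9440 field: comma-separated items, each ":<base64 DER>:".
// Returns an array of Uint8Array DER blobs; malformed items raise an error.
function parseRfc9440List(value) {
  if (!value) return [];
  return value.split(",").map((item) => {
    const s = item.trim();
    if (!/^:[A-Za-z0-9+/=]+:$/.test(s)) {
      throw new Error("malformed RFC 9440 certificate field");
    }
    const binary = atob(s.slice(1, -1));
    return Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  });
}

// The leaf certificate, or null when Cloudflare omitted it because it exceeded
// the 10 KiB limit (certRFC9440TooLarge) or no certificate was presented.
function leafCertificateDer(tlsClientAuth) {
  const auth = tlsClientAuth || {};
  if (auth.certRFC9440TooLarge === true || !auth.certRFC9440) return null;
  return parseRfc9440List(auth.certRFC9440)[0] || null;
}

// Worker entry point. In a real Worker this object is `export default`-ed.
const worker = {
  async fetch(request) {
    const auth = request.cf && request.cf.tlsClientAuth;
    const decision = authorizeClientCert(auth);
    if (!decision.allowed) {
      // Log the detailed reason server-side; the client only sees the status.
      console.log(`mTLS rejected: ${decision.reason}`);
      return new Response("Forbidden", { status: decision.status });
    }
    const leaf = leafCertificateDer(auth);
    const body = `hello ${decision.subject}; leaf DER bytes: ${leaf ? leaf.length : "omitted"}`;
    return new Response(body, { status: 200 });
  },
};
```

authorizeClientCert deliberately returns a structured decision instead of throwing, so the same function can drive both the HTTP status and the log line, and so a missing request.cf.tlsClientAuth (for example on a hostname where mTLS is not enabled) degrades to a 401 rather than an exception.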