Create a client certificate

Use Cloudflare's public key infrastructure (PKI) to create client certificates issued from a Cloudflare-managed CA. You can then complete your mTLS configuration, as explained in How mTLS works.

To create a client certificate on the Cloudflare dashboard:

  1. Go to the Client Certificates page.

  2. Select Add Certificate. The Cloudflare-managed CA is the default Certificate Authority.

  3. Fill in the required fields. You can choose one of the following options:

  • Generate a private key and Certificate Signing Request (CSR) with Cloudflare.

  • Use your own private key and CSR. This option allows you to also label client certificates.

    Example OpenSSL command

    To generate and use your own CSR, you can run a command like the following:

    openssl req -new -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr -subj '/C=GB/ST=London/L=London/O=Organization/CN=CommonName'
  4. Select a value for Certificate Validity, and choose Continue.

  5. Make sure to copy the certificate and private key as they will no longer be displayed after creation.

  6. (Optional) Specify hostnames where you wish to enable mTLS.

    When associating hostnames via this form, they should be in fully qualified domain name (FQDN) format and correspond to a hostname that exists in the zone you are in. For example, if you are in zone example.com, you can specify host.example.com but not host.example.net.

  7. Select Save to confirm.
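
A pre-upload check for the "use your own private key and CSR" option, added here as an example and not part of Cloudflare's documentation: it creates the key with owner-only permissions, then confirms the CSR's self-signature and that its public key matches the key file you keep. The function names are hypothetical; the file names and subject come from the sample command above.

```shell
#!/bin/sh
# Added example (not Cloudflare's code). Function names are hypothetical.

# make_csr NAME SUBJECT: writes NAME.key and NAME.csr using the page's
# openssl options. umask 077 keeps the unencrypted key owner-readable only.
make_csr() {
    name=$1 subj=$2
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$name.key" -out "$name.csr" -subj "$subj" 2>/dev/null
    )
}

# SHA-256 of the DER-encoded public key held in a private key file.
key_pub_hash() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER-encoded public key embedded in a CSR.
csr_pub_hash() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the subject that will be submitted for signing.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# csr_matches_key KEY CSR: succeeds only if the key parses, the CSR's
# self-signature verifies, and both carry the same public key.
csr_matches_key() {
    key=$1 csr=$2
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || return 1
    # Match on the message text: older OpenSSL releases exit 0 even when
    # the CSR signature check fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    [ "$(key_pub_hash "$key")" = "$(csr_pub_hash "$csr")" ]
}

# Usage:
#   make_csr client1 '/C=GB/ST=London/L=London/O=Organization/CN=CommonName'
#   csr_matches_key client1.key client1.csr && csr_subject client1.csr
```

Only the `.csr` file is pasted into the dashboard form; the `.key` file stays on the client.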

Next steps

After creating the client certificate, make sure it is installed on the client devices and enable mTLS for each hostname that should require a certificate from clients.

Refer to our mTLS at Cloudflare learning path for further context.