Skip to content
Visit SSL on GitHub
Set theme to dark (⇧+D)


If your query returns an error even after configuring and embedding a client SSL certificate, check the following settings.

SSL/TLS handshake

On your terminal, use the following command to check whether an SSL/TLS connection can be established successfully between the client and the API endpoint.

curl -v --cert /path/to/certificate.pem --key /path/to/key.pem

If the SSL/TLS handshake cannot be completed, check whether the certificate and the private key are correct.

mTLS host enablement

On your dashboard, click SSL/TLS > Client Certificates. Check whether mTLS has been enabled for the correct host. The host should match the API endpoint that you want to protect. For example, if your API endpoint is, then you should add under “Hosts”. Client Certificates host enablement

mTLS rules

To review mTLS rules:

  1. Click Firewall > Firewall Rules.
  2. On a specific rule, click Edit.
  3. On that rule, check whether:
    • The Expression Preview is correct
    • The hostname matches your API endpoint. For example, for the API endpoint, the rule should look like:
      ( in {""} and not cf.tls_client_auth.cert_verified)
  4. To edit the rule, either use the user interface or click Edit expression.