Cloudflare Docs
Ssl
SSL
Visit SSL on GitHub
Set theme to dark (⇧+D)

Set up authenticated origin pulls

Set up authenticated origin pulls via one of the following options:

Authenticated Origin Pull does not work when your SSL/TLS encryption mode is set to Off or Flexible.


Zone-Level — Cloudflare certificate

Certificate value

Cloudflare uses a specific CA to sign certificates for the Authenticated Origin Pull service.

If you need the value for that CA, download the .PEM file .

Setup instructions

To enable Authenticated Origin Pull globally on a zone:

  1. Install the above certificate at the origin web server to authenticate all connections.

  2. For your SSL/TLS encryption mode, select Full.

  3. Configure your origin web server to accept client certificates:

    Apache example

    For this example, you would have saved the certificate /path/to/origin-pull-ca.pem.

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /path/to/origin-pull-ca.pem
    NGINX example

    For this example, you would have saved the certificate to /etc/nginx/certs/cloudflare.crt.

    ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
    ssl_verify_client on;
  4. Enable Authenticated Origin Pulls:


Zone-Level — customer certificates

  1. For your SSL/TLS encryption mode, select Full.

  2. Upload a custom certificate following these instructions , but use the origin_tls_client_auth endpoint.

  3. Enable Authenticated Origin Pulls:


Per-Hostname — customer certificates

When enabling Authenticated Origin Pull per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. Customers can use client certificates from their Private PKI to authenticate connections from Cloudflare.

  1. Upload a custom certificate following these instructions , but use the /origin_tls_client_auth/hostnames/certificates endpoint.
  1. On a specific hostname, enable Authenticated Origin Pull.

Replace a client cert (without downtime)

For hostname:

  1. Upload the new certificate.

  2. Enable Authenticated Origin Pull for that specific hostname.

For global:

  1. Upload the new certificate.

  2. Check whether new certificate is Active.

  3. Once certificate is active, then delete the old certificate.


To apply a different client certificate simultaneously at both the zone and hostname level

  1. Upload a certificate following steps in Zone-Level Authenticated Origin Pull

  2. Upload multiple certificates following the steps in Per-Hostname Authenticated Origin Pull

Delete a certificate

Client certificates are not deleted from Cloudflare upon expiration unless a delete or replace request is sent to the Cloudflare API.

However, requests are dropped at your origin if your origin only accepts a valid client certificate.