Per-hostname authenticated origin pulls
When you enable Authenticated Origin Pulls per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. Customers can use client certificates from their Private PKI to authenticate connections from Cloudflare.
1. Upload custom certificate
In the API response, save the certificate
id since it is required for the next step.
2. Enable Authenticated Origin Pulls (globally)
Then, enable the Authenticated Origin Pulls feature as an option for your Cloudflare zone.
This step sets the TLS Client Auth to require Cloudflare to use a client certificate when connecting to your origin server.
To enable Authenticated Origin Pulls in the dashboard: