Client authentication with mTLS
When using HTTPS, a server presents a certificate for the client to authenticate in order to prove their identity. For even tighter security, some services require that the client also present a certificate.
This process - known as mTLS - moves authentication to the protocol of TLS, rather than managing it in application code. Connections from unauthorized clients are rejected during the TLS handshake instead.
To present a client certificate when communicating with a service, create a mTLS certificate binding in your Worker project’s wrangler.toml file. This will allow your Worker to present a client certificate to a service on your behalf.
First, upload a certificate and its private key to your account using the wrangler mtls-certificate command:
$ npx wrangler mtls-certificate upload --cert cert.pem --key key.pem --name my-client-cert
Then, update your Worker project’s wrangler.toml file to create an mTLS certificate binding:
wrangler.tomlmtls_certificates = [ { binding = "MY_CERT", certificate_id = "<CERTIFICATE_ID>" }
]
Adding an mTLS certificate binding includes a variable in the Worker’s environment on which the fetch() method is available. This fetch() method uses the standard Fetch API and has the exact same signature as the global fetch, but always presents the client certificate when establishing the TLS connection.
Interface
export default { async fetch(request, environment) { return await environment.MY_CERT.fetch("https://a-secured-origin.com") }
}
interface Env { MY_CERT: Fetcher;
}
export default { async fetch(request: Request, environment: Env) { return await environment.MY_CERT.fetch("https://a-secured-origin.com") }
}