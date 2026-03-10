Certificates
Use these commands to manage certificates for mTLS connections.
The
mtls-certificate commands manage client certificates for Worker subrequests. The
cert commands manage both mTLS client certificates and Certificate Authority (CA) chain certificates, primarily for use with Hyperdrive configurations.
Manage client certificates used for mTLS connections in subrequests.
These certificates can be used in
mtls_certificate bindings, which allow a Worker to present the certificate when establishing a connection with an origin that requires client authentication (mTLS).
Upload an mTLS certificate
-
--certstring required
The path to a certificate file (.pem) containing a chain of certificates to upload
-
--keystring required
The path to a file containing the private key for your leaf certificate
-
--namestring
The name for the certificate
Global flags
-
--vboolean alias: --version
Show version number
-
--cwdstring
Run as if Wrangler was started in the specified directory instead of the current working directory
-
--configstring alias: --c
Path to Wrangler configuration file
-
--envstring alias: --e
Environment to use for operations, and for selecting .env and .dev.vars files
-
--env-filestring
Path to an .env file to load - can be specified multiple times - values from earlier files are overridden by values in later files
-
--experimental-provisionboolean aliases: --x-provision default: true
Experimental: Enable automatic resource provisioning
-
--experimental-auto-createboolean alias: --x-auto-create default: true
Automatically provision draft bindings with new resources
The following is an example of using the
upload command to upload an mTLS certificate.
You can then add this certificate as a binding in your Wrangler configuration file:
Note that the certificate and private keys must be in separate (typically
.pem) files when uploading.
List uploaded mTLS certificates
The following is an example of using the
list command to upload an mTLS certificate.
Delete an mTLS certificate
-
--idstring
The id of the mTLS certificate to delete
-
--namestring
The name of the mTLS certificate record to delete
The following is an example of using the
delete command to delete an mTLS certificate.
Manage mTLS client certificates and Certificate Authority (CA) chain certificates used for secured connections.
These certificates can be used in Hyperdrive configurations, enabling them to present the certificate when connecting to an origin database that requires client authentication (mTLS) or a custom Certificate Authority (CA).
Upload an mTLS certificate
-
--certstring required
The path to a certificate file (.pem) containing a chain of certificates to upload
-
--keystring required
The path to a file containing the private key for your leaf certificate
-
--namestring
The name for the certificate
The following is an example of using the
upload command to upload an mTLS certificate.
Note that the certificate and private keys must be in separate (typically
.pem) files when uploading.
Upload a CA certificate chain
-
--namestring
The name for the certificate
-
--ca-certstring required
The path to a certificate file (.pem) containing a chain of CA certificates to upload
The following is an example of using the
upload command to upload an CA certificate.
List uploaded mTLS certificates
The following is an example of using the
list command to upload an mTLS or CA certificate.
Delete an mTLS certificate
-
--idstring
The id of the mTLS certificate to delete
-
--namestring
The name of the mTLS certificate record to delete
The following is an example of using the
delete command to delete an mTLS or CA certificate.