The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors.

Install certificate manually

If your device does not support certificate installation via WARP, you can manually install a Cloudflare certificate. You must add the certificate to both the system keychain and to individual application stores. These steps must be performed on each new device that is to be subject to HTTP filtering.

Download the Cloudflare root certificate

First, generate and download a Cloudflare certificate. The certificate is available in both .pem and .crt file format. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case.

  1. In Zero Trust, go to Settings > Resources.
  2. In Certificates, select Manage.
  3. Select the certificate you want to download.
  4. Depending on which format you want, choose Download .pem and/or Download .crt.

Verify the downloaded certificate

To verify your download, use a terminal to check that the downloaded certificate’s hash matches the thumbprint listed under Certificate thumbprint. For example:

SHA1

SHA1 .crt example
openssl x509 -noout -fingerprint -sha1 -inform der -in <certificate.crt>
SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
SHA1 .pem example
openssl x509 -noout -fingerprint -sha1 -inform pem -in <certificate.pem>
SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C

SHA256

SHA256 .crt example
openssl x509 -noout -fingerprint -sha256 -inform der -in <certificate.crt>
sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
SHA256 .pem example
openssl x509 -noout -fingerprint -sha256 -inform pem -in <certificate.pem>
sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF

Add the certificate to operating systems

macOS

In macOS, you can choose the keychain in which you want to install the certificate. Each keychain impacts which users will be affected by trusting the root certificate.

Keychain       Access scope
login          The logged in user
Local Items    Users with access to cached iCloud passwords
System         All users on the system

To install a Cloudflare certificate in macOS, you can use either the Keychain Access application or a terminal. Both methods require you to download a certificate in .crt format.

  1. Download a Cloudflare certificate.
  2. Open the .crt file in Keychain Access. If prompted, enter your local password.
  3. In Keychain, choose the access option that suits your needs and select Add.
  4. In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select Get Info.
  5. Select Trust. Under When using this certificate, select Always Trust.

The root certificate is now installed and ready to be used.

Windows

Windows offers two locations to install the certificate, each impacting which users will be affected by trusting the root certificate.

Store location         Access scope
Current User Store     The logged in user
Local Machine Store    All users on the system

  1. Download a Cloudflare certificate.
  2. Right-click the certificate file.
  3. Select Open. If a security warning appears, choose Open to proceed.
  4. The Certificate window will appear. Select Install Certificate.
  5. Now choose a Store Location. If a security warning appears, choose Yes to proceed.
  6. On the next screen, select Browse.
  7. In the list, choose the Trusted Root Certification Authorities store.
  8. Select OK, then select Finish.

The root certificate is now installed and ready to be used.

Linux

The location where the root certificate should be installed is different depending on your Linux distribution. Follow the specific instructions for your distribution.

Debian-based distributions

The following procedure applies to Debian-based systems, such as Debian, Ubuntu, and Kali Linux.

  1. Download a Cloudflare certificate in .pem format.

  2. Install the ca-certificates package.

    Terminal window
    sudo apt-get install ca-certificates
  3. Copy the certificate to the system, changing the file extension to .crt.

    Terminal window
    sudo cp certificate.pem /usr/share/ca-certificates/certificate.crt
  4. Import the certificate.

    Terminal window
    sudo dpkg-reconfigure ca-certificates

Red Hat-based distributions

The following procedure applies to Red Hat-based systems, such as CentOS and Red Hat Enterprise Linux (RHEL).

  1. Download a Cloudflare certificate in both .crt and .pem format.

  2. Install the ca-certificates package.

    Terminal window
    sudo dnf install ca-certificates
  3. Copy both certificates to the trust store.

    Terminal window
    sudo cp certificate.crt certificate.pem /etc/pki/ca-trust/source/anchors
  4. Import the certificate.

    Terminal window
    sudo update-ca-trust

NixOS

NixOS does not use the system certificate store for self updating and instead relies on the certificates found in ~/.nix-profile/etc/ssl/certs or provided by NIX_SSL_CERT_FILE at runtime.

iOS

  1. In Safari, download a Cloudflare certificate in .pem format.
  2. Open Files and go to Recents.
  3. Find and open the downloaded certificate file. A message will appear confirming the profile was downloaded. Select Close.
  4. Open Settings. Select the Profile Downloaded section beneath your Apple Account info. Alternatively, go to General > VPN & Device Management and select the Gateway CA - Cloudflare Managed G1 profile.
  5. Select Install. If the iOS device is passcode-protected, you will be prompted to enter the passcode.
  6. A certificate warning will appear. Select Install. If a second prompt appears, select Install again.
  7. The Profile Installed screen will appear. Select Done. The certificate is now installed. However, before it can be used, it must be trusted by the device.
  8. In Settings, go to General > About > Certificate Trust Settings. The installed root certificates will be displayed under Enable full trust for root certificates.
  9. Turn on the Cloudflare certificate.
  10. A security warning message will appear. Choose Continue.

The root certificate is now installed and ready to be used.

Android

  1. Download a Cloudflare certificate.
  2. In Settings, go to Security > Advanced > Encryption & credentials > Install a certificate.
  3. Select CA certificate.
  4. Select Install anyway.
  5. Verify your identity.
  6. Choose the certificate file you want to install.

The root certificate is now installed and ready to be used.

ChromeOS

ChromeOS devices use different methods to store and deploy root certificates. Certificates may fall under the VPN and apps or CA certificate settings. Follow the procedure that corresponds with your device.

  1. Download a Cloudflare certificate in .crt format.

  2. Go to Settings > Apps > Google Play Store.

  3. Select Manage Android preferences.

  4. Go to Security & location > Credentials > Install from SD card.

  5. In the file open dialog, choose the certificate.crt file you downloaded. Select Open.
  6. Enter a name to identify the certificate. Ensure Credential use is set to VPN and apps.
  7. Select OK.

After adding the Cloudflare certificate to ChromeOS, you may also have to install the certificate in your browser.

Add the certificate to applications

Some packages, development tools, and other applications provide options to trust root certificates that will allow for the traffic inspection features of Gateway to work without breaking the application.

All of the applications below first require downloading a Cloudflare certificate with the instructions above. On macOS, the default path to the system keychain database file is /Library/Keychains/System.keychain. On Windows, the default path is \Cert:\CurrentUser\Root.

Browsers

Chrome

Versions of Chrome before Chrome 113 use the operating system root store on macOS and Windows. Chrome 113 and newer on macOS and Windows — and all versions on Linux and ChromeOS — use the Chrome internal trust store.

To install a Cloudflare certificate to Chrome manually:

  1. Download a Cloudflare certificate in .pem format.
  2. In Chrome, go to Settings > Privacy and security > Security.
  3. Select Manage certificates.
  4. Go to Authorities. Select Import.
  5. In the file open dialog, choose the certificate.pem file you downloaded.
  6. In the dialog box, turn on Trust this certificate for identifying websites, Trust this certificate for identifying email users, and Trust this certificate for identifying software makers. Select OK.
  7. To verify the certificate was installed and trusted, locate it in Authorities.

For information on installing a Cloudflare certificate for organizations, refer to Google’s Chrome Enterprise and Education documentation.

Firefox

To install a Cloudflare certificate to Firefox manually:

  1. Download a Cloudflare certificate in .pem format.
  2. In Firefox, go to Settings > Privacy & Security.
  3. In Security, select Certificates > View Certificates.
  4. In Authorities, select Import.
  5. In the file open dialog, choose the certificate.pem file you downloaded.
  6. In the dialog box, turn on Trust this CA to identify websites and Trust this CA to identify email users. Select OK.
  7. To verify the certificate was installed and trusted, locate it in the table under Cloudflare.

For information on installing a Cloudflare certificate for organizations, refer to this Mozilla support article.

Python

Depending on which version of Python you have installed and your configuration, you may need to use either the python or python3 command. If you use virtual environments, you will need to repeat the following steps within each virtual environment.

Python on Windows

The command to install the certificate with Python on Windows automatically includes pip and certifi (the default certificate bundle for certificate validation).

  1. Download a Cloudflare certificate in .crt format.
  2. In a PowerShell terminal, install the certifi package:
    PowerShell
    python -m pip install certifi
  3. Identify the Python CA store:
    PowerShell
    $CERT_PATH = python -c "import certifi; print(certifi.where())"
  4. Update the bundle to include the Cloudflare certificate:
    PowerShell
    gc "$env:USERPROFILE\Downloads\certificate.crt" | ac $CERT_PATH
  5. (Optional) Configure your system variables to point to the CA store by adding them to PowerShell’s configuration file:
    PowerShell
    [System.Environment]::SetEnvironmentVariable('CERT_PATH', $CERT_PATH, 'Machine')
    [System.Environment]::SetEnvironmentVariable('SSL_CERT_FILE', $CERT_PATH, 'Machine')
    [System.Environment]::SetEnvironmentVariable('REQUESTS_CA_BUNDLE', $CERT_PATH, 'Machine')
  6. Restart your terminal.

Python on Mac and Linux

  1. Download a Cloudflare certificate in .pem format.
  2. In a terminal, install the certifi package:
    Terminal window
    python -m pip install certifi
  3. Append the Cloudflare certificate to this CA store by running:
    Terminal window
    echo | cat - certificate.pem >> "$(python -m certifi)"
  4. (Optional) Configure your system variables to point to the CA store by adding them to your shell’s configuration file (such as ~/.zshrc or ~/.bash_profile). For example:
    Terminal window
    echo 'export CERT_PATH=$(python -c "import certifi; print(certifi.where())")
    export SSL_CERT_FILE=${CERT_PATH}
    export REQUESTS_CA_BUNDLE=${CERT_PATH}' >> ~/.zshrc
  5. Restart your terminal.
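
The following is an added example, not Cloudflare's code. It combines the fingerprint check from Verify the downloaded certificate with the certifi append steps above: it accepts either download format (the page's verify commands read the .crt file as DER), refuses a file whose SHA-256 does not match the thumbprint, and appends to the bundle only once. The function names and the stand-in bytes in demo() are assumptions made for illustration.

```python
import base64
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the download is PEM text (.pem) or raw DER."""
    match = PEM_BLOCK.search(data)
    if match:
        return base64.b64decode(match.group(1))  # b64decode ignores newlines
    if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("file is neither a PEM nor a DER certificate")
    return data


def normalize_thumbprint(text: str) -> str:
    """Accept 'sha256 Fingerprint=F5:E1:...' or bare hex; return lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", text.split("=")[-1].lower())


def append_to_bundle(cert_path, bundle_path, expected_thumbprint) -> bool:
    """Append the certificate to a PEM bundle once. True if it was added."""
    der = to_der(Path(cert_path).read_bytes())
    if hashlib.sha256(der).hexdigest() != normalize_thumbprint(expected_thumbprint):
        raise ValueError("fingerprint does not match the expected thumbprint")
    bundle = Path(bundle_path)
    existing = bundle.read_bytes()
    for block in PEM_BLOCK.finditer(existing):
        if base64.b64decode(block.group(1)) == der:
            return False  # already present; a second append would duplicate it
    with bundle.open("ab") as fh:
        if existing and not existing.endswith(b"\n"):
            fh.write(b"\n")  # same job as the `echo |` in the page's command
        fh.write(ssl.DER_cert_to_PEM_cert(der).encode("ascii"))
    return True


def demo() -> list:
    """Run against constructed stand-in bytes (not a real certificate)."""
    fake_der = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed sample"
    thumb = "sha256 Fingerprint=" + hashlib.sha256(fake_der).hexdigest().upper()
    with tempfile.TemporaryDirectory() as tmp:
        crt, bundle = Path(tmp, "certificate.crt"), Path(tmp, "cacert.pem")
        crt.write_bytes(fake_der)  # DER-style download
        bundle.write_bytes(b"# existing bundle, no trailing newline")
        first = append_to_bundle(crt, bundle, thumb)
        second = append_to_bundle(crt, bundle, thumb)  # second run is a no-op
        count = len(PEM_BLOCK.findall(bundle.read_bytes()))
    return [first, second, count]


if __name__ == "__main__":
    print(demo())
```

In real use, pass the downloaded file, the path returned by certifi.where(), and the SHA-256 thumbprint shown for the certificate in Zero Trust, once per virtual environment.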

Git

Git on Windows

  1. Open PowerShell.

  2. Run the following command:

    PowerShell
    git config -l

    This command will output:

    core.symlinks=false
    core.autocrlf=true
    core.fscache=true
    color.diff=auto
    color.status=auto
    color.branch=auto
    color.interactive=true
    help.format=html
    rebase.autosquash=true
    http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
    http.sslbackend=openssl
    diff.astextplain.textconv=astextplain
    filter.lfs.clean=git-lfs clean -- %f
    filter.lfs.smudge=git-lfs smudge -- %f
    filter.lfs.process=git-lfs filter-process
    filter.lfs.required=true
    credential.helper=manager
  3. The http.sslcainfo defines the CA Certificate store. To append the Cloudflare certificate to the CA bundle, update http.sslcainfo.

    PowerShell
    gc .\certificate.pem | ac $(git config --get http.sslcainfo)

Git on Mac and Linux

To configure Git to trust a Cloudflare certificate, run the following command:

Terminal window
git config --global http.sslcainfo [PATH_TO_CLOUDFLARE_CERT]

npm

  1. Download a Cloudflare certificate in .pem format.
  2. Set the cafile configuration to use the Cloudflare certificate:
    Terminal window
    npm config set cafile [PATH_TO_CLOUDFLARE_CERT.pem]

On some systems you may need to set the following in your path/export list:

Terminal window
export NODE_EXTRA_CA_CERTS='[PATH_TO_CLOUDFLARE_CERT.pem]'

Google Cloud

Google Cloud SDK

The commands below will set the Google Cloud SDK to use a Cloudflare certificate. For more information on configuring the Google Cloud SDK, refer to the Google Cloud documentation.

  1. Get curl’s cacert bundle.

    Terminal window
    curl --remote-name https://curl.se/ca/cacert.pem
  2. Download a Cloudflare certificate in .pem format.

  3. Combine the certs into a single .pem file.

    Terminal window
    cat cacert.pem certificate.pem > ~/ca.pem
  4. Configure Google Cloud to use the combined .pem.

    Terminal window
    gcloud config set core/custom_ca_certs_file ~/ca.pem

Kaniko

If you use Kaniko with Google Cloud SDK, you must install a Cloudflare certificate in the Kaniko CA store. For more information, refer to the gcloud documentation.

Google Drive for desktop

To trust a Cloudflare root certificate in the Google Drive desktop application, follow the procedure for your operating system. These steps require you to download the .pem certificate.

macOS

  1. In the Finder menu bar, go to Go > Go to Folder. Enter /Applications/Google Drive.app/Contents/Resources.

  2. Find roots.pem and copy it to a permanent location, such as your Documents folder.

  3. Append the contents of certificate.pem to the end of roots.pem.

    Terminal window
    cat ~/Downloads/certificate.pem >> path/to/roots.pem
  4. Apply the newly created root certificate to your Google Drive application.

    Terminal window
    sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootCertsFile -string "path/to/roots.pem"

You can verify the update with the following command.

Terminal window
defaults read /Library/Preferences/com.google.drivefs.settings

Windows

  1. In File Explorer, go to \Program Files\Google\Drive File Stream\<version>\config\.

  2. Find roots.pem and copy it to a permanent location, such as your Documents folder.

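  3. Append the contents of certificate.pem to the end of roots.pem.

    PowerShell
    # Add-Content avoids the UTF-16 output that >> produces in Windows PowerShell 5.1
    Get-Content ~\Downloads\certificate.pem | Add-Content path\to\roots.pem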
  4. Update the Google Drive registry key.

    PowerShell
    reg ADD "HKEY_LOCAL_MACHINE\Software\Google\DriveFS" /v TrustedRootCertsFile /t REG_SZ /d "path\to\roots.pem"

You can verify the update with the following command.

PowerShell
reg QUERY "HKEY_LOCAL_MACHINE\Software\Google\DriveFS" /v TrustedRootCertsFile

For more information, refer to the Google documentation for the TrustedRootCertsFile setting.

Google Apps Manager (GAM)

Google Apps Manager (GAM) uses its own certificate store. To add a Cloudflare certificate to GAM, refer to the GAM documentation.

AWS CLI

If you’re using the AWS CLI, you need to set the AWS_CA_BUNDLE environment variable to use a Cloudflare root certificate. Commands are available for different operating systems in the AWS instructions.

PHP Composer

The command below will set the cafile configuration inside of composer.json to use the Cloudflare root certificate. Make sure to download the certificate in the .pem file type.

Terminal window
composer config cafile [PATH_TO_CLOUDFLARE_CERT.pem]

Alternatively, you can add this manually to your composer.json file under the config key.

JetBrains

To install a Cloudflare root certificate on JetBrains products, refer to the links below:

Eclipse

To install a Cloudflare root certificate on Eclipse IDE for Java Developers, you must add the certificate to the Java virtual machine (JVM) used by Eclipse.

  1. Download a Cloudflare certificate.

  2. Find the java.home value for your Eclipse installation.

    1. In Eclipse, go to Eclipse > About Eclipse (or Help > About Eclipse IDE on Windows and Linux).
    2. Select Installation Details, then go to Configuration.
    3. Search for java.home, then locate the value. For example:

        *** System properties:
        java.home=/Users/<username>/.p2/pool/plugins/org.eclipse.justj.openjdk.hotspot.jre.full.macosx.aarch64_17.0.8.v20230831-1047/jre
    4. Copy the full path after java.home=.
  3. Add the Cloudflare certificate to Eclipse’s JVM:

macOS and Linux

  1. In a terminal, add the java.home value you copied as an environment variable.

    Terminal window
    export JAVA_HOME=$(echo /path/to/java.home)
  2. Run keytool to install and trust the Cloudflare certificate.

    Terminal window
    "$JAVA_HOME/bin/keytool" -import -file ~/Downloads/certificate.crt -alias CloudflareRootCA -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit -trustcacerts -noprompt
  3. Restart Eclipse.

Windows

  1. In a terminal, add the java.home value you copied as an environment variable.

    PowerShell
    $env:JAVA_HOME = "\path\to\java.home"
  2. Run keytool to install and trust the Cloudflare certificate.

    PowerShell
    & "$env:JAVA_HOME\bin\keytool.exe" -import -file "$env:USERPROFILE\Downloads\certificate.crt" -alias CloudflareRootCA -keystore "$env:JAVA_HOME\lib\security\cacerts" -storepass changeit -trustcacerts -noprompt
  3. Restart Eclipse.

For more information on adding certificates to Eclipse with keytool, refer to IBM’s documentation.

RubyGems

To trust a Cloudflare root certificate in RubyGems, follow the procedure for your operating system. These steps require you to download a .pem certificate.

macOS and Linux

  1. Install OpenSSL.

  2. In a terminal, format the Cloudflare certificate for Ruby.

    Terminal window
    openssl x509 -in ~/Downloads/certificate.pem -out ~/Downloads/ruby-root-ca.crt
  3. Create a RubyGems certificate directory in your home folder.

    Terminal window
    mkdir -p ~/.gem/ssl
  4. Copy the Cloudflare certificate to your RubyGems certificate store.

    Terminal window
    cp ~/Downloads/ruby-root-ca.crt ~/.gem/ssl/rubygems.org.pem
  5. Configure RubyGems to use the certificate.

    Terminal window
    gem sources --add-trusted-cert ~/.gem/ssl/rubygems.org.pem

    Alternatively, add the following line to your RubyGems configuration file, located at ~/.gemrc, to globally trust the certificate:

    :ssl_cert: ~/.gem/ssl/rubygems.org.pem
  6. Restart any terminal sessions.

Windows

  1. Install OpenSSL for Windows.

  2. In a PowerShell terminal, format the Cloudflare certificate for Ruby.

    PowerShell
    openssl x509 -in "$env:USERPROFILE\Downloads\certificate.pem" -out "$env:USERPROFILE\Downloads\ruby-root-ca.crt"
  3. Create a RubyGems certificate directory in your home folder.

    PowerShell
    mkdir -Force "$env:USERPROFILE\.gem\ssl"
  4. Copy the Cloudflare certificate to your RubyGems certificate store.

    PowerShell
    Copy-Item "$env:USERPROFILE\Downloads\ruby-root-ca.crt" "$env:USERPROFILE\.gem\ssl\rubygems.org.pem"
  5. Configure RubyGems to use the certificate.

    PowerShell
    gem sources --add-trusted-cert "$env:USERPROFILE\.gem\ssl\rubygems.org.pem"

    Alternatively, add the following line to your RubyGems configuration file located in $HOME\.gemrc to globally trust the certificate:

    :ssl_cert: C:/Users/<username>/.gem/ssl/rubygems.org.pem
  6. Restart any terminal sessions.

Minikube

To trust a Cloudflare root certificate in Minikube, refer to x509: certificate signed by unknown authority.