Enable mTLS
You can enable mutual Transport Layer Security (mTLS) for any hostname.
To enable mutual Transport Layer Security (mTLS) for a host from the Cloudflare dashboard:
- Log in to the Cloudflare dashboard ↗ and select your account and application.
- Go to SSL > Client Certificates.
- To enable mTLS for a host, select Edit in the Hosts section of the Client Certificates card.
- Enter the name of a host in your current application and press
Enter
. - Select Save.
After enabling mTLS for your host, you can enforce mTLS with API Shield. While API Shield is not required to use mTLS, many teams may use mTLS to protect their APIs.
In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging.
To avoid adding the certificate to every single request, the certificate is only forwarded on the first request of an mTLS connection.
The most common approach to forwarding a certificate is to use the Cloudflare API to update an mTLS certificate's hostname settings.
Once client_certificate_forwarding
is set to true
, the first request of an mTLS connection will now include the following headers:
Cf-Client-Cert-Der-Base64
Cf-Client-Cert-Sha256
You can also modify HTTP response headers using Managed Transforms to pass along TLS client auth headers.
Additionally, Workers can provide details around the client certificate.