
Install the Cloudflare certificate

If your device does not support certificate installation via WARP, you can manually install the Cloudflare certificate. You will need to add the certificate to both the system keychain and to individual application stores. These steps will need to be performed on each new device that is to be subject to HTTP filtering.

​​ Download the Cloudflare root certificate

First, download the Cloudflare certificate. The certificate is available both as a .pem and as a .crt file. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case.

​​ Verify the certificate fingerprint

To verify your download, check that the certificate’s thumbprint matches:

​​ SHA1


BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
➜  ~ openssl x509 -noout -fingerprint -sha1 -inform der -in <Cloudflare_CA.crt>
SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
➜  ~ openssl x509 -noout -fingerprint -sha1 -inform pem -in <Cloudflare_CA.pem>
SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C

​​ SHA256


F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
➜  ~ openssl x509 -noout -fingerprint -sha256 -inform der -in <Cloudflare_CA.crt>
sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
➜  ~ openssl x509 -noout -fingerprint -sha256 -inform pem -in <Cloudflare_CA.pem>
sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF

​​ Add the certificate to operating systems

​​ macOS

To install the Cloudflare certificate in macOS, you can use either the Keychain Access application or a terminal. Both methods require you to download the Cloudflare certificate in .crt format.

​​ Keychain Access

In Keychain Access, you can choose the keychain in which you want to install the certificate. Each keychain impacts which users will be affected by trusting the root certificate.

| Keychain | Access scope |
| --- | --- |
| login | The logged in user |
| Local Items | Users with access to cached iCloud passwords |
| System | All users on the system |

To install the certificate with Keychain Access:

  1. Download the Cloudflare certificate.

  2. Open the .crt file in Keychain Access. If prompted, enter your local password.

  3. In Keychain, choose the access option that suits your needs and select Add.

  4. In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select Get Info.

  5. Select Trust. Under When using this certificate, select Always Trust.

The root certificate is now installed and ready to be used.

​​ Terminal

The following procedure will install the Cloudflare certificate to your keychain via the command line.

  1. Download the Cloudflare certificate.
  2. Open Terminal.
  3. Add the certificate to your keychain:

$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <path-to-Cloudflare_CA.crt>

This keychain will allow all users on the system access to the certificate. If you want to install the certificate to a different keychain, replace System.keychain with the name of that keychain. For information on the scope of each keychain, refer to Keychain Access.

  4. Update the OpenSSL CA Store to include the Cloudflare certificate:

$ echo | cat - Cloudflare_CA.pem | sudo tee -a /etc/ssl/cert.pem

​​ Windows

Windows offers two locations to install the certificate, each impacting which users will be affected by trusting the root certificate.

| Store location | Access scope |
| --- | --- |
| Current User Store | The logged in user |
| Local Machine Store | All users on the system |

  1. Download the Cloudflare certificate.

  2. Right-click the certificate file.

  3. Select Open. If you see a Security Warning, choose Open to proceed.

  4. The Certificate window will appear. Select Install Certificate.

  5. Now choose a Store Location. If you see a security warning, choose Yes to proceed.

  6. On the next screen, select Browse.

  7. In the list, choose the Trusted Root Certification Authorities store.

  8. Select OK, then select Finish.

The root certificate is now installed and ready to be used.

​​ Linux

The location where the root certificate should be installed is different depending on your Linux distribution. Follow the specific instructions for your distribution.

​​ Debian-based distributions

The following procedure applies to Debian-based systems, such as Debian, Ubuntu, and Kali Linux.

  1. Download the .pem certificate.
  2. Copy the certificate to the system, changing the file extension to .crt.

$ sudo cp Cloudflare_CA.pem /usr/local/share/ca-certificates/Cloudflare_CA.crt

  3. Import the certificate.

$ sudo dpkg-reconfigure ca-certificates

​​ Red Hat-based distributions

The following procedure applies to Red Hat-based systems, such as Red Hat Enterprise Linux (RHEL), Fedora, Rocky Linux, and AlmaLinux.

  1. Download both the .crt certificate and the .pem certificate.
  2. Copy both certificates to the trust store.

$ sudo cp Cloudflare_CA.crt Cloudflare_CA.pem /etc/pki/ca-trust/source/anchors

  3. Import the certificate.

$ sudo update-ca-trust

​​ NixOS

NixOS does not use the system certificate store for self updating and instead relies on the certificates found in ~/.nix-profile/etc/ssl/certs or provided by NIX_SSL_CERT_FILE at runtime.

​​ iOS

iOS only allows the Safari browser to open and install certificates.

  1. Open Safari and download the Cloudflare certificate. The device will show a message: This website is trying to download a configuration profile. Do you want to allow this?

  2. Select Allow.

  3. Go to Settings, where a new Profile Downloaded section will appear directly beneath your iCloud user account info.

  4. Select Install. If the iOS device is passcode-protected, you will be prompted to enter the passcode.

  5. Next, a certificate warning will appear. Select Install. If a second prompt appears, select Install again.

  6. Next, the Profile Installed screen will appear. Select Done. The certificate is now installed. However, before it can be used, it must be trusted by the device.

  7. Go to Settings > General > About > Certificate Trust Settings. The installed root certificates will be displayed under Enable full trust for root certificates.

  8. Enable the Cloudflare certificate.

  9. A security warning message will appear. Choose Continue.

The root certificate is now installed and ready to be used.

​​ Android

  1. Download the Cloudflare certificate.

  2. Go to Settings > Security > Advanced > Encryption & credentials > Install a certificate.

  3. Select CA certificate.

  4. Select Install anyway.

  5. Verify your identity.

  6. Choose the certificate file you want to install.

The root certificate is now installed and ready to be used.

​​ ChromeOS

  1. Download the Cloudflare certificate.

  2. Go to your ChromeOS Settings.

  3. Go to Apps > Google Play Store.

  4. Select Manage Android preferences.

  5. Go to Security & location > Credentials > Install from SD card.

  6. In the file open dialog, select the Cloudflare_CA.crt file downloaded in step #1 and select Open.

  7. Enter anything you want for the certificate name and select OK.

​​ Add the certificate to applications

Some packages, development tools, and other applications provide options to trust root certificates that will allow for the traffic inspection features of Gateway to work without breaking the application.

All of the applications below first require downloading the Cloudflare certificate with the instructions above. On Mac, the default path is /Library/Keychains/System.keychain Cloudflare_CA.crt. On Windows, the default path is \Cert:\CurrentUser\Root.

​​ Firefox

If your organization is using Firefox, the browser may need additional configuration to recognize the Cloudflare certificate. There are several ways you can add your Cloudflare certificate to Firefox. For more detailed instructions, see this Mozilla support article.

​​ Python

​​ Python on Windows

The command to install the certificate with Python on Windows automatically includes PIP and Certifi (the default certificate bundle for certificate validation).

  1. Download the Cloudflare root certificate in .pem format (the certifi bundle is PEM-encoded):

    curl -o Cloudflare_CA.pem https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
  2. To update the bundle to include the Cloudflare certificate, run the following command:

    gc .\Cloudflare_CA.pem | ac C:\Python37\Lib\site-packages\pip\_vendor\certifi\cacert.pem

​​ Python on Mac and Linux

  1. Install the certifi package:


    $ pip install certifi
  2. Identify the CA store:


    $ python -m certifi
    ~/Library/Python/3.7/lib/python/site-packages/certifi/cert.pem
  3. Download the Cloudflare root certificate:


    $ wget https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
  4. Append the Cloudflare certificate to this CA Store by running:


    $ echo | cat - Cloudflare_CA.pem >> $(python -m certifi)
  5. If needed, configure system variables to point to this CA Store:


    $ export CERT_PATH=$(python -m certifi)
    $ export SSL_CERT_FILE=${CERT_PATH}
    $ export REQUESTS_CA_BUNDLE=${CERT_PATH}
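
The fingerprint check from "Verify the certificate fingerprint" and the append step above can be combined so that a certificate is added to a CA bundle only after its SHA-256 thumbprint matches the published value, and is never added twice. This is an added example, not part of Cloudflare's documentation; the function names and the script name add_ca.py are hypothetical.

```python
import hashlib
import re
import ssl
from pathlib import Path

# SHA-256 thumbprint published on this page for the Cloudflare root certificate.
CLOUDFLARE_SHA256 = ("F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:"
                     "9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF")

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate file that is PEM (.pem) or DER (.crt)."""
    match = PEM_BLOCK.search(data)
    if match is None:
        return data  # no PEM armour: treat the input as raw DER
    return ssl.PEM_cert_to_DER_cert(match.group().decode("ascii"))


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def append_verified(cert_file, bundle_file, expected=CLOUDFLARE_SHA256) -> str:
    """Append a certificate to a PEM bundle only if its thumbprint matches."""
    cert = Path(cert_file).read_bytes()
    if fingerprint(cert) != expected.upper():
        raise ValueError("fingerprint mismatch, bundle left untouched")
    bundle = Path(bundle_file)
    existing = bundle.read_bytes()
    der = to_der(cert)
    # Re-running the append must not duplicate the entry.
    if any(to_der(block) == der for block in PEM_BLOCK.findall(existing)):
        return "already-present"
    pem = ssl.DER_cert_to_PEM_cert(der).encode("ascii")
    # Start on a fresh line so the new BEGIN marker never fuses with a
    # previous END marker that lacks a trailing newline.
    separator = b"" if existing.endswith(b"\n") or not existing else b"\n"
    with bundle.open("ab") as fh:
        fh.write(separator + pem)
    return "appended"


if __name__ == "__main__":
    import sys  # usage: python add_ca.py Cloudflare_CA.pem "$(python -m certifi)"
    print(append_verified(sys.argv[1], sys.argv[2]))
```

Upgrading the certifi package replaces its bundle, so the append has to be repeated afterwards; the duplicate check makes that safe to automate.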

​​ Git

​​ Git on Windows

  1. Open PowerShell.

  2. Run the following command:


$ git config -l

This command will output:

core.symlinks=false
core.autocrlf=true
core.fscache=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
help.format=html
rebase.autosquash=true
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
http.sslbackend=openssl
diff.astextplain.textconv=astextplain
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
credential.helper=manager

  3. The http.sslcainfo setting defines the CA certificate store. To trust the Cloudflare certificate, append it to the CA bundle that http.sslcainfo points to:

gc .\Cloudflare_CA.pem | ac $(git config --get http.sslcainfo)

​​ Git on Mac and Linux

Configure Git to trust the Cloudflare certificate.


$ git config --global http.sslcainfo [PATH_TO_CLOUDFLARE_CERT]

​​ npm

The command below will set the cafile configuration to use the Cloudflare certificate. Make sure to use the certificate in the .pem file type.


$ npm config set cafile [PATH_TO_CLOUDFLARE_CERT.pem]

On some systems you may need to set the following in your path/export list:


$ export NODE_EXTRA_CA_CERTS='[PATH_TO_CLOUDFLARE_CERT.pem]'

​​ Google Cloud SDK

The commands below will set the Google Cloud SDK to use the Cloudflare certificate. More information on configuring the Google Cloud SDK is available here.

  1. Get curl’s cacert bundle.


    $ curl -O https://curl.se/ca/cacert.pem
  2. Get the Cloudflare CA.


    $ curl -O https://developers.cloudflare.com/cloudflare-one/static/documentation/connections/Cloudflare_CA.pem
  3. Combine the certs into a single .pem file.


    $ cat cacert.pem Cloudflare_CA.pem > ~/ca.pem
  4. Configure Google Cloud to use the combined .pem.


    $ gcloud config set core/custom_ca_certs_file ~/ca.pem

​​ Google Cloud SDK and Kaniko

Per the gcloud documentation, if Kaniko is being used the Cloudflare certificate will need to be installed in the Kaniko CA store. Instructions can be found here.

​​ Google Drive for desktop

To trust the Cloudflare root certificate in the Google Drive desktop application, follow the procedure for your operating system. These steps require you to download the .pem certificate.

macOS
  1. In the Finder menu bar, go to Go > Go to Folder. Enter /Applications/Google Drive.app/Contents/Resources.

  2. Find roots.pem and copy it to a permanent location, such as your Documents folder.

  3. Append the contents of Cloudflare_CA.pem to the end of roots.pem.

    $ cat ~/Downloads/Cloudflare_CA.pem >> path/to/roots.pem
  4. Apply the newly created root certificate to your Google Drive application.

    $ sudo defaults write /Library/Preferences/com.google.drivefs.settings TrustedRootCertsFile -string "path/to/roots.pem"

You can verify the update with the following command.

$ defaults read /Library/Preferences/com.google.drivefs.settings

Windows
  1. In File Explorer, go to \Program Files\Google\Drive File Stream\<version>\config\.

  2. Find roots.pem and copy it to a permanent location, such as your Documents folder.

  3. Append the contents of Cloudflare_CA.pem to the end of roots.pem.


    $ cat ~\Downloads\Cloudflare_CA.pem >> path\to\roots.pem
  4. Update the Google Drive registry key.


    $ reg ADD "HKEY_LOCAL_MACHINE\Software\Google\DriveFS" /v TrustedRootCertsFile /t REG_SZ /d "path\to\roots.pem"

You can verify the update with the following command.


$ reg QUERY "HKEY_LOCAL_MACHINE\Software\Google\DriveFS" /v TrustedRootCertsFile

For more information, refer to the Google documentation for the TrustedRootCertsFile setting.

​​ AWS CLI

If you’re using the AWS CLI, you need to set the AWS_CA_BUNDLE environment variable to use the Cloudflare root certificate. Commands are available for different operating systems in the instructions available here.

​​ PHP Composer

The command below will set the cafile configuration inside of composer.json to use the Cloudflare root certificate. Make sure to use the certificate in the .pem file type.


$ composer config cafile [PATH_TO_CLOUDFLARE_CERT.pem]

Alternatively, you can add this manually to your composer.json file under the config key.

​​ JetBrains

To install the Cloudflare root certificate on JetBrains products, refer to the links below:

​​ Minikube

Instructions on how to install the Cloudflare root certificate are available here.