Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Bring your own CA for API Shield mTLS

This page explains how you can manage mTLS with API Shield using client certificates that have not been issued by Cloudflare CA.

This is especially useful if you already have mTLS implemented and client certificates issued by your chosen CA are already installed on devices.

​​ Availability

  • Currently, you can only upload your CA via API.
  • This process is only available on Enterprise accounts.
  • Each Enterprise account can upload up to five CAs. This quota does not apply to CAs uploaded through Cloudflare Access.

​​ Set up mTLS with your CA

  1. Use the Upload mTLS certificate endpoint to upload the CA root certificate.
  • ca boolean required

    • Set to true to indicate that the certificate is a CA certificate.
  • certificates string required

    • Insert content from the .pem file associated with the CA certificate, formatted as a single string with \n replacing the line breaks.
  • name string optional

    • Indicate a unique name for your CA certificate.
  1. Take note of the certificate ID (id) that is returned in the API response.
  2. Use the Replace Hostname Associations endpoint to enable mTLS in each hostname that should use the CA for mTLS validation. Use the following parameters:
  • hostnames array required

    • List the hostnames that will be using the CA for client certificate validation.

  • mtls_certificate_id string required

    • Indicate the certificate ID obtained from the previous step.

  1. Create a custom rule to enforce client certificate validation. You can do this via the dashboard or via API, using the Create firewall rules endpoint.

"expression": "( in {\"<HOSTNAME_1>\" \"<HOSTNAME_2>\"} and not cf.tls_client_auth.cert_verified)",
"action": "block"

​​ Delete an uploaded CA

If you want to remove a CA that you have previously uploaded, you must first remove any hostname associations that it has.

  1. Make a request to the Replace Hostname Associations endpoint, with an empty array for hostnames and specifying your CA certificate ID in mtls_certificate_id:

"hostnames": [],
"mtls_certificate_id": "<CERTIFICATE_ID>"
  1. Use the Delete mTLS certificate endpoint to delete the certificate.