Enable mTLS

You can enable mutual Transport Layer Security (mTLS) for any hostname.

Enable mTLS

To enable mutual Transport Layer Security (mTLS) for a host from the Cloudflare dashboard:

  1. Log in to the Cloudflare dashboard and select your account and application.
  2. Go to SSL > Client Certificates.
  3. To enable mTLS for a host, select Edit in the Hosts section of the Client Certificates card.
  4. Enter the name of a host in your current application and press Enter.
  5. Select Save.

Now that you have enabled mTLS for your host, you can enforce mTLS with API Shield™.

Forward a client certificate

In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging.

Cloudflare API

The most common approach to forwarding a certificate is to use the Cloudflare API to update an mTLS certificate’s hostname settings.

curl --request PUT \
  --url https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/access/certificates/settings \
  --header 'content-type: application/json' \
  --header 'x-auth-email: <EMAIL>' \
  --header 'x-auth-key: <API_KEY>' \
  --data '{
    "settings": [
      {
        "hostname": "<HOSTNAME>",
        "china_network": false,
        "client_certificate_forwarding": true
      }
    ]
  }'

Once client_certificate_forwarding is set to true, the first request of each mTLS connection will include the following headers:

  • Cf-Client-Cert-Der-Base64
  • Cf-Client-Cert-Sha256

Managed Transforms

You can also modify HTTP response headers using Managed Transforms to pass along TLS client auth headers.

Cloudflare Workers

Additionally, Workers can provide details around the client certificate.

const tlsHeaders = {
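Building on the tlsHeaders idea above, the following is an added example, not Cloudflare's own code: a Worker that reads request.cf.tlsClientAuth, rejects requests whose client certificate did not verify, and forwards an allowlisted set of certificate fields to the origin as request headers. The tlsClientAuth field names, the X-Cert-* header names and the sample object are assumptions.

```javascript
// Added example, not Cloudflare's own code. Assumes the Workers runtime exposes
// request.cf.tlsClientAuth with the string fields used below (sample is constructed).
const SAMPLE_VERIFIED = {
  certPresented: "1",
  certVerified: "SUCCESS",
  certRevoked: "0",
  certIssuerDN: "CN=Example Client CA,O=Example Corp",
  certSubjectDN: "CN=device-0001,O=Example Corp",
  certSerial: "0A1B2C",
  certFingerprintSHA256: "0000000000000000000000000000000000000000000000000000000000000000",
};
// Allowlist of certificate fields to forward; keys are the origin-facing headers.
const FORWARDED_FIELDS = {
  "X-Cert-Issuer-DN": "certIssuerDN",
  "X-Cert-Subject-DN": "certSubjectDN",
  "X-Cert-Serial": "certSerial",
  "X-Cert-Fingerprint-SHA256": "certFingerprintSHA256",
  "X-Cert-Verified": "certVerified",
};
// True only when a certificate was presented, chained to a trusted CA, and is not revoked.
function clientCertVerified(auth) {
  return Boolean(auth) && auth.certPresented === "1" &&
    auth.certVerified === "SUCCESS" && auth.certRevoked !== "1";
}

// Copy the allowlisted fields into a header map, skipping missing or empty values.
function buildTlsHeaders(auth) {
  const headers = {};
  for (const [name, key] of Object.entries(FORWARDED_FIELDS)) {
    const value = auth[key];
    if (typeof value === "string" && value !== "") headers[name] = value;
  }
  return headers;
}

// Worker fetch handler (wire up with: export default { fetch: handleRequest }).
// Unverified clients get 403 at the edge; X-Cert-* headers are set, not appended,
// so any copies the client itself sent are overwritten before reaching the origin.
async function handleRequest(request) {
  const auth = request.cf && request.cf.tlsClientAuth;
  if (!clientCertVerified(auth)) {
    return new Response("client certificate required", { status: 403 });
  }
  const forwarded = new Request(request);
  for (const [name, value] of Object.entries(buildTlsHeaders(auth))) {
    forwarded.headers.set(name, value);
  }
  return fetch(forwarded);
}
```

If client_certificate_forwarding is also enabled, the origin additionally receives the Cf-Client-Cert-* headers listed earlier on this page.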