An easy, robust and convenient way to add a strong layer of extra protection to your online systems – client SSL certificates are something I’ve been a big fan of for a number of years now.
Traditionally, getting this set up required a bit of command line wizardry and it was not something that was particularly well documented online.
Now for sites protected by Cloudflare, setting this up is really quite easy.
Cloudflare push this as part of their API Shield, though in fact you can use it to protect any web site.
You can read the docs here which explain the process quite clearly.
- Create the client certificate within the Cloudflare dashboard
- Enable mTLS for the host(s) you want to protect with this certificate
- Create a firewall rule that enforces a valid certificate for the host(s)
Tips
Use a Password Protected P12 Certificate
One thing I suggest you do, though, to increase security is to password protect the generated key by bundling it into a P12 file. This is a single file that can be easily shared and is useless without the corresponding password.
The plain cert and key files that Cloudflare provides are not very secure – anyone who gets them can use them freely. By wrapping these in a P12 file you add an extra layer of security, so even if an email/message that contains the file is intercepted, it is of no use unless the attacker can also get the password (note – you should really use a proper password manager for secure sharing of passwords).
You can copy and paste the PEM format files into 2 local files, cert.pem and cert.key.
Once you have these files, to create a password protected P12 that contains them, you would run a command like this:
openssl pkcs12 -export -in cert.pem -inkey cert.key -out cert.p12
You will be prompted for a password. I suggest a nice long secure password – it generally only needs to be typed in once, when installing to a browser or device.
When using client SSL, it is very similar to normal server side SSL in that it protects the entire domain. So for example, you might want to create a new subdomain protected.mydomain.com.
Within Cloudflare, you will want to configure this new subdomain and ensure that it is proxied through Cloudflare. You might decide to use a Cloudflare Tunnel (formerly Argo Tunnel) to provide a highly secure link between your server and Cloudflare so that no one can find a way to bypass Cloudflare when accessing the protected subdomain.
Combining with Teams/Access
You can (and should) combine this protection with Cloudflare Teams to provide yet another layer of protection. One thing I do suggest, though, is that for the hosts/domains you intend to protect with P12s, you set up the P12 protection first in isolation, and only once it is working should you then configure them in Teams.
This just makes your life a lot easier, as you can then easily test the P12 protection using curl.
Testing Using Curl
You can test your P12 protection using curl. Browsers can be a bit funny with P12 certificates and sometimes require a full machine restart to work properly. By using curl, you remove any caching etc. that might be happening in a browser and can get verbose debug information.
To access a site with a P12, you can use the following command:
curl --cert-type P12 --cert ./cert.p12:MySuperLongSecurePass123 https://protected.domain.co.uk -vvv
Note how the password for the P12 is tacked onto the path to the cert, with a : character separating the path and the password.
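The P12 bundling step above and the curl test, put together as a small script. This is an added example, not code from the original post or from Cloudflare: it makes the openssl export non-interactive, checks that the resulting bundle really is rejected without its password, and wraps the curl command. It assumes OpenSSL and curl are installed; the file names, the demo subject "p12-demo" and the hostname argument are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the P12 bundling step
# made non-interactive, a check that the bundle really is useless without
# its password, and a wrapper for the curl test. Assumes OpenSSL and curl
# are installed; file names, demo subject and hostname are placeholders.
set -e

# Bundle a PEM cert and key into a password-protected P12. The password is
# read from P12_PASS via -passout env:, so it never sits on the command
# line (and so never in shell history or `ps` output).
make_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS
}

# Return 0 if the P12 at $1 opens with password $2, non-zero otherwise.
# Try it with a wrong password before sharing the file: a bundle that opens
# anyway adds no protection at all.
p12_opens() {
    ( P12_PASS="$2"; export P12_PASS
      openssl pkcs12 -in "$1" -noout -passin env:P12_PASS >/dev/null 2>&1 )
}

# Throwaway self-signed cert+key standing in for the pair Cloudflare issues
# (constructed test material, not a real Cloudflare client certificate).
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12-demo" \
        -keyout "$1/cert.key" -out "$1/cert.pem" >/dev/null 2>&1
}

# The verbose curl test from the post; the password is appended after ':'.
# Not called by demo, since it needs a live mTLS-protected host.
curl_with_p12() {
    curl --cert-type P12 --cert "$1:$2" -vvv "https://$3"
}

# End to end: build a pair, bundle it, check right and wrong passwords.
# Prints the path of the resulting P12.
demo() {
    dir=$(mktemp -d)
    make_test_pair "$dir"
    P12_PASS="MySuperLongSecurePass123"; export P12_PASS
    make_p12 "$dir/cert.pem" "$dir/cert.key" "$dir/cert.p12"
    p12_opens "$dir/cert.p12" "$P12_PASS"
    if p12_opens "$dir/cert.p12" "not-the-password"; then
        echo "wrong password accepted" >&2; return 1
    fi
    echo "$dir/cert.p12"
}
```

Run `demo` to exercise the whole flow locally, then `curl_with_p12 ./cert.p12 'YourPassword' protected.domain.co.uk` against the real host once Cloudflare is configured.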