Cloudflare Docs

Client certificates

Use Cloudflare public key infrastructure (PKI) to create client certificates. Use these certificates with Cloudflare API Shield or Cloudflare Workers to enforce mutual Transport Layer Security (mTLS), so that a connection is accepted only when the client presents a certificate that validates against your configured CA.

Cloudflare validates client certificates against a single CA that is set at the account level, so the same certificates can be used for validation across multiple zones, provided the zones belong to the same account and mTLS has been enabled for the requested hosts. In practice this means that (a) if you bring your own CA, you can associate it with hosts in different zones, and (b) if you use the Cloudflare Managed CA, this cross-zone behavior is the default.

API Shield

To use API Shield to protect your API or web application, you must do the following:

  1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.

  2. Configure your mobile app or IoT device to use your Cloudflare-issued client certificate.

  3. Enable mTLS for the hosts you wish to protect with API Shield.

  4. Create WAF custom rules that block API requests which do not present a client certificate that validates against the CA (the cf.tls_client_auth.cert_verified field in the rule expression).

By default, API Shield mTLS uses client certificates issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each account.

If you need to use certificates issued by another CA, you can use the API to bring your own CA for mTLS.
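The API Shield steps above as Cloudflare API calls, written here as an added example rather than code from Cloudflare's own documentation. Each step is a pure request builder so the request shapes can be inspected offline, with a separate send function for running them against the live API. Endpoint paths and field names follow the Cloudflare v4 API as I understand it and should be checked against the API reference before use; the zone ID, hostname, ruleset ID, bearer token and CSR are placeholders. Step 2 (installing the issued certificate on the device) has no API call and is omitted.

```javascript
// Added example, not Cloudflare's code. Endpoint paths and body fields are
// assumptions drawn from the Cloudflare v4 API reference; verify before use.
const API = "https://api.cloudflare.com/client/v4";

// Step 1: have the account's Cloudflare Managed CA issue a client certificate
// from a CSR generated on the device, so the private key never leaves it.
function buildCreateClientCert(zoneId, csrPem, validityDays = 365) {
  if (!csrPem.startsWith("-----BEGIN CERTIFICATE REQUEST-----")) {
    throw new Error("expected a PEM-encoded certificate signing request");
  }
  return {
    method: "POST",
    url: `${API}/zones/${zoneId}/client_certificates`,
    body: { csr: csrPem, validity_days: validityDays },
  };
}

// Step 3: enable mTLS for the hosts to protect. Without mtls_certificate_id
// the account's Cloudflare Managed CA is used; pass the ID of an uploaded CA
// (assumed field name) to validate against a CA you brought yourself.
function buildEnableMtls(zoneId, hostnames, mtlsCertificateId) {
  if (!Array.isArray(hostnames) || hostnames.length === 0) {
    throw new Error("at least one hostname is required");
  }
  const body = { hostnames };
  if (mtlsCertificateId) body.mtls_certificate_id = mtlsCertificateId;
  return {
    method: "PUT",
    url: `${API}/zones/${zoneId}/certificate_authorities/hostname_associations`,
    body,
  };
}

// Step 4: a WAF custom rule in the http_request_firewall_custom phase ruleset
// (rulesetId) that blocks requests to the protected host unless the client
// certificate validated against the CA and has not been revoked. Note that
// if mTLS is not enabled for the host (step 3), cert_verified is never true
// and this rule blocks every request to it.
function buildMtlsWafRule(zoneId, rulesetId, hostname) {
  const expression =
    `(http.host eq "${hostname}" and ` +
    `(not cf.tls_client_auth.cert_verified or cf.tls_client_auth.cert_revoked))`;
  return {
    method: "POST",
    url: `${API}/zones/${zoneId}/rulesets/${rulesetId}/rules`,
    body: {
      description: `Require a valid, unrevoked client certificate for ${hostname}`,
      expression,
      action: "block",
    },
  };
}

// Execute a built request against the live API. Needs a real API token with
// the relevant zone permissions and network access; nothing calls it here.
async function send(req, token) {
  const res = await fetch(req.url, {
    method: req.method,
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify(req.body),
  });
  const json = await res.json();
  if (!json.success) throw new Error(JSON.stringify(json.errors));
  return json.result; // for step 1 this carries the issued certificate PEM
}
```

The order matters in production: create and distribute the certificate first, then enable mTLS on the host, and only then deploy the blocking rule, otherwise existing clients are cut off while they still lack a certificate.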

Workers

To authenticate Workers requests using mTLS:

  1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.
  2. Create and use an mTLS binding to authenticate Workers connections.
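An added example (not Cloudflare's code) of a Worker that uses an mTLS certificate binding for its outbound call to an mTLS-protected origin and, on the inbound side, refuses callers whose own client certificate did not validate. The binding name ORIGIN_CERT, the origin URL and the wrangler snippet in the comments are assumptions; the certificate is uploaded with wrangler mtls-certificate upload --cert cert.pem --key key.pem --name <name>, which prints the certificate ID used in the binding. The test harness stands in for the binding with a recording mock.

```javascript
// Added example, not Cloudflare's code. Assumed wrangler configuration:
//   mtls_certificates = [
//     { binding = "ORIGIN_CERT", certificate_id = "<id from wrangler mtls-certificate upload>" }
//   ]
// ORIGIN is a placeholder for the mTLS-protected origin.
const ORIGIN = "https://api.origin.example";

// Inbound side: Cloudflare records the client-certificate validation result
// on request.cf.tlsClientAuth. certVerified is "SUCCESS" only when the
// presented certificate chained to the configured CA; "NONE" means no
// certificate was presented and "FAILED:<reason>" means validation failed.
function clientCertVerified(request) {
  const auth = request.cf && request.cf.tlsClientAuth;
  return Boolean(auth) && auth.certVerified === "SUCCESS";
}

// Build the origin URL from the incoming path and query only, so a caller
// cannot steer the certificate-bearing request to a host of their choosing.
function originUrlFor(requestUrl) {
  const incoming = new URL(requestUrl);
  return new URL(incoming.pathname + incoming.search, ORIGIN).toString();
}

// Outbound side: env.ORIGIN_CERT.fetch() has the signature of global fetch
// but presents the bound client certificate during the TLS handshake with
// the origin. A plain fetch() to the same URL would be rejected by an origin
// that requires mTLS.
async function handleRequest(request, env) {
  if (!clientCertVerified(request)) {
    return new Response("client certificate required", { status: 403 });
  }
  if (!env || !env.ORIGIN_CERT || typeof env.ORIGIN_CERT.fetch !== "function") {
    return new Response("mTLS binding ORIGIN_CERT is not configured", { status: 500 });
  }
  const hasBody = !["GET", "HEAD"].includes(request.method);
  return env.ORIGIN_CERT.fetch(originUrlFor(request.url), {
    method: request.method,
    headers: request.headers,
    body: hasBody ? request.body : undefined,
  });
}

// In the deployed Worker this object is the module's default export
// (export default worker).
const worker = { fetch: handleRequest };
```

The inbound check is the Workers-side counterpart of the WAF rule used with API Shield; if the WAF rule is already in place for the route, the 403 branch is only a defense in depth.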