Cloudflare Docs
Cloudflare Zero Trust
Edit this page on GitHub
Set theme to dark (⇧+D)

Client certificate

The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.

​​ Prerequisites

  • A root CA that issues client certificates for your devices. You can use the Cloudflare PKI toolkit to generate a sample root CA for testing.
  • Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to WARP client checks.
  • A client certificate is installed and trusted on the device.
    SystemCertificate store
    macOSSystem Keychain
    WindowsCurrent User\Personal store
    LinuxNSSDB

​​ Configure the client certificate check

  1. Use the Upload mTLS certificate endpoint to upload the certificate and private key to Cloudflare. The certificate must be a root CA, formatted as a single string with \n replacing the line breaks. The private key is only required if you are using this custom certificate for Gateway HTTPS inspection.

    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/mtls_certificates" \
    --header "X-Auth-Email: <EMAIL>" \
    --header "X-Auth-Key: <API_KEY>" \
    --header "Content-Type: application/json" \
    --data '{
    "name": "example_ca_cert",
    "certificates": "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN PRIVATE KEY-----\nXXXXX\n-----END PRIVATE KEY-----",
    "ca": true
    }'

    The response will return a UUID for the certificate:

    {
    "success": true,
    "errors": [],
    "messages": [],
    "result": {
    "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60",
    "name": "example_ca_cert",
    "issuer": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "signature": "SHA256WithRSA"
    ...
    }
  2. In Zero Trust, go to Settings > WARP Client.

  3. Scroll down to WARP client checks and select Add new.

  4. Select Client certificate.

  5. You will be prompted for the following information:

    1. Name: Enter a unique name for this device posture check.
    2. Operating system: Select your operating system.
    3. Certificate ID: Enter the UUID of the root CA.
    4. Common name: Enter the common name of the client certificate (not the root CA).
  6. Select Save.

Next, go to Logs > Posture and verify that the client certificate check is returning the expected results.

​​ How WARP checks for a client certificate

Learn how the WARP client determines if a client certificate is installed and trusted on the device.

  1. Open Terminal.
  2. Run the following command to search for a certificate with a specific common name:
$ /usr/bin/security find-certificate -c "<COMMON_NAME>" -p /Library/Keychains/System.keychain
  1. Open a PowerShell window.
  2. Run the following command to search for a certificate with a specific common name:
PS C:\Users\JohnDoe> Get-ChildItem Cert:\CurrentUser\My\ | where{$_.Subject -like "*<COMMON_NAME>*"}
  1. Open Terminal.
  2. Run the following command to search for a certificate with a specific common name:
$ certutil -L -d sql:/etc/pki/nssdb -r -n <COMMON_NAME>

For the posture check to pass, a certificate must appear in the output that validates against the uploaded root CA.