Client certificates
Use Cloudflare public key infrastructure (PKI) to create client certificates. Use these certificates with Cloudflare API Shield™ or Cloudflare Workers to enforce mutual Transport Layer Security (mTLS) encryption.
API Shield
To use API Shield to protect your API or web application, you must do the following:
Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.
Configure your mobile app or IoT device to use your Cloudflare-issued client certificate.
Enable mTLS for the hosts you wish to protect with API Shield.
Create WAF custom rules that require API requests to present a valid client certificate.
Workers
To authenticate Workers requests using mTLS:
- Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.
- Create and use an mTLS binding to authenticate Workers connections.