add openssl commands

ranbel · ranbel · commit 060ea5c5fd55 · 2025-07-23T16:54:29.000-04:00
diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx
@@ -48,6 +48,8 @@ To enforce mTLS authentication for an application:
 	-----END CERTIFICATE-----
 	```
 
+	Do not include any SSL/TLS server certificates; Access only uses the CA chain to verify the connection between the user's device and Cloudflare.
+
 5. In **Associated hostnames**, enter the fully-qualified domain names (FQDN) that will use this certificate.
 
    These FQDNs will be the hostnames used for the resources being protected in the [Access policy](/cloudflare-one/policies/access/). You must associate the Root CA with the FQDN that the application being protected uses.
@@ -77,7 +79,7 @@ To enforce mTLS authentication for an application:
 
 15. Save the application.
 
-Next, [test mTLS authentication](#test-mtls) to your application.
+You can now authenticate to the application using a client certificate. For instructions on how to present a client certificate, refer to [Test mTLS](#test-mtls).
 
 ## Test mTLS
 
@@ -125,9 +127,114 @@ Assuming your browser uses the macOS system store, you can now connect to the mT
 
 ## Generate mTLS certificates
 
+You can use open source private key infrastructure (PKI) tools to generate certificates to test the mTLS feature in Cloudflare Access.
+
+### OpenSSL
+
+This section covers how to use [OpenSSL](https://www.openssl.org/) to generate a root and intermediate certificate, and then issue client certificates that can authenticate against the CA chain.
+
+#### Generate the root CA
+
+1. Generate the root CA private key:
+
+	```sh
+	 openssl genrsa -aes256 -out rootCA.key 4096
+	 ```
+
+	When prompted, enter a password to use with `rootCA.key`.
+
+2. Create a self-signed root certificate called `rootCA.pem`:
+
+	```sh
+	openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
+	```
+
+	You will be prompted to enter your private key password and fill in some optional fields. For testing purposes, you can leave the optional fields blank.
+
+#### Generate an intermediate certificate
+
+1. Generate the intermediate CA private key:
+
+	```sh
+	 openssl genrsa -aes256 -out intermediate.key 4096
+	 ```
+
+	When prompted, enter a password to use with `intermediate.key`.
+
+2. Create a certificate signing request (CSR) for the intermediate certificate:
+
+	```sh
+	openssl req -new -sha256 -key intermediate.key -out intermediate.csr
+	```
+
+	You will be prompted to enter your private key password and fill in some optional fields. For testing purposes, you can leave the optional fields blank.
+
+3. Create a CA Extension file called `v3_intermediate_ca.ext`. For example,
+
+	```txt
+	subjectKeyIdentifier = hash
+	authorityKeyIdentifier = keyid:always,issuer
+	basicConstraints = critical, CA:true
+	keyUsage = critical, cRLSign, keyCertSign
+	```
+
+	Make sure that `basicConstraints` includes the `CA:true` property. This property allows the intermediate certificate to act as a CA and sign client certificates.
+
+4. Sign the intermediate certificate with the root CA:
+
+	```sh
+	 openssl x509 -req -in intermediate.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out intermediate.pem -days 1825 -sha256 -extfile v3_intermediate_ca.ext
+	 ```
+
+#### Create a CA chain file
+
+1. Combine the intermediate and root certificates into a single file:
+
+	```sh
+	cat intermediate.pem rootCA.pem > ca-chain.pem
+	```
+
+	The intermediate certificate should be at the top of the file, followed by its signing certificate.
+
+2. Upload the contents of `ca.pem` to Cloudflare Access. For instructions, refer to [Add mTLS to your Access application](#add-mtls-to-your-access-application).
+
+#### Generate a client certificate
+
+1. Generate a private key for the client:
+
+	```sh
+	 openssl genrsa -out client.key 2048
+	 ```
+
+2. Create a CSR for the client certificate:
+
+	```sh
+	openssl req -new -key client.key -out client.csr
+	```
+
+	You will be prompted to fill in some optional fields. For testing purposes, you can set **Common Name** to something like `John Doe`.
+
+3. Sign the client certificate with the intermediate certificate:
+
+	```sh
+	 openssl x509 -req -in client.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial -out client.pem -days 365 -sha256
+	 ```
+
+4. Validate the client certificate against the certificate chain:
+
+	```sh
+	openssl verify -CAfile ca-chain.pem client.pem
+	```
+
+	```sh output
+	client.pem: OK
+	```
+
+You can now use the client certificate (`client.pem`) and its key (`client.key`) to [test mTLS](#test-mtls).
+
 ### Cloudflare PKI
 
-You can use Cloudflare's open source tools for private key infrastructure (PKI) to test the mTLS feature in Cloudflare Access. This guide details the process to generate a Root Client Authority (CA), add it to the Cloudflare dashboard, and issue client certificates that can authenticate against the root CA and reach a protected resource.
+This guide uses [Cloudflare's PKI toolkit](https://github.com/cloudflare/cfssl) to generate a root CA and client certificates from JSON files.
 
 #### 1. Install dependencies
 
@@ -139,9 +246,9 @@ The process requires two packages from Cloudflare's PKI toolkit:
 You can install these packages from the [Cloudflare SSL GitHub repository](https://github.com/cloudflare/cfssl). You will need a working installation of Go, version 1.12 or later. Alternatively, you can [download the packages](https://github.com/cloudflare/cfssl) directly.
 Use the instructions under Installation to install the toolkit, and ensure that you install all of the utility programs in the toolkit.
 
-#### 2. Generate the Root CA
+#### 2. Generate the root CA
 
-1. Create a new directory to store the Root CA.
+1. Create a new directory to store the root CA.
 
 2. Within that directory, create two new files:
 
@@ -188,27 +295,27 @@ Use the instructions under Installation to install the toolkit, and ensure that
      }
      ```
 
-3. Now, run the following command to generate the Root CA with those files.
+3. Now, run the following command to generate the root CA with those files.
 
    ```sh
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    ```
 
-4. Within the directory, check its content to confirm the output was successful.
+4. The command will output a root certificate (`ca.pem`) and its key (`ca-key.pem`).
 
    ```sh
    ls
    ```
 
-   The output should now return the following content:
-
-   ```sh
+   ```sh output
    ca-config.json ca-csr.json ca-key.pem ca.csr  ca.pem
    ```
 
+5. Upload the contents of `ca.pem` to Cloudflare Access. For instructions, refer to [Add mTLS to your Access application](#add-mtls-to-your-access-application).
+
 #### 3. Generate a client certificate
 
-Returning to the terminal, generate a client certificate that will authenticate against the Root CA uploaded.
+To generate a client certificate that will authenticate against the uploaded root CA:
 
 1. Create a file named `client-csr.json` and add the following JSON blob:
 
@@ -238,11 +345,7 @@ Returning to the terminal, generate a client certificate that will authenticate
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem  -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client
    ```
 
-3. You can now test the client certificate with the following `cURL` command.
-
-   ```sh
-   curl -v --cert client.pem --key client-key.pem https://iot.widgetcorp.tech
-   ```
+The command will output a client certificate file (`client.pem`) and its key (`client-key.pem`). You can now use these files to [test mTLS](#test-mtls).
 
 #### Create a certificate revocation list
 
