src/content/docs/api-shield/security/mtls/configure.mdx
Lines changed: 13 additions & 11 deletions
@@ -6,10 +6,9 @@ sidebar:
6
6
head:
7
7
- tag: title
8
8
content: Configure mTLS
9
-
10
9
---
11
10
12
-
import { Render } from"~/components"
11
+
import { Render } from"~/components";
13
12
14
13
When you specify API hosts in [mTLS authentication](/api-shield/security/mtls/), Cloudflare will block all requests that do not have a [client certificate](/ssl/client-certificates/) for mTLS authentication.
15
14
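Review bot: the import line is rendered with no space between `from` and the module specifier (`from"~/components";`) on both the removed and the added line; if that is the real file content rather than a rendering artifact, normalising it to `import { Render } from "~/components";` in this same change would be better than only appending the semicolon. Dropping the blank line in the frontmatter before `---` is fine and does not alter the parsed metadata.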
@@ -40,20 +39,23 @@ The first expression — `not cf.tls_client_auth.cert_verified` — returns `tru
40
39
41
40
The second expression uses the `http.request.uri.path` field, combined with the `in` operator, to capture the URI paths your mTLS rule applies to.
42
41
43
-
Because the [action](/ruleset-engine/rules-language/actions/) for your rule is *Block*, only requests that present a valid client certificate can access the specified hosts.
44
-
45
-
For enhanced security, we recommend validating the SHA-256 certificate hash alongside the verified certificate field. This ensures that only requests presenting a valid client certificate with a specific fingerprint are allowed.
42
+
Because the [action](/ruleset-engine/rules-language/actions/) for your rule is _Block_, only requests that present a valid client certificate can access the specified hosts.
46
43
47
-
You can implement this by using the following expression:
48
-
`not (cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_fingerprint_sha256 eq "253E08C1AB67EB7630C61734D377D75D5DCCDE2F6E69986C221D66E848B64321")`
44
+
For enhanced security, Cloudflare recommends that you validate the SHA-256 certificate hash alongside the verified certificate field. This ensures that only requests presenting a valid client certificate with a specific fingerprint are allowed.
49
45
50
-
To retrieve the SHA-256 fingerprint of your client certificate, run the following OpenSSL command:
46
+
You can implement this by using an expression similar to the following:
not (cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_fingerprint_sha256 eq "253E08C1AB67EB7630C61734D377D75D5DCCDE2F6E69986C221D66E848B64321")
50
+
```
53
51
54
-
Example output:
52
+
To obtain the SHA-256 fingerprint of a client certificate stored in the `mtls.crt` file, you can run the following OpenSSL command:
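Review bot: the blocking expression hard-codes one specific SHA-256 fingerprint, and the prose now says "an expression similar to the following", but nothing on the visible lines tells the reader to substitute the fingerprint of their own client certificate, or that `eq` is an exact string comparison so the value must match the format the OpenSSL command prints; one sentence to that effect after the expression would close that gap. Since the `Example output:` line is removed here and the hunk ends before the OpenSSL command, check that the expected fingerprint output still appears below the command. Only the closing ``` fence of the new code block is visible in this hunk; make sure the opening fence exists and carries whatever language tag the rest of these docs use.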
@@ -69,5 +71,5 @@ When a request includes a revoked certificate, the `cf.tls_client_auth.cert_revo
69
71
70
72
:::caution
71
73
72
-
This check only applies to client certificates issued by the Cloudflare managed CA. Cloudflare currently does not check certificate revocation lists (CRL) for [CAs that have been uploaded](/ssl/client-certificates/byo-ca/).
74
+
This check only applies to client certificates issued by the Cloudflare managed CA. Cloudflare currently does not check certificate revocation lists (CRL) for [CAs that have been uploaded](/ssl/client-certificates/byo-ca/).
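Review bot: the removed and added lines inside the `:::caution` block read identically, so this is presumably a whitespace or indentation-only change; if so, say so in the commit message so reviewers do not hunt for a wording difference, and confirm the new indentation still keeps the paragraph inside the caution block when rendered.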