cloudflare · dcpena · Nov 21, 2024 · Nov 5, 2024 · Nov 5, 2024 · Nov 13, 2024
@@ -0,0 +1,15 @@
+---
+title: Benefits of mTLS
+pcx_content_type: overview
+sidebar:
+  order: 2
+---
+
+- **Stronger Authentication**: mTLS ensures mutual verification between the client and server, confirming that both parties are who they claim to be. This two-way authentication mechanism prevents impersonation and man-in-the-middle attacks, significantly enhancing the overall security.
+
+- **End-to-End Encryption**: All communication between the client and server is encrypted, providing robust protection against eavesdropping and interception. Even if the data is captured by unauthorized parties, it remains secure and unreadable due to encryption.
+
+- **Preserved Data Integrity**: mTLS ensures that data remains unaltered during transit. The protocol verifies the integrity of transmitted information, protecting it from tampering or manipulation by malicious actors, ensuring the data's authenticity.
+
+- **Defense Against Insider Threats**: mTLS strengthens internal network security by adding protection against insider threats. Unlike traditional "castle-and-moat" networking, which trusts anything inside the perimeter, mTLS enforces mutual authentication, ensuring all internal communications are verified and secure.
+
@@ -0,0 +1,13 @@
+---
+title: Introducing mTLS
+pcx_content_type: overview
+sidebar:
+  label: Introducing mTLS
+  order: 1
+---
+
+Mutual TLS ([mTLS](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/)) authentication uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.
+
+[TLS (Transport Layer Security)](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/) is a widely-used protocol to ensure secure communication over a network. It ensures confidentiality and integrity by encrypting data and validating the server using digital certificates.
+
+Mutual TLS (mTLS) adds an extra layer by authenticating both parties involved in the communication. The client presents a certificate to the server (in this case Cloudflare) and vice versa.
@@ -0,0 +1,22 @@
+---
+title: mTLS at Cloudflare
+pcx_content_type: overview
+sidebar:
+  order: 3
+---
+
+In this implementation guide we will be focusing on the L7 / Application Layer security for HTTP/S requests targeting [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostnames, including the [first connection](/ssl/origin-configuration/ssl-modes/) between client and Cloudflare. Use Cloudflare Public Key Infrastructure (PKI) to create Client Certificates.
+
+Some common mTLS use cases are:
+- Protect and verify legitimate API traffic by verifying Client Certificates they provide during TLS/SSL handshakes.
+- Check IoT devices' identity by verifying Client Certificates they provide during TLS/SSL handshakes.
+
+There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](/api-shield/)) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences:
+
+| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
+| :---- | :---- | :---- |
+| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
+| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
+| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca)  | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
+| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
+| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [*cf.tls\_client\_auth.cert\_revoked*](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA. <br /><br /> For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
@@ -0,0 +1,15 @@
+---
+title: mTLS at Cloudflare
+type: developers-site
+new_learning_path: true
+pcx_content_type: learning-path
+head:
+  - tag: title
+    content: mTLS at Cloudflare
+description: Safeguarding APIs and devices on Cloudflare's network.
+
+---
+
+import { LearningPath } from "~/components"
+
+<LearningPath file="mtls" />
@@ -0,0 +1,91 @@
+---
+title: mTLS with Application Security
+pcx_content_type: overview
+sidebar:
+  order: 1
+---
+
+:::note
+This implementation requires an active [Zone](/fundamentals/setup/accounts-and-zones/#zones), a valid [Edge Certificate](/ssl/edge-certificates/), and [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostname. <br />
+
+API Shield is not required to use mTLS. <br />
+
+By default, mTLS uses Client Certificates issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each customer account, meaning that Client Certificates all validate against an account-level Cloudflare CA.
+:::
+
+## 1. Enable mTLS
+
+1. Go to your Cloudflare dashboard and select your account.
+2. Select **SSL/TLS** > **[Client Certificates](/ssl/client-certificates/)** tab and add the Hosts (hostnames) you want to [enable mTLS](/ssl/client-certificates/enable-mtls/) for. 
+
+    Example host: `mtls-test.example.com`
+
+3. Select **Create Certificate** to generate the private key (usually referred to as Private Certificate) and Certificate Signing Request (CSR) with Cloudflare (which includes the Public Certificate), or use your own private key and CSR. Using your own allows you to also [label client certificates](/ssl/client-certificates/label-client-certificate/).
+
+To generate and use your own CSR, you can run a command like the following:
+
+```txt
+openssl req -new -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr -subj '/C=GB/ST=London/L=London/O=Organization/CN=CommonName'
+```
+
+Or use a script like this one from [GitHub](https://github.com/erfianugrah/rootcatest/blob/main/fullgenerator.py).
+
+Do not forget to copy the values shown when creating the certificate as they become unavailable after creation.
+
+## 2. Install the client certificate
+
+In order for a client to utilize the Client Certificate you created, it must be on the devices that you want to use them on. You will want to place them in the same directory as your process / script that targets your APIs / hostnames.
+
+We generally recommended using one Client Certificate per device. Configuring your system to actually use the Public and Private Certificates is especially important.
+
+An example is to [add both certificates to the Keychain](https://support.apple.com/en-gb/guide/keychain-access/kyca2431/mac) on a MacBook laptop. 
+
+Another example is to generate a [PKCS12 (P12) certificate](https://en.wikipedia.org/wiki/PKCS_12) file and then [add it to your browser](https://www.ibm.com/docs/en/engineering-lifecycle-management-suite/lifecycle-management/7.0.2?topic=dashboards-importing-certificates-configuring-browsers):
+
+```txt
+openssl pkcs12 -export -out certificate.p12 -inkey private-cert.pem -in cert.pem
+```
+
+Use the values from the previous step.
+
+Example using cURL command:
+
+```cURL
+curl -v --cert cert.pem --key private-cert.pem <HOSTNAME>
+```
+
+Use the values from the previous step.
+
+## 3. Validate the client certificate in the WAF
+
+mTLS is verified and checked in the [Cloudflare WAF phase](/waf/reference/phases/). This is done by creating WAF [Custom Rules](/waf/custom-rules/) using the dynamic fields.
+
+All Client Certificate details can be found in the [`cf.tls_*`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_cipher) dynamic fields in the [Cloudflare Ruleset Engine](/ruleset-engine/).
+
+Example WAF Custom Rule with action block:
+
+![Example of a WAF custom rule with an action block in the Cloudflare dashboard during the validate client certificate step](~/assets/images/learning-paths/mtls/waf-custom-rule-action-block.png)
+
+## Demo
+
+:::note
+Ensure you're not using a VPN that could interfere with certificates or TLS decryption. If needed, enable [Split Tunnels](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) for specific hostnames to bypass the VPN for trusted services, such as the mTLS hostnames.
+:::
+
+With the Public and Private Certificates in the same directory, with this cURL command, we will gain access:
+
+```curl
+curl -I --cert cert.pem --key private-cert.pem https://mtls-test.example.com/mtls-test
+
+HTTP/2 200 
+server: cloudflare
+```
+
+Without the certificates, we would see the following:
+
+```curl
+$ curl -I https://mtls-test.example.com/mtls-test
+
+HTTP/2 403
+server: cloudflare
+```