Skip to content

New mTLS implementation guide in reference architecture section #18506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Dec 2, 2024
Merged

New mTLS implementation guide in reference architecture section #18506

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ae3ccff
New mTLS implementation guide
securitypedant Dec 2, 2024
e6f086b
Update src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
securitypedant Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 10 additions & 8 deletions src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,22 +1,24 @@
---
title: mTLS at Cloudflare
title: Use mTLS with Cloudflare protected resources
pcx_content_type: overview
sidebar:
order: 3
label: mTLS with Cloudflare
---

In this implementation guide we will be focusing on the L7 / Application Layer security for HTTP/S requests targeting [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostnames, including the [first connection](/ssl/origin-configuration/ssl-modes/) between client and Cloudflare.

Some common mTLS use cases are:

- Protect and verify legitimate API traffic by verifying Client Certificates provided during TLS/SSL handshakes.
- Check IoT devices' identity by verifying Client Certificates they provide during TLS/SSL handshakes.

There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](/api-shield/)) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences:

| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
| :---- | :---- | :---- |
| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [*cf.tls\_client\_auth.cert\_revoked*](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA. <br /><br /> For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
| :-------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA. <br /><br /> For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
7 changes: 3 additions & 4 deletions src/content/docs/learning-paths/mtls/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,14 @@
---
title: mTLS at Cloudflare
title: Use mTLS with Cloudflare protected resources
type: developers-site
new_learning_path: true
pcx_content_type: learning-path
head:
- tag: title
content: mTLS at Cloudflare
content: Use mTLS with Cloudflare protected resources
description: Safeguarding APIs and devices on Cloudflare's network.

---

import { LearningPath } from "~/components"
import { LearningPath } from "~/components";

<LearningPath file="mtls" />
12 changes: 12 additions & 0 deletions ...ocs/reference-architecture/implementation-guides/application-security/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
title: Application Security
pcx_content_type: navigation
---

import { Description, DirectoryListing, Render } from "~/components";

Application security implementation guides walk you through the steps to secure your public applications, devices and APIs with Cloudflare.

## Application Security

- [Use mTLS with Cloudflare protected resources](/learning-paths/mtls/)
7 changes: 7 additions & 0 deletions ...docs/reference-architecture/implementation-guides/application-security/mtls.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
pcx_content_type: navigation
title: Use mTLS with Cloudflare protected resources
external_link: /learning-paths/mtls/
sidebar:
order: 2
---
6 changes: 5 additions & 1 deletion src/content/docs/reference-architecture/implementation-guides/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,14 @@ sidebar:

import { Description, DirectoryListing, Render } from "~/components";

Implementation guides provide [step-by-step instructions](/reference-architecture/implementation-guides/) and practical guidance for how to effectively deploy and configure specific solutions or services. Implementation guides are focused on a specific implementation goal.
Implementation guides provide [step-by-step instructions](/reference-architecture/implementation-guides/) and practical guidance for how to effectively deploy and configure specific solutions or services. Implementation guides are focused on a specific implementation goal.

## Zero Trust

- [Secure your Internet traffic and SaaS apps](/learning-paths/secure-internet-traffic/)
- [Replace your VPN](/learning-paths/replace-vpn/)
- [Deploy Zero Trust Web Access](/learning-paths/zero-trust-web-access/)

## Application Security

- [Use mTLS with Cloudflare protected resources](/learning-paths/mtls/)
Loading