diff --git a/src/content/docs/api-shield/security/mtls/configure.mdx b/src/content/docs/api-shield/security/mtls/configure.mdx
index f0fb4c4ad3840f..f1bcba7c83b4e8 100644
--- a/src/content/docs/api-shield/security/mtls/configure.mdx
+++ b/src/content/docs/api-shield/security/mtls/configure.mdx
@@ -23,7 +23,10 @@ Before you can protect your API or web application with mTLS rules, you need to:
-
+:::caution
+
+By default, API Shield mTLS uses client certificates issued by a Cloudflare-managed CA. If you need to use certificates issued by another CA, you can use the API to [bring your own CA for mTLS](/ssl/client-certificates/byo-ca/).
+:::
## Create an mTLS rule via the Cloudflare dashboard
diff --git a/src/content/docs/api-shield/security/mtls/index.mdx b/src/content/docs/api-shield/security/mtls/index.mdx
index 2c89f5322f33bf..587d81d91c8d76 100644
--- a/src/content/docs/api-shield/security/mtls/index.mdx
+++ b/src/content/docs/api-shield/security/mtls/index.mdx
@@ -6,11 +6,11 @@ sidebar:
---
-import { GlossaryTooltip, Render } from "~/components"
+import { GlossaryDefinition, Render } from "~/components";
-Mutual TLS (mTLS) authentication uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.
+

diff --git a/src/content/docs/learning-paths/mtls/concepts/index.mdx b/src/content/docs/learning-paths/mtls/concepts/index.mdx
index a41bec30a1f882..7b2347ad2aed80 100644
--- a/src/content/docs/learning-paths/mtls/concepts/index.mdx
+++ b/src/content/docs/learning-paths/mtls/concepts/index.mdx
@@ -6,7 +6,9 @@ sidebar:
order: 1
---
-Mutual TLS [mTLS](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) authentication uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.
+import { GlossaryDefinition } from "~/components";
+
+
[TLS (Transport Layer Security)](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/) is a widely-used protocol to ensure secure communication over a network. It ensures confidentiality and integrity by encrypting data and validating the server using digital certificates.
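Review bot: the two added `+` lines after the new `GlossaryDefinition` import are empty in this diff, and `api-shield/security/mtls/index.mdx` shows the same pattern (intro paragraph removed, a single blank `+` line added). If a `<GlossaryDefinition ... />` element is meant to replace the removed paragraph on both pages, confirm it survived in the files; otherwise the rendered pages lose their introduction and the import is unused. The term string passed to the component has to match the glossary key `mTLS (mutual TLS)` in `src/content/glossary/ssl.yaml` exactly.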
diff --git a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
index d045e13d80ac06..fcc1c679a80e0f 100644
--- a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
+++ b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
@@ -20,5 +20,5 @@ There are two main ways to use mTLS at Cloudflare, either by using the Applicati
| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
-| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
+| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/forward-a-client-certificate/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA.
For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
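Review bot: the three retargeted links in the changed row expect `#cloudflare-api`, `#cloudflare-workers` and `#managed-transforms` anchors on the new `forward-a-client-certificate` page, but that page as added in this PR contains one sentence and a `Render` import, so the anchors exist only if the rendered partial supplies headings with exactly those ids; check the built page rather than assuming the ids carried over from `enable-mtls`. Not part of this change but in the same table: the `Client Certificates Revocation` row two lines below has a hard line break inside its first cell (`For BYO CAs, it would be ...` starts a new source line), which breaks a Markdown table unless the renderer tolerates it.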
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
index 778ecade902c6d..a47ea43421266e 100644
--- a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
@@ -10,7 +10,7 @@ This implementation requires an active [Zone](/fundamentals/concepts/accounts-an
API Shield is not required to use mTLS.
-By default, mTLS uses Client Certificates issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each customer account, meaning that Client Certificates all validate against an account-level Cloudflare CA.
+By default, mTLS uses Client Certificates issued by a Cloudflare Managed CA and set at account-level. If you have an Enterprise account, you also have the option to [bring your own CA](/ssl/client-certificates/byo-ca/).
:::
## 1. Enable mTLS
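Review bot: in the new sentence `issued by a Cloudflare Managed CA and set at account-level`, the thing set at account level is the CA, not the client certificates, so the clause attaches to the wrong noun; suggest `issued by a Cloudflare-managed CA that is set at account level`. Also align the casing with the rest of this PR, which uses `Cloudflare-managed CA` in `configure.mdx`, `create-a-client-certificate.mdx` and `client-certificates/index.mdx`.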
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
index 03dcfe1afe6923..41418536d3587b 100644
--- a/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
@@ -33,7 +33,7 @@ Generally, ensure client certificates are rotated regularly and safely to reduce
## Forward a client certificate
-There are multiple ways to [forward a client certificate](/ssl/client-certificates/enable-mtls/#forward-a-client-certificate) to your origin server.
+There are multiple ways to [forward a client certificate](/ssl/client-certificates/forward-a-client-certificate/) to your origin server.
## Bring your own CA for mTLS
@@ -132,7 +132,7 @@ This expression will check for a specific [Client Certificate serial number](/ru
## Rate Limiting by Client Certificates
-By enabling [forwarding a certificate](/ssl/client-certificates/enable-mtls/#cloudflare-api) via the Cloudflare API, the first request of an mTLS connection will include the following headers:
+By enabling [forwarding a certificate](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api) via the Cloudflare API, every request of an mTLS connection will include the following headers:
- `Cf-Client-Cert-Der-Base64` (raw certificate in DER format, encoded as base64)
- `Cf-Client-Cert-Sha256` (SHA256 fingerprint of the certificate)
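Review bot: changing `the first request` to `every request of an mTLS connection` is a behaviour statement rather than a wording fix, so it should be confirmed against the product before merging. It matters in this section because rate limiting is keyed on these headers, which only works if `Cf-Client-Cert-Sha256` is present on every request rather than only the first request on a connection. Keep the phrasing identical to the partial `forward-client-certificate.mdx`, which this PR changes to `every request within an mTLS connection`.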
diff --git a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
index 8a105b074bdc54..5002b5e6ba098d 100644
--- a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx
@@ -12,7 +12,7 @@ This requires an active Enterprise [Account](/fundamentals/concepts/accounts-and
Setting up [mTLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/policies/access/) can help in cases where the customer:
- Already has existing Client Certificates on devices.
-- Needs to protect Access applications with Bring Your Own CA (BYOCA).
+- Needs to protect Access applications with [Bring Your Own CA (BYOCA)](/ssl/client-certificates/byo-ca/).
- Needs to integrate with a Zero Trust solution.
## 1. Create a CA
diff --git a/src/content/docs/learning-paths/mtls/mtls-workers/index.mdx b/src/content/docs/learning-paths/mtls/mtls-workers/index.mdx
index ad2edc8d907576..88931f32ff341c 100644
--- a/src/content/docs/learning-paths/mtls/mtls-workers/index.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-workers/index.mdx
@@ -17,7 +17,7 @@ Cloudflare Workers runs after the Cloudflare WAF and Cloudflare Access. Review t
All Client Certificate details can be found in the [tlsClientAuth](/workers/runtime-apis/request#incomingrequestcfproperties) object in Cloudflare Workers.
-Example Cloudflare Workers code to return all headers and gain visibility, including [Client Certificate headers](/ssl/client-certificates/enable-mtls/#cloudflare-workers):
+Example Cloudflare Workers code to return all headers and gain visibility, including [Client Certificate headers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers):
```js
diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx
index e7e92381de555d..5b0dd9a34810c2 100644
--- a/src/content/docs/ssl/client-certificates/byo-ca.mdx
+++ b/src/content/docs/ssl/client-certificates/byo-ca.mdx
@@ -10,11 +10,11 @@ description: Cloudflare mTLS now supports client certificates that have not been
---
-import { Render, APIRequest } from "~/components"
+import { Render, APIRequest, Tabs, TabItem } from "~/components"
-This page explains how you can manage mTLS using client certificates that have not been issued by Cloudflare CA.
+This page explains how you can manage client certificates that have not been issued by Cloudflare CA. For a broader overview, refer to the [mTLS at Cloudflare learning path](/learning-paths/mtls/concepts/).
-This is especially useful if you already have mTLS implemented and client certificates are already installed on devices.
+Bring your own CA (BYOCA) is especially useful if you already have mTLS implemented and [client certificates are already installed](/ssl/client-certificates/#how-it-works) on devices.
## Availability
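Review bot: the updated import `import { Render, APIRequest, Tabs, TabItem } from "~/components"` has no trailing semicolon while the other imports touched in this PR add one (`mtls/index.mdx`, `concepts/index.mdx`, `create-a-client-certificate.mdx`, `client-certificates/index.mdx`); pick one style. In the second changed paragraph, `Cloudflare CA` would read more precisely as `Cloudflare-managed CA`, the term used elsewhere in the PR.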
@@ -78,6 +78,42 @@ This is especially useful if you already have mTLS implemented and client certif
"action": "block"
```
+### Multiple CAs for one hostname
+
+There can be multiple CAs (Cloudflare-managed or BYOCA) associated with the same hostname. For BYOCA certificates, the most recently deployed certificate will be prioritized.
+
+If you wish to remove the association from the Cloudflare-managed certificate and only use your BYOCA certificate(s):
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and domain.
+2. Go to **SSL/TLS** > **Client Certificates**.
+3. On the **Hosts** section of the **Client Certificates** card, select **Edit**.
+4. Select the cross next to the hostname you want to remove. The list of hostname associations will be updated.
+5. Select **Save** to confirm.
+
+
+
+1. [List the hostname associations](/api/resources/certificate_authorities/subresources/hostname_associations/methods/get/) **without** the `mtls_certificate_id` parameter.
+
+
+
+2. Copy the `hostnames` array returned by the API and update it, removing the hostname that should no longer use the Cloudflare-managed CA.
+3. Use the [Replace Hostname Associations endpoint](/api/resources/certificate_authorities/subresources/hostname_associations/methods/update/) **without** the `mtls_certificate_id` parameter to perform the action against the Cloudflare-managed CA. For `hostnames` use the list from the previous step.
+
+"]
+ }}
+/>
+
+
+
## Delete an uploaded CA
If you want to remove a CA that you have previously uploaded, you must first remove any hostname associations that it has.
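Review bot: `the most recently deployed certificate will be prioritized` in the new `Multiple CAs for one hostname` section does not say what prioritisation means in practice (which CA a presented client certificate is validated against, and whether the other associated CAs are still tried), so a reader cannot predict which clients will be accepted; spell that out. The procedure also removes the Cloudflare-managed CA association without saying that client certificates issued by that CA stop validating on the hostname from that moment, so a one-line warning before step 1 would prevent an accidental lockout of existing clients. Finally, the tab bodies look truncated in this diff: the dashboard steps and the API steps are separated only by blank lines, and the closing `"]`, `}}`, `/>` fragments have no visible opening `<APIRequest` element, so confirm the `Tabs`/`TabItem` wrappers and the `APIRequest` block carrying the `hostnames` payload are complete in the file.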
diff --git a/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx b/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx
index 4c9a4093e3f8d0..87c64e2c5792e9 100644
--- a/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx
+++ b/src/content/docs/ssl/client-certificates/configure-your-mobile-app-or-iot-device.mdx
@@ -2,7 +2,7 @@
pcx_content_type: tutorial
title: Configure your mobile app or IoT device
sidebar:
- order: 4
+ order: 9
---
This tutorial demonstrates how to configure your Internet-of-things (IoT) device and mobile application to use client certificates with [API Shield](/api-shield/).
diff --git a/src/content/docs/ssl/client-certificates/create-a-client-certificate.mdx b/src/content/docs/ssl/client-certificates/create-a-client-certificate.mdx
index aa02a0aa88f5dd..17d7ac6ff44f60 100644
--- a/src/content/docs/ssl/client-certificates/create-a-client-certificate.mdx
+++ b/src/content/docs/ssl/client-certificates/create-a-client-certificate.mdx
@@ -6,32 +6,37 @@ sidebar:
---
-To create a client certificate in the Cloudflare dashboard:
+import { Details } from "~/components";
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and application.
-2. Go to **SSL** > **Client Certificates**.
-3. Select **Create Certificate**.
+To create a client certificate on the Cloudflare dashboard:
- :::caution
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and zone/domain.
+2. Go to **SSL/TLS** > **Client Certificates**.
+3. Select **Create Certificate** and fill in the required fields. You can choose one of the following options:
- By default, client certificates are issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each account.
+ - Generate a private key and Certificate Signing Request (CSR) with Cloudflare.
+ - Use your own private key and CSR. This option allows you to also [label client certificates](/ssl/client-certificates/label-client-certificate/).
- If you need to use certificates issued by another CA, use the API to [bring your own CA for mTLS](/ssl/client-certificates/byo-ca/).
- :::
+
-4. For **Private key type**, select a value.
+ To generate and use your own CSR, you can run a command like the following:
-5. For **Certificate Validity**, select a value. The default value is 10 years.
+ ```sh
+ openssl req -new -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr -subj '/C=GB/ST=London/L=London/O=Organization/CN=CommonName'
+ ```
-6. Select **Create**.
+
-7. To copy the certificate or private key to your clipboard, use the **click to copy** link.
+:::note
+Client certificates created on the dashboard are issued by a [Cloudflare-managed CA](/ssl/client-certificates/#how-it-works). If you need to use certificates issued by another CA, use the API to [bring your own CA](/ssl/client-certificates/byo-ca/) instead.
+:::
-8. To close the dialog, select **OK**.
+4. Select a value for **Certificate Validity**, and choose **Create**.
+5. Make sure to copy the certificate and private key as they will no longer be displayed after creation.
+6. Select **OK** to confirm.
## Next steps
-You can now use the client certificate for multiple things, including:
+After creating the client certificate, make sure it is installed on the client devices and [enable mTLS](/ssl/client-certificates/enable-mtls/) for each hostname that should require a certificate from clients.
-* Adding an mTLS certificate binding to your [Worker](/workers/runtime-apis/bindings/mtls/).
-* Embedding a certificate in your [mobile app or IoT device](/ssl/client-certificates/configure-your-mobile-app-or-iot-device/).
+Refer to our [mTLS at Cloudflare learning path](/learning-paths/mtls/concepts/) for further context.
\ No newline at end of file
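Review bot: step 5 (`copy the certificate and private key as they will no longer be displayed`) only applies to the first option in step 3; when the user supplies their own CSR the private key never leaves their machine and the dashboard can only return the certificate, so the step should be conditional on the option chosen. On the `openssl` example, `-nodes` writes `client1.key` to disk unencrypted, and that key is the client's credential, so a short note on protecting or encrypting it would help. Minor: the un-indented `:::note` between steps 3 and 4 terminates the ordered list in Markdown, so correct numbering depends on the renderer honouring the explicit `4.` start value; check the rendered page.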
diff --git a/src/content/docs/ssl/client-certificates/enable-mtls.mdx b/src/content/docs/ssl/client-certificates/enable-mtls.mdx
index e0ffec87ca7e04..ddee6e4700ea5a 100644
--- a/src/content/docs/ssl/client-certificates/enable-mtls.mdx
+++ b/src/content/docs/ssl/client-certificates/enable-mtls.mdx
@@ -10,18 +10,28 @@ import { Render } from "~/components"
You can enable mutual Transport Layer Security (mTLS) for any hostname.
-## Enable mTLS
+To enable mTLS for a host from the Cloudflare dashboard:
-To enable mutual Transport Layer Security (mTLS) for a host from the Cloudflare dashboard:
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and domain.
+2. Go to **SSL/TLS** > **Client Certificates**.
+3. On the **Hosts** section of the **Client Certificates** card, select **Edit**.
+4. Enter the name of a host in your current domain.
+:::note
+The domain (`example.com`) is automatically appended for you. This means that, if you want to enable mTLS for `abc.example.com`, you only need to type `abc`.
+:::
+5. Select **Save** to confirm.
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and application.
-2. Go to **SSL** > **Client Certificates**.
-3. To enable mTLS for a host, select **Edit** in the **Hosts** section of the **Client Certificates** card.
-4. Enter the name of a host in your current application and press `Enter`.
-5. Select **Save**.
+## CAs in use
-After enabling mTLS for your host, you can enforce mTLS with [API Shield](/api-shield/security/mtls/configure/). While API Shield is **not required** to use mTLS, many teams may use mTLS to protect their APIs.
+As explained in the [Client certificates overview](/ssl/client-certificates/#how-it-works), Cloudflare validates client certificates against CAs set at account level. This means that these certificates can be used for validation across multiple zones/domains (`example.com`), as long as the zones are under the same Cloudflare account and you have enabled mTLS for the host.
-
+:::note[Bring your own CA]
+If you need to use your own CA (instead of the Cloudflare Managed CA), refer to [BYOCA](/ssl/client-certificates/byo-ca/). This is an API-only option, available on Enterprise accounts. In this case, certificates and hostname associations are **not** listed on your dashboard.
+:::
-
+## Next steps
+
+After enabling mTLS for your host, you can:
+
+- Enforce mTLS with a WAF custom rule. Select **Create mTLS Rule** on the dashboard to use a template, or refer to our [mTLS at Cloudflare learning path](/learning-paths/mtls/mtls-app-security/#3-validate-the-client-certificate-in-the-waf) for further guidance.
+- Enforce mTLS with [API Shield](/api-shield/security/mtls/configure/). While API Shield is **not required** to use mTLS, many teams may use mTLS to protect their APIs.
\ No newline at end of file
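Review bot: the `CAs in use` paragraph states the key property (validation is against account-level CAs, so a certificate is accepted on every mTLS-enabled host in the account) but stops short of its consequence: enabling mTLS on a host only proves that the client holds a certificate from an associated CA, it does not restrict which certificates may reach which hostname. Since `Next steps` already points at WAF custom rules, suggest saying there that per-hostname authorization (for example matching a specific certificate serial number, as the learning path `related-features` page describes) is done in those rules. Same list-break nit as in `create-a-client-certificate.mdx`: the `:::note` sits between items 4 and 5 without indentation.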
diff --git a/src/content/docs/ssl/client-certificates/forward-a-client-certificate.mdx b/src/content/docs/ssl/client-certificates/forward-a-client-certificate.mdx
new file mode 100644
index 00000000000000..4958c7c91a7b26
--- /dev/null
+++ b/src/content/docs/ssl/client-certificates/forward-a-client-certificate.mdx
@@ -0,0 +1,13 @@
+---
+pcx_content_type: how-to
+title: Forward certificate to server
+sidebar:
+ order: 6
+
+---
+
+Customers using [Cloudflare Access](/cloudflare-one/policies/access/) also have the option to forward client certificates to their origin server.
+
+import { Render } from "~/components";
+
+
\ No newline at end of file
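Review bot: the new page's only sentence presents forwarding as an option for customers using Cloudflare Access, yet this PR retargets the application-security and API Shield links (`mtls-cloudflare.mdx`, `related-features.mdx`, `mtls-workers/index.mdx`) at this page, so the intro should describe forwarding for the regular client-certificate flow first and mention Access as the alternative. The `Render` import comes after the body text and no `<Render ... />` usage is visible in the diff, so confirm the partial is actually rendered; also drop the blank line inside the `sidebar:` frontmatter block before the closing `---`.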
diff --git a/src/content/docs/ssl/client-certificates/index.mdx b/src/content/docs/ssl/client-certificates/index.mdx
index 93140c2f0c94cf..2a52313b789da5 100644
--- a/src/content/docs/ssl/client-certificates/index.mdx
+++ b/src/content/docs/ssl/client-certificates/index.mdx
@@ -1,37 +1,56 @@
---
pcx_content_type: concept
-title: Client certificates
+title: Client certificates (mTLS)
sidebar:
order: 6
head: []
-description: Use Cloudflare public key infrastructure (PKI) to create client
- certificates and enforce mutual Transport Layer Security (mTLS) encryption.
+description: Use Cloudflare public key infrastructure (PKI) to create client certificates and enforce mutual Transport Layer Security (mTLS) encryption.
---
-import { Render } from "~/components"
+import { GlossaryDefinition, Render, DirectoryListing } from "~/components";
-Use Cloudflare public key infrastructure (PKI) to create client certificates. Use these certificates with Cloudflare [API Shield](/api-shield/) or [Cloudflare Workers](/workers/runtime-apis/bindings/mtls/) to enforce mutual Transport Layer Security (mTLS) encryption.
+Use Cloudflare's public key infrastructure (PKI) to create client certificates, or [bring your own CA for mTLS](/ssl/client-certificates/byo-ca/).
-
+
-## API Shield
+:::note[mTLS at Cloudflare]
+For a broader overview, refer to the [mTLS at Cloudflare learning path](/learning-paths/mtls/concepts/).
+:::
-To use API Shield to protect your API or web application, you must do the following:
+---
+
+## How it works
+
+Client certificates issued from a given CA are installed on client devices that should be granted access. Then, for any host that has [mTLS enabled](/ssl/client-certificates/enable-mtls/), Cloudflare - acting as the server in this case - requires a certificate from the client trying to access the hostname.
+
+Cloudflare then validates the client certificate against CAs set at account level. This means that these certificates can be used for validation across multiple zones/domains (`example.com`), as long as the zones are under the same Cloudflare account and mTLS has been enabled for the requested hosts (`host.example.com`).
-1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to [create a client certificate](/ssl/client-certificates/create-a-client-certificate/).
+The account-level CAs can be:
+
+- The Cloudflare-managed CA: This is the default option. Certificates and hostname associations are listed on your [dashboard](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates/).
+- [BYOCA](/ssl/client-certificates/byo-ca/) certificates: This is an API-only option, available on Enterprise accounts. Certificates and hostname associations are **not** listed on your [dashboard](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates/).
+
+---
-2. [Configure your mobile app or IoT device](/ssl/client-certificates/configure-your-mobile-app-or-iot-device/) to use your Cloudflare-issued client certificate.
+## Use cases
-3. [Enable mTLS](/ssl/client-certificates/enable-mtls/) for the hosts you wish to protect with API Shield.
+As explained in the [mTLS learning path](/learning-paths/mtls/concepts/), there are different use cases and implementation options for mTLS. Consider the following links for specific guidance.
-4. Create WAF custom rules that [require API requests to present a valid client certificate](/api-shield/security/mtls/configure/).
+- [Application security](/learning-paths/mtls/mtls-app-security/)
+- [mTLS for Zero Trust](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) (Cloudflare Access integration)
+- [mTLS with API Shield](/api-shield/security/mtls/configure/)
+- [mTLS Workers binding](/workers/runtime-apis/bindings/mtls/)
-
+Apart from the mTLS Workers binding, any of the above implementations can use your own CA instead of the Cloudflare-managed one. Refer to [Bring your own CA](/ssl/client-certificates/byo-ca/).
-## Workers
+### mTLS and Workers
-To authenticate Workers requests using mTLS:
+Use the [mTLS Workers binding](/workers/runtime-apis/bindings/mtls/) when you need your worker to present a client certificate to an external service. To authenticate requests from a client to your worker instead, refer to [SSL/TLS > Client certificates](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates/) and the regular [mTLS for application security](/learning-paths/mtls/mtls-app-security/) implementation.
-1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to [create a client certificate](/ssl/client-certificates/create-a-client-certificate/).
-2. Create and use an [mTLS binding](/workers/runtime-apis/bindings/mtls/) to authenticate Workers connections.
+```mermaid
+flowchart LR
+ accTitle: mTLS from client to worker versus mTLS from worker to external service
+ accDescr: Diagram showing two different implementations that can be considered for mTLS with Cloudflare Workers.
+ A[Client] <--App security mTLS--> B((Cloudflare))<--mTLS worker binding--> C[(External service)]
+```
\ No newline at end of file
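Review bot: in `How it works`, `installed on client devices that should be granted access` blurs authentication and authorization: a valid certificate from an associated CA gets the request through the TLS handshake, while what the client may access is decided afterwards by WAF custom rules or Access policies, and the section does not say so. One sentence after the account-level CA paragraph would stop readers treating possession of any account-issued certificate as sufficient. The section also says nothing about revocation, although the learning-path table in this PR describes two different mechanisms (the `cf.tls_client_auth.cert_revoked` field for the managed CA, a CRL enforced in a Worker for BYOCA); a pointer belongs beside the CA list. Nit: in the mermaid flowchart, `B((Cloudflare))<--mTLS worker binding-->` lacks the space before `<--` that the first edge has.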
diff --git a/src/content/docs/ssl/client-certificates/troubleshooting.mdx b/src/content/docs/ssl/client-certificates/troubleshooting.mdx
index 560beda9311e83..2a7eeb76b86373 100644
--- a/src/content/docs/ssl/client-certificates/troubleshooting.mdx
+++ b/src/content/docs/ssl/client-certificates/troubleshooting.mdx
@@ -2,7 +2,7 @@
title: Troubleshooting
pcx_content_type: troubleshooting
sidebar:
- order: 9
+ order: 10
head:
- tag: title
content: Troubleshooting client certificates
diff --git a/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx b/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx
index 33da597835800c..677e7b99b476c9 100644
--- a/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx
+++ b/src/content/docs/ssl/client-certificates/zero-trust-mtls.mdx
@@ -3,6 +3,6 @@ pcx_content_type: navigation
title: mTLS for Zero Trust
external_link: /cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/
sidebar:
- order: 10
+ order: 14
---
diff --git a/src/content/glossary/ssl.yaml b/src/content/glossary/ssl.yaml
index 40d875d910a4a9..6e9735546f0ded 100644
--- a/src/content/glossary/ssl.yaml
+++ b/src/content/glossary/ssl.yaml
@@ -93,7 +93,7 @@ entries:
- term: mTLS (mutual TLS)
general_definition: |-
- mTLS is a common security practice that uses TLS certificates to ensure that traffic between a client and server is secure and trusted in both directions.
+ [Mutual TLS (mTLS)](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) authentication is a common security practice that uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.
associated_products:
- API Shield
- Cloudflare One
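Review bot: `general_definition` now contains a Markdown link and a dash-separated aside, and this text is what `GlossaryDefinition` renders on the pages that drop their own intro paragraph in this PR, so check that the link renders correctly both in the glossary table and in the inline definition. The phrase `demonstrate they can reach a given resource` is vague for a definition; `authenticate to a given resource` states what the certificate actually proves.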
diff --git a/src/content/notifications/index.yaml b/src/content/notifications/index.yaml
index d5f556608d24da..04b87c5d8df1cc 100644
--- a/src/content/notifications/index.yaml
+++ b/src/content/notifications/index.yaml
@@ -394,7 +394,7 @@ entries:
availability: |-
[Bring your own CA](/ssl/client-certificates/byo-ca/).
- The mTLS Certificate Store refers to customer uploaded certificates and does not include client certificates generated with the [Cloudflare CA](/ssl/client-certificates/create-a-client-certificate/).
+ The mTLS Certificate Store refers to customer uploaded certificates and does not include client certificates generated with the [Cloudflare CA](/ssl/client-certificates/#how-it-works).
associatedProducts: SSL/TLS
nextSteps: Upload a renewed certificate.
otherFilters: None.
diff --git a/src/content/partials/ssl/client-cert-shared.mdx b/src/content/partials/ssl/client-cert-shared.mdx
deleted file mode 100644
index 55fc237da227df..00000000000000
--- a/src/content/partials/ssl/client-cert-shared.mdx
+++ /dev/null
@@ -1,13 +0,0 @@
----
-{}
-
----
-
-:::caution
-
-
-Since Cloudflare validates client certificates with one CA, set at account level, these certificates can be used for validation across multiple zones, as long as the zones are under the same account and mTLS has been enabled for the requested hosts.
-This means that (a) if you [bring your own CA](/ssl/client-certificates/byo-ca/), you can associate it with hosts in different zones and (b) if you use Cloudflare Managed CA, this is the default behavior.
-
-
-:::
diff --git a/src/content/partials/ssl/cloudflare-managed-client-cert.mdx b/src/content/partials/ssl/cloudflare-managed-client-cert.mdx
deleted file mode 100644
index 0f978a5667c9be..00000000000000
--- a/src/content/partials/ssl/cloudflare-managed-client-cert.mdx
+++ /dev/null
@@ -1,11 +0,0 @@
----
-{}
-
----
-
-:::caution
-
-By default, API Shield mTLS uses client certificates issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each account.
-
-If you need to use certificates issued by another CA, you can use the API to [bring your own CA for mTLS](/ssl/client-certificates/byo-ca/).
-:::
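Review bot: both deleted partials (`client-cert-shared.mdx` and `cloudflare-managed-client-cert.mdx`) were presumably included through `<Render file=... />` on several pages, and the diff shows those removals in `api-shield/security/mtls/configure.mdx` and `enable-mtls.mdx` only as blank `-` lines, so grep for any remaining references to either file name before merging; a dangling `Render` reference either breaks the build or silently renders nothing. The sentence `Cloudflare generates a unique CA for each account` from the deleted caution is not carried into the new `How it works` section; if it still holds it is worth keeping, since it tells readers that certificates from another account's managed CA will not validate.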
diff --git a/src/content/partials/ssl/forward-client-certificate.mdx b/src/content/partials/ssl/forward-client-certificate.mdx
index d9f5687fccee5a..b366799d7eb4cb 100644
--- a/src/content/partials/ssl/forward-client-certificate.mdx
+++ b/src/content/partials/ssl/forward-client-certificate.mdx
@@ -36,7 +36,7 @@ The most common approach to forwarding a certificate is to use the Cloudflare AP
}}
/>
-Once `client_certificate_forwarding` is set to `true`, the first request of an mTLS connection will now include the following headers:
+Once `client_certificate_forwarding` is set to `true`, every request within an mTLS connection will now include the following headers:
* `Cf-Client-Cert-Der-Base64`
* `Cf-Client-Cert-Sha256`
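Review bot: `will now include` reads oddly after `Once ... is set to true`; `will include` is enough, and the wording should match `related-features.mdx`, which this PR changes to `every request of an mTLS connection`. More useful for readers of this section: the `Cf-Client-Cert-*` headers are only trustworthy when the origin accepts connections exclusively through Cloudflare, because a request that reaches the origin directly can carry arbitrary values in those headers; a caveat to that effect belongs right after the header list.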