cloudflare · jannes · Mar 18, 2026
@@ -197,7 +197,7 @@
 1. Generate a private key for the client:

   ```sh
    openssl genrsa -out client.key 2048
   ```

 2. Create a CSR for the client certificate:
@@ -354,6 +354,8 @@
 
 You will need to add the CRL to your server or enforce the revocation in a Cloudflare Worker. An example Worker Script can be found on the [Cloudflare GitHub repository](https://github.com/cloudflare/access-crl-worker-template).
 
+<Render file="add-client-certificate-rfc9440" product="ssl" />
+
 <Render file="forward-client-certificate" product="ssl" />
 
 ## Known limitations
@@ -370,5 +372,4 @@
 <AvailableNotifications
 	product="SSL/TLS"
 	notificationFilter="Access mTLS Certificate Expiration Alert"
-/>
-
+/>
@@ -15,7 +15,7 @@
 
 ## Expose mTLS headers
 
-All Client Certificate details can be found in the [tlsClientAuth](/workers/runtime-apis/request#incomingrequestcfproperties) object in Cloudflare Workers.
+All Client Certificate details can be found in the [tlsClientAuth](/workers/runtime-apis/request#incomingrequestcfproperties) object in Cloudflare Workers. Refer to [Client certificate variables](/ssl/client-certificates/client-certificate-variables/) for a full list of available properties.
 
 Example Cloudflare Workers code to return all headers and gain visibility, including [Client Certificate headers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers):
 
@@ -95,9 +95,9 @@
  "X-CERT-ISSUER-DN-L": "/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./OU=www.cloudflare.com/CN=Managed CA abcdefghijklmnopq123456789",
  "X-CERT-SUBJECT-DN-L": "/C=US/CN=Cloudflare",
  "X-CERT-SERIAL": "37C52778E2F1820CC6342172A0E0ED33A4555F8B",
  "X-CERT-FINGER": "161e3a2089add0b2134ec43c9071f460e9f4b898",
  "X-CERT-NOTBE": "May 25 23:11:00 2024 GMT",
  "X-CERT-NOTAF": "May 23 23:11:00 2034 GMT"
 }
 ```

@@ -105,4 +105,4 @@
 The client certificate serial number is a unique identifier assigned to each certificate by the CA, ensuring that no two certificates issued by the same CA have the same serial number. This can be useful to track and monitor certificate usage or abuse.
 :::
 
-This approach can also be useful to handle additional checks and logic on the mTLS via the Cloudflare Workers.
+This approach can also be useful to handle additional checks and logic on the mTLS via the Cloudflare Workers.
@@ -0,0 +1,42 @@
+---
+pcx_content_type: reference
+title: Client certificate variables
+sidebar:
+  order: 10
+---
+
+When a request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/), Cloudflare exposes certificate details as variables in the Ruleset Engine and as properties on the Workers `request.cf` object.
+
+## Ruleset Engine fields
+
+Client certificate fields are available as [mTLS fields](/ruleset-engine/rules-language/fields/reference/?field-category=mTLS) in Ruleset Engine-based products such as [WAF custom rules](/waf/custom-rules/) and [request header modification rules](/rules/transform/request-header-modification/).
+
+## Workers variables
+
+These variables are also available as part of the [`request.cf.tlsClientAuth`](/workers/runtime-apis/request/#incomingrequestcfproperties) object via Cloudflare Workers. See the linked Ruleset field for the definition.
+
+:::note
+Some tlsClientAuth properties have a different type than their Ruleset field equivalent. Those are called out below.
+:::
+
+- [`request.cf.tlsClientAuth.certRevoked`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_revoked/) — In Workers, this is a string (`"1"` for revoked, `"0"` for not revoked) rather than a boolean.
+- [`request.cf.tlsClientAuth.certVerified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) — In Workers, this is a string (`"SUCCESS"` when valid, `"NONE"` when not present) rather than a boolean. On failure, the string contains the error reason (for example, `"FAILED:unable to get local issuer certificate"`).
+- [`request.cf.tlsClientAuth.certPresented`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_presented/) — In Workers, this is a string (`"1"` when a certificate is presented, `"0"` otherwise) rather than a boolean.
+- [`request.cf.tlsClientAuth.certIssuerDN`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn/)
+- [`request.cf.tlsClientAuth.certSubjectDN`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn/)
+- [`request.cf.tlsClientAuth.certIssuerDNRFC2253`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn_rfc2253/)
+- [`request.cf.tlsClientAuth.certSubjectDNRFC2253`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn_rfc2253/)
+- [`request.cf.tlsClientAuth.certIssuerDNLegacy`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn_legacy/)
+- [`request.cf.tlsClientAuth.certSubjectDNLegacy`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn_legacy/)
+- [`request.cf.tlsClientAuth.certSerial`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_serial/)
+- [`request.cf.tlsClientAuth.certIssuerSerial`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_serial/)
+- [`request.cf.tlsClientAuth.certFingerprintSHA256`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_fingerprint_sha256/)
+- [`request.cf.tlsClientAuth.certFingerprintSHA1`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_fingerprint_sha1/)
+- [`request.cf.tlsClientAuth.certNotBefore`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_not_before/)
+- [`request.cf.tlsClientAuth.certNotAfter`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_not_after/)
+- [`request.cf.tlsClientAuth.certSKI`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_ski/)
+- [`request.cf.tlsClientAuth.certIssuerSKI`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_ski/)
+- [`request.cf.tlsClientAuth.certRFC9440`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_rfc9440/)
+- [`request.cf.tlsClientAuth.certRFC9440TooLarge`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_rfc9440_too_large/)
+- [`request.cf.tlsClientAuth.certChainRFC9440`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_chain_rfc9440/)
+- [`request.cf.tlsClientAuth.certChainRFC9440TooLarge`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_chain_rfc9440_too_large/)
@@ -5,8 +5,8 @@ sidebar:
   order: 6
 ---
 
-Customers using [Cloudflare Access](/cloudflare-one/access-controls/policies/) also have the option to forward client certificates to their origin server.
-
 import { Render } from "~/components";
 
-<Render file="forward-client-certificate" product="ssl" />
+<Render file="add-client-certificate-rfc9440" product="ssl" />
+
+<Render file="forward-client-certificate" product="ssl" />
@@ -3,7 +3,7 @@ title: Troubleshooting
 pcx_content_type: troubleshooting
 description: Troubleshoot issues with client certificates
 sidebar:
-  order: 10
+  order: 11
 head:
   - tag: title
     content: Troubleshooting client certificates
@@ -110,4 +110,3 @@ You can use [Cloudflare Workers](/workers/) to debug client certificate validati
      "certVerified": "NONE",
    },
    ```
-
@@ -4,5 +4,4 @@ title: mTLS for Zero Trust
 external_link: /cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/
 sidebar:
   order: 14
-
----
+---
@@ -257,7 +257,7 @@ All plans have access to:
 
 * `tlsClientAuth` Object | null
 
-  * Only set when using Cloudflare Access or API Shield (mTLS). Object with the following properties: `certFingerprintSHA1`, `certFingerprintSHA256`, `certIssuerDN`, `certIssuerDNLegacy`, `certIssuerDNRFC2253`, `certIssuerSKI`, `certIssuerSerial`, `certNotAfter`, `certNotBefore`, `certPresented`, `certRevoked`, `certSKI`, `certSerial`, `certSubjectDN`, `certSubjectDNLegacy`, `certSubjectDNRFC2253`, `certVerified`.
+  * Various details about the client certificate (for mTLS connections). Refer to [Client certificate variables](/ssl/client-certificates/client-certificate-variables/) for more details.
 
 * `tlsClientCiphersSha1` string
 
@@ -454,4 +454,4 @@ Incoming `Request` objects passed to the [`fetch()` handler](/workers/runtime-ap
 * [Examples: Modify request property](/workers/examples/modify-request-property/)
 * [Examples: Accessing the `cf` object](/workers/examples/accessing-the-cloudflare-object/)
 * [Reference: `Response`](/workers/runtime-apis/response/)
-* Write your Worker code in [ES modules syntax](/workers/reference/migrate-to-module-workers/) for an optimized experience.
+* Write your Worker code in [ES modules syntax](/workers/reference/migrate-to-module-workers/) for an optimized experience.