Cloudflare Docs
SSL/TLS
SSL/TLS
Edit this page on GitHub
Set theme to dark (⇧+D)

Client certificates

Use Cloudflare public key infrastructure (PKI) to create client certificates. Use these certificates with Cloudflare API Shield or Cloudflare Workers to enforce mutual Transport Layer Security (mTLS) encryption.

​​ API Shield

To use API Shield to protect your API or web application, you must do the following:

  1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.

  2. Configure your mobile app or IoT device to use your Cloudflare-issued client certificate.

  3. Enable mTLS for the hosts you wish to protect with API Shield.

  4. Create WAF custom rules that require API requests to present a valid client certificate.

​​ Workers

To authenticate Workers requests using mTLS:

  1. Use Cloudflare’s fully hosted public key infrastructure (PKI) to create a client certificate.
  2. Create and use an mTLS binding to authenticate Workers connections.