Mutual TLS (mTLS)
Require clients to present a valid X.509 certificate before they can reach a protected endpoint.
mTLS enforcement is applied by Cloudflare on the protected route (see below).
Live client-certificate check
This calls a protected endpoint and shows what the edge reports about your client certificate.
Browsers only send a client certificate if one is installed and the site requests it. The check requests /cdn-cgi/access/get-identity style identity data through a Worker route; in this lab it returns the cf-client-cert-* headers when mTLS is configured.
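The edge-side decision such a Worker route makes, as an added example in JavaScript (not the lab's own Worker code). It assumes the request.cf.tlsClientAuth fields documented for Workers (certPresented "0"/"1"; certVerified "SUCCESS", "NONE" or "FAILED:<reason>") and treats the cf-client-cert-* header names as this lab's own convention:

```javascript
// Added example (not the lab's own Worker code): what a Worker route can
// conclude from the client-certificate fields the Cloudflare edge reports.
// Assumed shape of request.cf.tlsClientAuth (per Workers docs): certPresented
// is "0" or "1"; certVerified is "SUCCESS", "NONE" or "FAILED:<reason>";
// certSubjectDN / certIssuerDN / certSerial / certNotAfter are plain strings.

function evaluateClientCert(tlsClientAuth) {
  const auth = tlsClientAuth || {};
  if (auth.certPresented !== "1") {
    // No certificate in the handshake: none installed in the browser, or the
    // hostname is not enabled for mTLS so the edge never requested one.
    return { allowed: false, status: 403, reason: "no client certificate presented" };
  }
  if (auth.certVerified !== "SUCCESS") {
    // A certificate arrived but did not validate against the uploaded CA.
    // Subject data from an unverified certificate must never be trusted.
    const why = auth.certVerified || "NONE";
    return { allowed: false, status: 403, reason: "certificate not verified: " + why };
  }
  // Verified: expose only the fields a client may legitimately see about itself.
  return {
    allowed: true,
    status: 200,
    identity: {
      subject: auth.certSubjectDN,
      issuer: auth.certIssuerDN,
      serial: auth.certSerial,
      notAfter: auth.certNotAfter,
    },
  };
}

// Worker entry point. The cf-client-cert-* response headers follow the naming
// this lab describes (an assumption about the lab, not a Cloudflare-defined set).
// The WAF rule still blocks unverified clients first; this is defence in depth.
async function handleRequest(request) {
  const result = evaluateClientCert(request.cf && request.cf.tlsClientAuth);
  const headers = new Headers({ "content-type": "application/json" });
  if (result.allowed) {
    headers.set("cf-client-cert-subject", result.identity.subject || "");
    headers.set("cf-client-cert-issuer", result.identity.issuer || "");
    headers.set("cf-client-cert-serial", result.identity.serial || "");
  }
  return new Response(JSON.stringify(result), { status: result.status, headers });
}
```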
How to configure (Cloudflare)
- SSL/TLS → Client Certificates: create or upload a CA, then enable a hostname for mTLS.
- Security → WAF → Custom rules: add a rule with the expression not cf.tls_client_auth.cert_verified and the action Block, scoped to this path.
- For APIs, enable API Shield → mTLS and bind the client certificate to your endpoints.
Test from the CLI
Generate a client cert from your CA, then call the endpoint with it:
# create a client key + CSR, sign with your CA
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=lab-client"
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client.crt -days 365

# call WITHOUT a cert (should be blocked once mTLS is enforced):
curl -i https://mtls.pimenta.fun/

# call WITH the client cert (should succeed):
curl -i --cert client.crt --key client.key https://mtls.pimenta.fun/