# Certificate based authentication

<table data-view="cards"><thead><tr><th></th><th></th></tr></thead><tbody><tr><td>Time Required</td><td>15 Minutes</td></tr><tr><td>Difficulty</td><td>Easy</td></tr><tr><td>Required Knowledge</td><td>DNS, Zero Trust, Shell</td></tr></tbody></table>

## Prerequisites

* Domain managed by Cloudflare
* Zero Trust configured
* Cloudflare Tunnels configured

## Client Certificate

{% hint style="info" %}
This section only needs to be done for 1 domain
{% endhint %}

### Generate a certificate

1. Log into Cloudflare and select your domain

2. In the search box, input `Client Certificates` and open the page<br>

   <figure><img src="/files/R72wV7ZSEbGg1MHk6yOD" alt=""><figcaption></figcaption></figure>

3. Click on Create Certificate on the right

   | Setting              | Entry       |
   | -------------------- | ----------- |
   | Private Key Type     | RSA 2048    |
   | Certificate Validity | Your choice |

4. Click on Create and ensure your key format is `PEM`

### Save your Certificate

You will be presented with a certificate and a private key.

1. Under Certificate, click on `Click to copy`
2. Open a text editor, paste the contents and save the file as `certificate.pem`
3. Under Private key, click on `Click to copy`

   <div data-gb-custom-block data-tag="hint" data-style="danger" class="hint hint-danger"><p>Do not share your private key - anyone with this can bypass your Zero Trust</p></div>
4. Open a text editor, paste the contents and save the file as `certificate.key`
5. You should have something similar to the below:

   <figure><img src="/files/OcYNXKqSgWZTxLP660QL" alt=""><figcaption></figcaption></figure>

### Generate your PFX file

1. Download and install the relevant OpenSSL version for your machine from here: <https://slproweb.com/products/Win32OpenSSL.html>
2. Launch OpenSSL - you will be prompted with a terminal window
3. CD to the directory with your certificate files
4. Run the below command, and provide a password when prompted\
   `openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.pem`
5. You will now have a *certificate.pfx* file - this is the file you can import to your end user devices<br>

   <figure><img src="/files/aqDlg6xjaoM8MFtP2g6S" alt=""><figcaption></figcaption></figure>

   <div data-gb-custom-block data-tag="hint" data-style="danger" class="hint hint-danger"><p>Do not share your PFX file - anyone with this can bypass your Zero Trust</p></div>
6. Save your 3 files to somewhere secure
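
As an added example (not part of this guide), the export step above as a small POSIX shell script: it first checks that `certificate.key` really belongs to `certificate.pem`, only then builds the PFX, and finally verifies the PFX opens with the password and holds exactly one certificate and one key. It assumes `openssl` is on `PATH` and reads the export password from a `PFX_PASS` environment variable rather than the command line.

```shell
#!/bin/sh
# Added example, not from the guide: wrap 'openssl pkcs12 -export' in the
# checks worth doing before handing a PFX to end-user devices.
# Assumes openssl on PATH and the export password in PFX_PASS (so it never
# appears in the process list).
set -eu

# Succeeds only if KEY is really the private key for CERT: both are reduced
# to their SubjectPublicKeyInfo PEM and compared byte for byte.
cert_matches_key() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Builds OUT (.pfx) from CERT and KEY, refusing a mismatched pair so a broken
# bundle is never produced. The PFX contains the private key: keep it 0600.
make_pfx() {
  cert="$1"; key="$2"; out="$3"
  : "${PFX_PASS:?set PFX_PASS to the export password}"
  if ! cert_matches_key "$cert" "$key"; then
    echo "refusing: $key is not the private key for $cert" >&2
    return 1
  fi
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -passout env:PFX_PASS
  chmod 600 "$out"
}

# Succeeds only if PFX opens with PFX_PASS and contains exactly one
# certificate and one private key, which is what the client needs to present.
verify_pfx() {
  pfx="$1"
  bundle=$(openssl pkcs12 -in "$pfx" -nodes -passin env:PFX_PASS 2>/dev/null) || return 1
  ncerts=$(printf '%s\n' "$bundle" | grep -c 'BEGIN CERTIFICATE') || true
  nkeys=$(printf '%s\n' "$bundle" | grep -c 'BEGIN.*PRIVATE KEY') || true
  [ "$ncerts" -eq 1 ] && [ "$nkeys" -eq 1 ]
}
```

Run as `PFX_PASS='...' sh script.sh` after adding a call such as `make_pfx certificate.pem certificate.key certificate.pfx && verify_pfx certificate.pfx` at the end.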

### Import / install your PFX file

You will need to import the PFX file on any device you wish to authenticate using the certificate.

{% tabs %}
{% tab title="Windows" %}

1. Get the PFX file onto your machine
2. Double click the file to open it
3. Certificate Import Wizard page:
   1. Store location: Current User
   2. Click next
4. On the file to import page
   1. Click on next
5. Private Key protection page
   1. Input the password set above
   2. Click on next
6. Certificate store page
   1. Tick "place all certificates in the following store"
   2. Click on browse
      1. Select Trusted Root Certification Authorities
      2. Click OK
   3. Click on next
7. Click on Finish
{% endtab %}

{% tab title="Android" %}

1. Get the PFX file onto your device
2. Use a file browser to open it
3. On the extract certificate page,
   1. input the password
   2. Click on OK
4. On the certificate type page,
   1. Select app user certificate
   2. Click on OK
5. On the certificate name page,
   1. Input the name of the domain
   2. Click on OK
{% endtab %}
{% endtabs %}

### Configure host addresses that can use the client certificate

In this example, we will set a wildcard - this means all subdomains will use the client certificate.

1. Go back to the Cloudflare Client Certificates page
2. Under hosts, click on edit and input `*`, then select `*.your.domain` from the dropdown
3. Confirm the domain looks valid (e.g. not `*..your.domain`)
4. Click on save

{% hint style="danger" %}
I have broken the WSS connection from Pterodactyl Panel to Wings by enabling this on a domain that Pterodactyl was hosted on
{% endhint %}

## Configure Zero Trust

### Create your Certificate authentication policy

1. Click on your name in the top left
2. On the left hand menu, select Zero Trust
3. On the left, expand Access controls and select Policies
4. Click on Add a policy
