search
Ctrlk

Certificate based authentication

Time Required

15 Minutes

Difficulty

Easy

Required Knowledge

DNS, Zero Trust, Shell

hashtag
Prerequisites

  • Domain managed by Cloudflare

  • Zero Trust configured

  • Cloudflare Tunnels configured

hashtag
Client Certificate

circle-info

This section only needs to be done for 1 domain

hashtag
Generate a certificate

  1. Log into Cloudflare and select your domain

  2. In the search box, input Client Certificates and open the page

  3. Click on Create Certificate on the right

    Setting
    Entry

    Private Key Type

    RSA 2048

    Certificate Validity

    Your choice

  4. Click on Create and ensure your key format is PEM

hashtag
Save your Certificate

You will be presented with a certificate and a private key

  1. Under Certificate, click on Click to copy

  2. Open a text editor, paste the contents and save the file as certificate.pem

  3. Under Private key, click on Click to copy

    triangle-exclamation

    Do not share your private key - anyone with this can bypass your Zero Trust

  4. Open a text editor, paste the contents and same the file as certificate.key

  5. You should have something similar to the below:

hashtag
Generate your PFX file

  1. Download and install the relevant OpenSSL version for your machine from here: https://slproweb.com/products/Win32OpenSSL.htmlarrow-up-right

  2. Launch OpenSSL - you will be prompted with a terminal window

  3. CD to the directory with your certificate files

  4. Run the below command, and provide password when prompted openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.pem

  5. You will now have a certificate.pfx file - this is the file you can import to your end user devices

    triangle-exclamation

    Do not share your PFX file - anyone with this can bypass your Zero Trust

  6. Save your 3 files to somewhere secure

hashtag
Import / install your PFX file

You will need to import the PFX file on any devices you wish to authenticate using the certificate

  1. Get the PFX file onto your machine

  2. Double click the file to open it

  3. Certificate Import Wizard page:

    1. Store location: Current User

    2. Click next

  4. On the file to import page

    1. Click on next

  5. Private Key protection page

    1. Input the password set above

    2. Click on next

  6. Certificate store page

    1. Tick "place all certificates in the following store"

    2. Click on browse

      1. select Trusted Root Certification Authorities

      2. Click ok OK

    3. click on next

  7. Click on Finish

hashtag
Configure host addresses that can use the client certificate

In this example, we will set a wildcard - this means all subdomains will use the client certificate.

  1. Go back to the Cloudflare Client Certificates page

  2. Under hosts, click on edit and input *, then select *.your.domain from the dropdown

  3. Confirm the domain looks valid (eg not *..your.domain)

  4. Click on save

triangle-exclamation

I have broken WSS connection from Pterodactyl Panel to Wings enabling this on a domain that Pterodactyl was hosted on

hashtag
Configure Zero Trust

hashtag
Create your Certificate authentication policy

  1. Click on your name in the top left

  2. On the left hand menu, select Zero Trust

  3. On the left, expand Access controls and select Policies

  4. Click on Add a policy

Last updated