Certificate based authentication

Time Required

15 Minutes

Difficulty

Easy

Required Knowledge

DNS, Zero Trust, Shell

Prerequisites

  • Domain managed by Cloudflare

  • Zero Trust configured

  • Cloudflare Tunnels configured

Client Certificate

This section only needs to be done for 1 domain

Generate a certificate

  1. Log into Cloudflare and select your domain

  2. In the search box, input Client Certificates and open the page

  3. Click on Create Certificate on the right

    Setting                 Entry
    Private Key Type        RSA 2048
    Certificate Validity    Your choice

  4. Click on Create and ensure your key format is PEM

Save your Certificate

You will be presented with a certificate and a private key

  1. Under Certificate, click on Click to copy

  2. Open a text editor, paste the contents and save the file as certificate.pem

  3. Under Private key, click on Click to copy

  4. Open a text editor, paste the contents and save the file as certificate.key

  5. You should have something similar to the below:

Generate your PFX file

  1. Download and install the relevant OpenSSL version for your machine from here: https://slproweb.com/products/Win32OpenSSL.html

  2. Launch OpenSSL - a terminal window will open

  3. cd to the directory containing your certificate files

  4. Run the command below and enter an export password when prompted (you will need this password again when importing the PFX file):

    openssl pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.pem

  5. You will now have a certificate.pfx file - this is the file you can import to your end user devices

  6. Save your 3 files to somewhere secure
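Before exporting, it is worth confirming that certificate.pem and certificate.key were pasted correctly and actually belong together, since a mismatched or truncated file only surfaces as a vague error later. The script below is an added example, not part of this guide: it compares the public key in the certificate with the one derived from the private key, checks the certificate is not about to expire, and only then runs the same openssl pkcs12 export. It assumes OpenSSL is on PATH, a POSIX shell such as Git Bash or WSL rather than the Win32 OpenSSL prompt, and that the export password is supplied in an environment variable named PFX_PASSWORD (an assumed name).

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the saved
# certificate.pem / certificate.key pair, then build the PFX with the same
# openssl pkcs12 command used above. Assumes OpenSSL is on PATH and that the
# export password is supplied via the PFX_PASSWORD environment variable.
set -u

# Compare the public key embedded in the certificate with the public key
# derived from the private key. Prints "match" or "mismatch"; returns 0 only
# on a match, 2 if either file cannot be parsed.
check_pair() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "unreadable certificate: $cert"; return 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "unreadable private key: $key"; return 2; }
  if [ "$cert_pub" = "$key_pub" ]; then echo match; return 0; fi
  echo mismatch; return 1
}

# Succeeds only if the certificate stays valid for at least $2 more seconds
# (default 30 days), so a PFX is not rolled out that expires shortly after.
check_not_expiring() {
  cert="$1"; window="${2:-2592000}"
  openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null
}

# Build the PFX only after both checks pass. The password is passed to
# openssl as env:PFX_PASSWORD so it never appears on the command line.
build_pfx() {
  cert="$1"; key="$2"; out="$3"
  : "${PFX_PASSWORD:?set PFX_PASSWORD before calling build_pfx}"
  export PFX_PASSWORD
  check_pair "$cert" "$key" >/dev/null \
    || { echo "certificate and key do not match"; return 1; }
  check_not_expiring "$cert" \
    || { echo "certificate is expired or expires within 30 days"; return 1; }
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -passout env:PFX_PASSWORD
}

# Usage: PFX_PASSWORD='...' sh -c '. ./check_pfx.sh; build_pfx certificate.pem certificate.key certificate.pfx'
```

With OpenSSL 3.x, add -legacy to the export if an older Windows build refuses the resulting PFX, because 3.x defaults to AES/PBKDF2 encryption that older importers do not understand.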

Import / install your PFX file

You will need to import the PFX file on any devices you wish to authenticate using the certificate

  1. Get the PFX file onto your machine

  2. Double click the file to open it

  3. Certificate Import Wizard page:

    1. Store location: Current User

    2. Click next

  4. On the file to import page

    1. Click on next

  5. Private Key protection page

    1. Input the password set above

    2. Click on next

  6. Certificate store page

    1. Tick "Place all certificates in the following store"

    2. Click on Browse

      1. Select Trusted Root Certification Authorities

      2. Click OK

    3. Click on Next

  7. Click on Finish

Configure host addresses that can use the client certificate

In this example, we will set a wildcard - this means all subdomains will use the client certificate.

  1. Go back to the Cloudflare Client Certificates page

  2. Under hosts, click on edit and input *, then select *.your.domain from the dropdown

  3. Confirm the domain looks valid (e.g. not *..your.domain)

  4. Click on save

Configure Zero Trust

Create your Certificate authentication policy

  1. Click on your name in the top left

  2. On the left hand menu, select Zero Trust

  3. On the left, expand Access controls and select Policies

  4. Click on Add a policy