Client certificates (mTLS)
Use Cloudflare's public key infrastructure (PKI) to create client certificates, or bring your own CA for mTLS.
Mutual TLS (mTLS) authentication is a common security practice that uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.
Client certificates issued from a given CA are installed on client devices that should be granted access. Then, for any host that has mTLS enabled, Cloudflare - acting as the server in this case - requires a certificate from the client trying to access the hostname.
Cloudflare then validates the client certificate against CAs set at account level. This means that these certificates can be used for validation across multiple zones/domains (example.com), as long as the zones are under the same Cloudflare account and mTLS has been enabled for the requested hosts (host.example.com).
The account-level CAs can be:
- The Cloudflare-managed CA: This is the default option. Certificates and hostname associations are listed on your dashboard.
- BYOCA certificates: This is an API-only option, available on Enterprise accounts. Certificates and hostname associations are not listed on your dashboard.
As explained in the mTLS learning path, there are different use cases and implementation options for mTLS. Consider the following links for specific guidance.
- Application security
- mTLS for Zero Trust (Cloudflare Access integration)
- mTLS with API Shield
- mTLS Workers binding
Apart from the mTLS Workers binding, any of the above implementations can use your own CA instead of the Cloudflare-managed one. Refer to Bring your own CA.
Use the mTLS Workers binding when you need your worker to present a client certificate to an external service. To authenticate requests from a client to your worker instead, refer to SSL/TLS > Client certificates and the regular mTLS for application security implementation.
flowchart LR
    accTitle: mTLS from client to worker versus mTLS from worker to external service
    accDescr: Diagram showing two different implementations that can be considered for mTLS with Cloudflare Workers.
    A[Client] <--App security mTLS--> B((Cloudflare)) <--mTLS worker binding--> C[(External service)]
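The following is an added example, not code from Cloudflare's documentation, showing a Worker that sits between the two hops in the diagram: inbound, it only accepts requests whose client certificate Cloudflare verified against an account-level CA (read from request.cf.tlsClientAuth); outbound, it calls an external service through an mTLS Workers binding. The binding name EXTERNAL_MTLS, the environment variable ALLOWED_ISSUER_DN and the URL https://api.example.com/telemetry are assumptions.

```javascript
// Inbound hop: decide whether Cloudflare verified the caller's client certificate.
// `cf` is the request.cf object a Worker receives. Cloudflare sets
// tlsClientAuth.certVerified to "SUCCESS" only when the presented certificate
// chained to one of the account-level CAs; "NONE" or "FAILED:<reason>" otherwise.
// Checking it in the Worker is defense in depth for hosts with mTLS enabled.
function evaluateClientCert(cf, allowedIssuerDN) {
  const auth = cf && cf.tlsClientAuth;
  if (!auth || auth.certPresented !== "1") {
    return { allowed: false, reason: "no client certificate presented" };
  }
  if (auth.certVerified !== "SUCCESS") {
    return { allowed: false, reason: `client certificate not verified: ${auth.certVerified}` };
  }
  // Optional pinning to one CA when several CAs are configured on the account
  // (allowedIssuerDN is an assumed setting, compared against the issuer DN).
  if (allowedIssuerDN && auth.certIssuerDN !== allowedIssuerDN) {
    return { allowed: false, reason: "client certificate issued by an unexpected CA" };
  }
  return { allowed: true, reason: "ok" };
}

// In a deployed Worker this object is the module's default export.
const worker = {
  async fetch(request, env) {
    const verdict = evaluateClientCert(request.cf, env.ALLOWED_ISSUER_DN);
    if (!verdict.allowed) {
      return new Response(verdict.reason, { status: 403 });
    }
    // Outbound hop: the binding, not plain fetch(), presents the Worker's own
    // client certificate to the external service. Assumed wrangler config:
    //   mtls_certificates = [{ binding = "EXTERNAL_MTLS", certificate_id = "<id from wrangler mtls-certificate upload>" }]
    return env.EXTERNAL_MTLS.fetch("https://api.example.com/telemetry", {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ device: request.cf.tlsClientAuth.certSubjectDN }),
    });
  },
};

// Constructed sample of what request.cf.tlsClientAuth looks like for a verified device.
const sampleVerifiedCf = {
  tlsClientAuth: {
    certPresented: "1",
    certVerified: "SUCCESS",
    certIssuerDN: "CN=Example Device CA",
    certSubjectDN: "CN=sensor-0042",
  },
};
```

A request that reaches the Worker without a verified certificate is rejected before the Worker spends its own client certificate on the outbound call.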
© 2025 Cloudflare, Inc.