We are currently investigating the introduction of Cloudflare into our infrastructure. We’re running a multi-tenant platform, fronted by a load balancer that takes care of the TLS/SSL offloading.

For our platform, we rely heavily on mutual TLS with client certificates issued by various certification authorities (GlobalSign, Cybertrust, etc.). Allowed CAs are configured by our tenants, so we typically send out multiple allowed root certificates during the TLS handshake.

Now, looking at the Cloudflare mTLS documentation (https://developers.cloudflare.com/access/service-auth/mtls), a couple of questions arise:

  • Will Cloudflare allow us to configure multiple allowed root certificates? (The documentation mentions one certificate.)
  • Will Cloudflare offload the client certificate and make it available to the application or will the certificate information still be present on the incoming connection to our load balancer? (The documentation mentions a JWT, but it doesn’t seem to include the raw certificate content. We require the raw certificate to do additional checks on the application side.)
  • Barring all this, can we just use Cloudflare without mTLS functionality, and continue to use our current setup (i.e. offloading the client certificate on our load balancer)?
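The current setup described in the question (a load balancer that terminates mTLS against several tenant-configured roots and hands the raw client certificate to the application), as an added example that is not part of the original post and says nothing about what Cloudflare itself does. It is a Go program built on crypto/tls with a constructed PKI: the CA names, the host name lb.example, the client names and the "raw DER handed to the app" step are all assumptions. It shows three things: the CertificateRequest the load balancer sends carries one acceptable-CA entry per root in its ClientCAs pool (the "multiple allowed roots during the handshake" behaviour), the load balancer sees the verified leaf with its DER intact (PeerCertificates[0].Raw), and the application can re-parse that DER for its own checks; a self-signed client is rejected at the handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mkCert issues an Ed25519 cert for this constructed PKI: a self-signed CA when parent is nil, else a leaf signed by parent.
func mkCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn} // the LB leaf must pass the client's hostname check
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake runs one mTLS handshake over an in-memory pipe: lb is the load balancer (requires and verifies
// client certs); the client trusts lbCA and presents tc. Returns the advertised CA count and the verified leaf.
func handshake(lb *tls.Config, lbCA *x509.Certificate, tc tls.Certificate) (nCAs int, peer *x509.Certificate, err error) {
	s, c := net.Pipe()
	s.SetDeadline(time.Now().Add(5 * time.Second)) // a blocked pipe write must never hang the caller
	c.SetDeadline(time.Now().Add(5 * time.Second))
	cli := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "lb.example"}
	cli.RootCAs.AddCert(lbCA)
	cli.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		nCAs = len(cri.AcceptableCAs) // one DER subject per root in the LB's ClientCAs pool
		return &tc, nil
	}
	errc := make(chan error, 1)
	go func() {
		cc := tls.Client(c, cli)
		err := cc.Handshake()
		if err == nil {
			_, err = cc.Read(make([]byte, 1)) // consumes the LB's alert or its one-byte "ok"
		}
		errc <- err
	}()
	sc := tls.Server(s, lb)
	if err = sc.Handshake(); err == nil {
		peer = sc.ConnectionState().PeerCertificates[0] // verified leaf; peer.Raw is the DER the app needs
		_, err = sc.Write([]byte{1})
	}
	if cerr := <-errc; err == nil {
		err = cerr
	}
	return nCAs, peer, err
}

// appCheck is the application-side check on the raw DER the LB hands over (e.g. base64 in a header): re-parse it and require the tenant's issuer.
func appCheck(rawDER []byte, wantIssuerCN string) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(rawDER)
	if err != nil {
		return nil, err
	}
	if cert.Issuer.CommonName != wantIssuerCN {
		return nil, fmt.Errorf("issuer %q not allowed for this tenant", cert.Issuer.CommonName)
	}
	return cert, nil
}

// Scenario builds the constructed PKI and runs a trusted and a self-signed client against the LB; all names are assumptions.
func Scenario() (nCAs int, appCert *x509.Certificate, untrustedErr, err error) {
	ca1, _, _ := mkCert("Tenant CA 1", nil, nil)
	ca2, ca2Key, _ := mkCert("Tenant CA 2", nil, nil)
	lbCA, lbCAKey, _ := mkCert("LB Root", nil, nil)
	_, _, lbTLS := mkCert("lb.example", lbCA, lbCAKey)
	_, _, goodTLS := mkCert("tenant-a-client", ca2, ca2Key)
	_, _, badTLS := mkCert("rogue-client", nil, nil) // self-signed: issuer unknown to the LB
	clientCAs := x509.NewCertPool()                  // several allowed roots, as tenants configure them
	clientCAs.AddCert(ca1)
	clientCAs.AddCert(ca2)
	lb := &tls.Config{Certificates: []tls.Certificate{lbTLS}, ClientCAs: clientCAs,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	nCAs, peer, err := handshake(lb, lbCA, goodTLS)
	if err == nil {
		appCert, err = appCheck(peer.Raw, "Tenant CA 2")
	}
	_, _, untrustedErr = handshake(lb, lbCA, badTLS) // must fail: issuer not in ClientCAs
	return nCAs, appCert, untrustedErr, err
}
```

Call Scenario() from a main or a test; it returns the number of CA names the load balancer advertised (2 here), the certificate the application re-parsed, the rejection error for the self-signed client, and any unexpected failure. Session tickets are disabled only because the in-memory pipe has no kernel buffer; a real listener does not need that. Per-tenant CA lists map naturally onto a per-SNI ClientCAs pool selected with tls.Config.GetConfigForClient, which is the piece the question is asking whether Cloudflare can replicate.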