Access CN trust rule / policy

Reading zero-trust page below,

I tried using the Common Name (CN) rule / policy to Allow access for me if I present a client cert. The web browser doesn’t seem to prompt for it though - with/without the tunnel DNS CNAME in the coverage of the client SSL cert challenge.

I haven’t been able to make this work, testing with the following command:
cloudflared access ssh-gen --hostname argo.example.com(*)

(*) not real hostname

cloudflared appears to be running okay on the server where it’s set as per the ssh example. Is there a way to get more debug info about the access client auth?

It seems that having one identity provider (OTP) configured and not having it in a rule/policy confused the system. Adding a rule for OTP made it work, or equivalently removing the OTP as IdP also seems to make it work.

I tell a lie: after clearing the cache and restarting the browser, it complains about no configured identity provider.

Perhaps CN can only be used with an IdP as well.

I found an error in the server config file, incorrect protocol. So now I’m able to use ssh.

Question still remains about the Common Name rule / policy possibility.