Authenticated Origin Pull and IIS

What I did (for one-to-one mapping):

  1. Enabled AOP in my account
  2. Downloaded the certificate
  3. Added the certificate in IIS:
    • Certificate: base64-encoded certificate, removing newline characters
    • Username and Password: Leave empty
  4. Site > SSL Settings > check Require SSL
    • Select Require under Client Certificates
  5. Disable Anonymous Authentication

If you leave “Ignore” selected under SSL Settings you should get a 401 Unauthorized. This indicates that it’s set up correctly. Select “Require” and you will get the web resource at the origin (403 in my case since it’s just an empty folder).

For the many-to-one the process is similar, as @simon posted. But you have to look at the <add/> documentation to get anywhere.

  • In this instance, you only need to download the origin-pull certificate to see what the subject line looks like.

The steps are as follows (after step 2 above):

  1. Add item:
    • name can be anything
    • userName, password must be filled in, but don’t have to tie to anything
  2. Click rules
  3. Follow with step 4 above

And that was it. I didn’t have to add the certificate anywhere else. This particular test used the Origin CA certificate option, so I get a privacy error when I go to the website outside of Cloudflare, but I’m pretty confident that you would just get a 401 as in the test above.

Given the criteria that the many-to-one uses, it seems to be more secure to use the one-to-one and validate against the entire certificate.

Additional Note: There is no UI so I used the Configuration Editor from within the IIS site itself.

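The same steps scripted with the WebAdministration module instead of the Configuration Editor, as an added example that is not from the post above. It assumes the IIS Client Certificate Mapping Authentication feature is installed, the site is named 'Default Web Site', the downloaded origin-pull certificate is at .\origin-pull-ca.pem, and the many-to-one account name and password are placeholders to replace.

```powershell
# Added example (not the original poster's code). Produces the two values IIS
# needs from the downloaded Cloudflare origin-pull certificate and applies the
# post's one-to-one setup; the many-to-one variant is behind a switch so the
# difference between the two match criteria is visible side by side.
Import-Module WebAdministration

$site         = 'Default Web Site'           # assumed site name
$pemPath      = '.\origin-pull-ca.pem'       # assumed download location
$useManyToOne = $false
$auth = 'system.webServer/security/authentication'
$map  = "$auth/iisClientCertificateMappingAuthentication"

# Step 3 of the post: the 'certificate' attribute is the PEM body with the
# BEGIN/END lines and every line break stripped, i.e. one long base64 line.
$pem = Get-Content -Path $pemPath -Raw
$b64 = $pem -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''

# Decode it once to see the subject the many-to-one rule would match on.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($b64))
$cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
Write-Host "Subject: $($cert.Subject)  (CN used for many-to-one: $cn)"

# Steps 4 and 5: Require SSL + Require client certificate, anonymous auth off.
# Leaving the client-certificate flag out is the 'Ignore' case that returns 401.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $map -Name enabled -Value $true

if (-not $useManyToOne) {
    # One-to-one: the entire certificate is the credential, so only Cloudflare's
    # exact certificate is accepted (the post's preferred, stricter option).
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $map `
        -Name oneToOneCertificateMappingsEnabled -Value $true
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
        -Filter "$map/oneToOneMappings" -Name '.' -Value @{ enabled = 'true'; certificate = $b64 }
} else {
    # Many-to-one: only the subject CN is compared, so any trusted certificate
    # carrying the same CN would match. userName/password are placeholders.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $map `
        -Name manyToOneCertificateMappingsEnabled -Value $true
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter "$map/manyToOneMappings" `
        -Name '.' -Value @{ name = 'CloudflareAOP'; enabled = 'true'; permissionMode = 'Allow';
                            userName = '<mapping-account>'; password = '<mapping-password>' }
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
        -Filter "$map/manyToOneMappings/add[@name='CloudflareAOP']/rules" -Name '.' `
        -Value @{ certificateField = 'Subject'; certificateSubField = 'CN';
                  matchCriteria = $cn; compareCaseSensitive = 'true' }
}
```

Run it in an elevated PowerShell on the IIS host; the Configuration Editor will then show the same values the post's screenshots describe.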