Authenticated origin pull

I have installed the Cloudflare Origin CA on my hosting provider, and it works perfectly. Now that I have the Cloudflare Origin CA, can I enable the Authenticated Origin Pull option?

Because the Cloudflare Origin RSA/ECC PEM is already in the Cloudflare Origin CA public key, I don't understand.

Basically Authenticated Origin Pull is a way for you to verify whether the incoming connection is really coming from Cloudflare by verifying the client certificate presented by Cloudflare (a.k.a. Mutual TLS setup).

And yes, for maximum security you can enable that, but not all hosting providers provide the option to verify the incoming client certificate - you have to check that.

Hello @erictung, thanks for your reply!
I thought that with the Cloudflare Origin CA I could enable that option, but it seems more complicated than I thought.
Another thing is that I enabled it a long time ago and everything worked fine.

This guide, Authenticated Origin Pulls – Cloudflare Help Center, says that I have to put that .pem certificate on my server, but it is the same as my Cloudflare Origin CA public key.

Or is it that I have to put that .pem cert on my server and, with the .htaccess, my server checks everything against that .pem cert?


I found out the problem.
The problem is that SSLCACertificateFile can't be used in .htaccess, only in httpd.conf.
And it seems that there is no workaround.

To be specific, you can only use SSLCACertificateFile at either a Server or a virtual host level. You cannot enable mTLS for part of a virtual host. Essentially, the TLS Certificate Request element of the connection is complete before the client asks for a particular URL. Theoretically it was possible to re-negotiate the session, but with TLS 1.3 that option has now gone away, and I don't think any secure working implementations ever existed in legacy versions of TLS.

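The setup described in the replies above (Cloudflare presenting a client certificate, the origin verifying it against a CA file, and that CA file only being configurable at server or virtual-host level) looks like the following in Apache. This is an added example written for this thread, not configuration from the original posts or from Cloudflare. It uses two different certificates: the Cloudflare Origin CA certificate and key, which identify your origin to Cloudflare (the server side of the TLS handshake), and the separate Cloudflare Authenticated Origin Pull CA certificate, which is the trust anchor for the client certificate Cloudflare presents. The hostname and all file paths are assumptions; use the paths where your host actually stores the files.

```apache
# Added example (not from the original thread): Apache virtual host with
# Authenticated Origin Pulls enforced. All paths and the ServerName are
# assumed placeholders. Apache only accepts comments on their own lines,
# so none of the directives below carry trailing comments.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example.com

    SSLEngine on

    # Server identity presented to Cloudflare: the Cloudflare Origin CA
    # certificate (RSA or ECC PEM) and its private key. This is the pair
    # the original poster already installed.
    SSLCertificateFile    /etc/ssl/certs/cloudflare-origin.pem
    SSLCertificateKeyFile /etc/ssl/private/cloudflare-origin.key

    # Authenticated Origin Pulls: require a client certificate and trust
    # only the Cloudflare origin-pull CA when validating it. This is a
    # different file from the Origin CA certificate above.
    # SSLCACertificateFile is only valid in server or <VirtualHost>
    # context, which is why it cannot go in .htaccess.
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLCACertificateFile /etc/ssl/certs/authenticated_origin_pull_ca.pem

    # Optional: only TLS 1.2+ between Cloudflare and the origin.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
```

Two practical checks after reloading: `apachectl configtest` must pass, and a request sent straight to the origin's IP (bypassing Cloudflare, so no client certificate is presented) must now fail the TLS handshake rather than return the page. `SSLCACertificateFile` on its own only installs the trust store; without `SSLVerifyClient require` the client certificate is never requested, so both directives are needed for the verification that @erictung describes. Remember that this setting protects the whole virtual host, so a host with paths that are meant to be reachable without Cloudflare needs a separate virtual host for them.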
