Goal is to use the fastest ECC cert created in the dashboard:
would it work if we upload the created Edge Cert “CF Origin ECC PEM” to the nginx server and add
ssl_client_certificate /etc/nginx/certs/Cloudflare.crt;
ssl_verify_client on;
So technically, with the 2nd and 3rd methods you can script your own custom CA root/CA Intermediate and use it to sign your own client TLS certs using ECC PEM for Cloudflare Authenticated Origin Pull configurations and upload them via CF API. So you can automate revocation/renewal.
Note: it is important that you remember to record the id of your custom client TLS uploaded certificate from the CF API upload command’s output. The reason is CF does not have an API endpoint to list custom client TLS uploaded certificates. So you won’t be able to update or remove the custom uploaded client TLS certificate without that id.
I create my own custom CA Root certificate/signed client TLS certs for custom hostnames via my own custom scripted process at https://github.com/centminmod/cfssl-ca-ssl (gen-client mode) using Cloudflare’s own cfssl as the underlying tool. The script is also used for my own Centmin Mod Nginx client TLS authentication processes outside of Cloudflare proxied configurations.
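An added example, not from the thread and not the cfssl-ca-ssl script: it uses plain openssl instead of cfssl to create an ECC (P-256) CA root and a client certificate signed by it, then checks that the client certificate chains to that CA, which is the file nginx's ssl_client_certificate would point at. Subject names, file names and the temp directory are assumptions.

```bash
#!/usr/bin/env bash
# Added example: subject names and file names below are constructed.
set -eu

# Create an ECC (P-256) CA root and one client cert signed by it, in dir $1.
make_ca_and_client() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example AOP Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # CA key and self-signed CA certificate.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/ca.key" \
    -sha256 -days 3650 -out "$dir/ca.crt"
  # Client key, CSR, and certificate restricted to TLS client authentication.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/client.key"
  openssl req -new -config "$dir/ca.cnf" -key "$dir/client.key" \
    -subj "/CN=aop-client.example.com" -out "$dir/client.csr"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$dir/ca.cnf" -extensions client -out "$dir/client.crt"
}

# Succeeds only if client cert $2 chains to CA $1 and allows client auth.
verifies_against() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca_and_client "$work"
verifies_against "$work/ca.crt" "$work/client.crt" && echo "client.crt chains to ca.crt"
# ca.crt is the file for nginx ssl_client_certificate; client.crt and client.key
# are what gets uploaded through the CF API (save that command's output for the id).
```

A client certificate signed by any other CA fails the same check, which is why the file given to ssl_client_certificate has to be the CA that issued the certificate presented to the origin.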