Client Certificate Not trusted Mac Keychain

I’m attempting to deploy a client certificate to Mac workstations using the “Generate private key and CSR with Cloudflare” option to allow devices past a WAF Custom Rule set to block access to one of our hosts.

That’s all working fine, but the client certificate shows “‘Cloudflare’ certificate is not trusted” in Keychain on the Macs when adding as a System Certificate either manually or through Mosyle MDM (our management software). I believe I need to deploy the Root CA certificate as well, but I’ve tried all the Cloudflare Root CA certs I can find with no luck. The certificate shows “Issued by: Managed CA” and none of the Root certs seem to match that.

To be clear, I’m not using WARP or Zero Trust. Just SSL/TLS > Client Certificates under the host.

Can anyone point me in the right direction?

Thanks!

1 Like

I should note we’re currently on the Cloudflare Pro Plan, if that’s a factor.

If you double-click a certificate in Keychain you can open the Trust section and set the certificate as trusted.

1 Like

Thanks for the suggestion. I am aware of that option. Unfortunately we’ll be deploying this to a couple hundred devices, so I’m looking for a solution that doesn’t require manual intervention on each one.

To follow up with additional efforts:

We do have a certificate from DigiCert and they publish the Root certificate that corresponds. I tried creating a client certificate through Cloudflare with the “Use my private key and CSR” option and the DigiCert CSR, but the “Select a Certificate Authority (CA) to sign the client certificate” section was greyed out and set to “Cloudflare Managed CA” so I wasn’t able to set the DigiCert CA.

At which point I’m not sure how I can use a trusted CA provider outside of Cloudflare. Is that functionality not available with a Pro plan?

Never mind. Saw that support for DigiCert certificates is being deprecated.

Same problem here. The option to choose another CA is greyed out and there’s absolutely no option to download “Cloudflare Managed CA” for the account. This is extremely frustrating as we can’t deploy to iOS without manual intervention.
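A diagnostic for the mismatch described in this thread, added here as an example rather than taken from any of the posts: given the client certificate and every candidate root you have downloaded, it reports which candidate actually signed it, using a real signature check rather than the “Issued by” display name. Paths such as `client.pem` and the candidate CA files are assumptions; it needs only `openssl`.

```shell
#!/bin/sh
# Report which candidate CA file actually issued a client certificate.
# The "Issued by: Managed CA" label in Keychain is only the issuer DN; two
# CAs can share a name, so we also require that the CA key verifies the leaf.

# Print the issuer DN of a PEM certificate in RFC 2253 form.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Print the subject DN of a PEM certificate in RFC 2253 form.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# find_issuer LEAF.pem CA1.pem [CA2.pem ...]
# Prints the path of the CA that signed LEAF and returns 0; returns 1 if none do.
find_issuer() {
    leaf=$1; shift
    want=$(cert_issuer "$leaf")
    for ca in "$@"; do
        # Name filter first, then the authoritative check: does this CA's key
        # verify the leaf's signature? A root that fails here will never be
        # accepted by Keychain as the trust anchor for this client cert.
        if [ "$(cert_subject "$ca")" = "$want" ] \
           && openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
            echo "$ca"
            return 0
        fi
    done
    echo "no candidate CA signed $leaf (issuer: $want)" >&2
    return 1
}

# Usage (paths are assumed): find_issuer client.pem cloudflare-root-*.pem
```

If every candidate fails, the missing trust anchor is a private issuing CA whose certificate you do not yet have, and no public root will make the leaf show as trusted.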