Cloudflare Workers Fetch API with Client Certificate and Private Key

I tried to inject a client certificate and private key as part of the options to make a call from Client Workers fetch to example.com, where it will only accept connections with a valid client certificate. The response status of the call returned a 403 error.

I tried the same piece of code from Node.js on my laptop and it works.

Here’s my code excerpt in Workers:

// I stored the cert and private key in KV
const certificate = await KV_APP_SETTINGS.get(`CLIENT_TO_SCANNER_CERT`)
const privateKey = await KV_APP_SETTINGS.get(`CLIENT_TO_SCANNER_PRIVATE_KEY`)

const options = {
  cert: certificate,
  key: privateKey,
  keepAlive: true
}

const sslConfiguredAgent = new https.Agent(options);

var url = 'https://example.com/hello';

const response = await fetch(url, {
  agent: sslConfiguredAgent,
});

const responseBody = response.status;

console.log(responseBody); // now it returned 403

May I know how to make it work?

Cloudflare Workers does not run NodeJS. The Fetch API found in Workers is more akin to the one found in browser JS. You cannot use a client certificate with requests from Workers at the moment.

I hope this helps - even if it is not the answer you were looking for 🙂

2 Likes

Ok well noted. Thanks for your info!

@steve1121 Were you able to find a workaround for this? I am also running into a similar situation where I am trying to implement mTLS with the worker being the client that needs to provide proof of itself.

Have you considered using HMAC signing instead?

@albert thanks for your answer! Is there any other way to accomplish this with help from other parts of the Cloudflare ecosystem?
With a worker being the first recipient of the client request wanting to send a request that has a custom CA (like in node new https.Agent({ pfx, passphrase, ca }))

I'm new to Cloudflare, thanks in advance!

You can use Authenticated Origin Pull to have Cloudflare present a predefined client certificate during the TLS handshake. I’m not sure whether this would work for your use case, but I believe it’s the only way to use client certificates on Cloudflare.

2 Likes