Detecting client certificate issued by custom CA


I’m exposing an API via Cloudflare and it sometimes happens that one of my partners accessing the API is blocked because the IP he’s connecting from is being categorized as “low security”, which means his requests are being dropped by the firewall.

As a workaround, I’m whitelisting his IP so that he’s able to bypass that rule, but since this application is hosted on a cloud provider, it sometimes happens that his IP changes, which means I have to whitelist it again. Now, in order to connect to the API, this partner uses a client certificate issued by my Certification Authority, and I’d like to whitelist him not based on the IP address, but on the fact that he’s using a client certificate issued by my Certification Authority.

In order to test if this is possible, I’m logging the requests to this hostname in the Firewall with a rule:


Unfortunately, no request is being logged, as if Cloudflare didn’t detect that a client certificate is being used.

I now have two questions:

  1. Is there a way to configure Cloudflare (or Cloudflare Zero Trust access) so that I can “recognize” a connection coming with a client certificate issued by my Certification Authority and whitelist it on CF’s Firewall?

  2. Is it possible not to enforce mTLS? The API is also accessed without client certificates, so enforcing mTLS is not an option.


