Getting IDs of my Client Certs

Hello. I have found a way to delete client certificates, and it requires a certificate ID. But I haven’t found a way to get it (maybe I don’t see something right in front of me).

Hello,

Yep, I saw that. But I can’t find the way to get the ID of the client cert to delete it.

Are you referring to uploaded custom TLS client certificates via Cloudflare API for Cloudflare Authenticated Origin Pull custom TLS client certificates outlined at https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull#per-hostname-authenticated-origin-pull-using-customer-certificates-per-hostname? If so, there is no CF API endpoint to list uploaded TLS client certificates right now.

I found out when I was creating my own custom Authenticated Origin Pull TLS client certificates. You need to record the client certificate ID at the time of CF API upload and then use that ID for future deletions.

Example of how I do it with custom CA SSL cert and signed TLS client certificate (/etc/cfssl/clientcerts/domain.com.pem) using cfssl (cloudflare/cfssl: Cloudflare's PKI and TLS toolkit):

Upload TLS client certificate via CF API and pipe output to file /etc/cfssl/clientcerts/domain.com-cf-origin-tls-cleint-auth-cert-upload.txt

MYCERT=$(cfssl-certinfo -cert /etc/cfssl/clientcerts/domain.com.pem | jq '.pem' | sed -e 's|"||g')
MYKEY=$(cat /etc/cfssl/clientcerts/domain.com-key.pem | perl -pe 's/\r?\n/\\n/'|sed -e's/..$//')
request_body="{ \"certificate\": \"$MYCERT\", \"private_key\": \"$MYKEY\" }" 

curl -sX POST https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates -H "X-Auth-Email: $cfemail" -H "X-Auth-Key: $cftoken" -H "Content-Type: application/json" -d "$request_body" | jq | tee /etc/cfssl/clientcerts/domain.com-cf-origin-tls-cleint-auth-cert-upload.txt

Grab the client cert id from saved /etc/cfssl/clientcerts/domain.com-cf-origin-tls-cleint-auth-cert-upload.txt file.

export clientcert_id=$(jq -r '.result.id' /etc/cfssl/clientcerts/domain.com-cf-origin-tls-cleint-auth-cert-upload.txt)
echo "$clientcert_id" > /etc/cfssl/clientcerts/domain.com-cf-origin-tls-cleint-auth-cert-upload-clientcert-id.txt

For the existing uploaded TLS client certificates, you can either leave them as is or contact CF support to see if they can delete them for you.

@cscharff @cloonan there really should be CF API support for listing custom TLS client certificates you upload via CF API :)

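The record-the-ID-at-upload workflow from the answer above, as an added example that is not part of the original posts: jq builds the request body from the PEM files, the returned ID is recorded only when the response reports success, and a local inventory maps hostnames to IDs. The function names and the inventory file `cert-ids.tsv` are assumptions, and `--rawfile` needs jq 1.6 or later.

```bash
#!/usr/bin/env bash
# Added example; function names and the inventory file are assumptions.
# Requires jq 1.6+ (--rawfile).

# Build the upload body. jq JSON-escapes the PEM newlines itself, and the
# private key is read from its file instead of passing through a shell variable.
build_upload_body() {  # usage: build_upload_body CERT.pem KEY.pem
  jq -n --rawfile cert "$1" --rawfile key "$2" \
    '{certificate: $cert, private_key: $key}'
}

# Read an API response on stdin and print .result.id, but only when the
# Cloudflare v4 response envelope says success and the ID is a non-empty string.
extract_cert_id() {
  jq -er 'select(.success == true) | .result.id
          | select(type == "string" and length > 0)'
}

# Append "ID<TAB>hostname<TAB>UTC time" to a local inventory, because the
# thread reports no API endpoint to list uploaded client certificates.
# Fails without writing anything if the upload did not succeed.
record_cert_id() {  # usage: record_cert_id INVENTORY HOSTNAME < response.json
  local id
  id=$(extract_cert_id) || { echo "upload failed, nothing recorded" >&2; return 1; }
  ( umask 077; printf '%s\t%s\t%s\n' "$id" "$2" "$(date -u +%FT%TZ)" >> "$1" )
  printf '%s\n' "$id"
}

# Print the most recently recorded ID for a hostname; exit 1 if none.
lookup_cert_id() {  # usage: lookup_cert_id INVENTORY HOSTNAME
  awk -F'\t' -v h="$2" '$2 == h { id = $1 }
    END { if (id == "") exit 1; print id }' "$1"
}

# Usage with the upload call from the post (variables as in the post):
#   build_upload_body /etc/cfssl/clientcerts/domain.com.pem \
#                     /etc/cfssl/clientcerts/domain.com-key.pem |
#   curl -sX POST "https://api.cloudflare.com/client/v4/zones/$cfzoneid/origin_tls_client_auth/hostnames/certificates" \
#     -H "X-Auth-Email: $cfemail" -H "X-Auth-Key: $cftoken" \
#     -H "Content-Type: application/json" -d @- |
#   record_cert_id /etc/cfssl/clientcerts/cert-ids.tsv domain.com
```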