Hello people of the Cloudflare Forum,

Today I was trying out the Cloudflare Client Certificate option.
From my understanding I should be able to, using the API, install a certificate I generated into a Zone to use for authorised Client pulls.
Nice! An additional layer of security.

The zone I am trying to do this on is under the free plan.
The API does say this should work on the free plans too: Cloudflare API v4 Documentation

So, now to my issue:
I have a TLS-Client certificate that’s SHA-256 signed with a 4096-bit RSA key I want to install using the method (API) seen here:

I have re-created the certificate multiple times with different signature types, following the same certificate extensions Cloudflare uses if you don’t enroll your own certificate, with the same result.
I always get the following error:

{"success":false,"errors":[{"code":1600,"message":"Internal Server Error"}],"messages":[]}

The request I use is (example):

curl -X POST "" \
-H "X-Auth-Email: [email protected]" -H "X-Auth-Key: feed00face00caffee0123456789098765432" \
-H "Content-Type: application/json" \
--data '{"certificate":"-----BEGIN CERTIFICATE-----\\n-----END CERTIFICATE-----\n","private_key":"-----BEGIN RSA PRIVATE KEY-----\\n-----END RSA PRIVATE KEY-----\n"}'

I can’t make sense of this. If anyone knows what I’m doing wrong, please do let me know!


Quick update:

  • If the certificate is a CA of any type, you get the error code 1412 with the message “Only leaf certificate is allowed”. That at least tells me that I’m not completely wrong here.
  • You also get a specific error if the extendedKeyUsage doesn’t include clientAuth, which is to be expected.

I still don’t see what I could be doing wrong.

I’m going to put in a support ticket now. I really don’t know what I could still be doing wrong :frowning:

Well, I am disappointed. Did not get help and nobody could point me in the right direction. I am still looking for a solution, but I am going to postpone this for a while.
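
A local pre-flight check for the two rejections described in the update above (a CA certificate, a missing clientAuth extendedKeyUsage), with the request body built by json.dumps so that PEM line breaks are written as \n escapes. This is an added example, not code from the original poster or from Cloudflare; the function names are hypothetical and sample_cert builds a constructed, unsigned DER skeleton rather than a real certificate. It does not verify the signature or check that the private key matches the certificate.

```python
import base64, json, re

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")      # 2.5.29.19
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")          # 2.5.29.37
OID_CLIENT_AUTH = bytes.fromhex("2b06010505070302")  # 1.3.6.1.5.5.7.3.2

def tlvs(buf):  # yield (tag, value) for each DER element in buf
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def preflight(cert_pem):
    """Return the reasons the upload would be refused (empty list = looks fine)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", cert_pem, re.S)
    if not m:
        return ["no PEM CERTIFICATE block found"]
    cert = next(tlvs(base64.b64decode("".join(m.group(1).split()))))[1]
    tbs = next(tlvs(cert))[1]  # first child of Certificate is tbsCertificate
    exts = next((v for t, v in tlvs(tbs) if t == 0xA3), None)  # [3] Extensions
    is_ca, ekus = False, []
    for _, ext in (tlvs(next(tlvs(exts))[1]) if exts else ()):
        fields = list(tlvs(ext))  # OID, optional critical flag, OCTET STRING
        oid, inner = fields[0][1], next(tlvs(fields[-1][1]))[1]
        if oid == OID_BASIC_CONSTRAINTS:  # SEQUENCE { cA BOOLEAN, pathLen }
            is_ca = any(t == 0x01 and v != b"\x00" for t, v in tlvs(inner))
        elif oid == OID_EXT_KEY_USAGE:    # SEQUENCE OF OID
            ekus = [v for _, v in tlvs(inner)]
    checks = ((is_ca, "certificate is a CA, not a leaf"),
              (OID_CLIENT_AUTH not in ekus, "extendedKeyUsage lacks clientAuth"))
    return [msg for failed, msg in checks if failed]

def build_body(cert_pem, key_pem):
    if problems := preflight(cert_pem):
        raise ValueError("; ".join(problems))
    return json.dumps({"certificate": cert_pem, "private_key": key_pem})

def tlv(tag, *parts):  # short-form DER encoder for the constructed sample only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_cert(ca, ekus):  # constructed, unsigned skeleton laid out like a certificate
    ext = lambda oid, *items: tlv(0x30, tlv(0x06, oid), tlv(0x04, tlv(0x30, *items)))
    bc = ext(OID_BASIC_CONSTRAINTS, tlv(0x01, b"\xff") if ca else b"")
    eku = ext(OID_EXT_KEY_USAGE, *[tlv(0x06, o) for o in ekus])
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"), tlv(0xA3, tlv(0x30, bc, eku))))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

The string returned by build_body can be written to a file and passed to curl with --data @file, which avoids hand-escaping the PEM inside shell quotes.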