If you disabled it and your site is still loading fine (not from the cache), that would suggest your site is not requiring client authentication, so it’s not really working, and you would need to ensure your server is properly configured to actually enforce and require client certificate authentication.
Bottom line, if your server is properly configured and you disable it on Cloudflare, you should get an error message.
We have had the talk before about deactivating the SSL from my host, which I did. My CA is being served by CloudFlare but, as you know, disabling the Authenticated Origin Pulls doesn’t cause any errors. I think I know why and I would like confirmation from you if you could.
I think this is caused by our edge certificate. We had the Universal CA. Since we are using the Origin CA that means we don’t need the Edge CA, right? From all of the information you have already given, I believe I should disable the Universal CA so the Origin CA can work, correct?
So breaking it down Barney style, the CloudFlare Edge Certificate should always be enabled and the Origin CA is just the middle man protecting the traffic to the origin server if CloudFlare cannot provide the cached version of the request, yes?
More or less yes. I would not say “just” as the proxies will typically have to talk to the origin and this will certainly require the certificate on the origin side (whether that is an Origin certificate or any other publicly recognised certificate).
As you mentioned, only if the request is served from the cache will the origin certificate not be involved, as there won’t be such a request.
As for your original question, client certificate authentication also plays a role only between the proxies and the origin and here you simply need to enable this on your server, so that it is enforced, as well as toggle the setting on Cloudflare, so that the request actually contains the certificate.
You can enhance your server logging and check if the certificate gets sent by Cloudflare, but that only checks that, not how your server responds when there’s no certificate and that’s what you want to check.
Authenticated Origin Pull, Edge Certificates and Cloudflare Origin Certificates are three separate features. You can use any or none on their own or together.
Origin Pull is a two step configuration.
The setting in the dashboard means Cloudflare will respond to an mTLS prompt from your Origin server.
You also have to configure your Origin server to require client certificates for all incoming connections.
If you never configure the Origin, then the dashboard setting does nothing. In order to use client certificate authentication (authenticated origin pull) the request to your web server must be using HTTPS.
You don’t have to use client certificate authentication, but if you do, you’ll also have to use the proxy certificate, as otherwise the request would still be on HTTP. The only exception would be if you are on an Enterprise plan and have Strict SSL-Only.
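The origin-side half of the two-step setup described in the last two replies (enforce client certificates on the server, and log whether Cloudflare actually sent one), as an added nginx example that is not from any poster in this thread or from Cloudflare’s documentation. The domain, file paths and the name of the downloaded origin-pull CA file are assumptions; the Cloudflare Origin CA certificate and the public origin-pull CA certificate both come from the Cloudflare dashboard/docs and are not reproduced here.

```nginx
# Added example (not from this thread): origin server enforcing
# Authenticated Origin Pulls. Paths and server_name are assumptions.

# Log what the handshake saw, so you can tell "no certificate sent"
# apart from "certificate sent but rejected" (the logging suggestion above).
# $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>.
log_format aop '$remote_addr [$time_local] "$request" $status '
               'client_verify=$ssl_client_verify dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    server_name example.com;

    # Cloudflare Origin CA certificate and key: this is what encrypts the
    # proxy -> origin hop (the "middle man" certificate discussed above).
    ssl_certificate     /etc/nginx/certs/origin-ca.pem;
    ssl_certificate_key /etc/nginx/certs/origin-ca.key;

    # Cloudflare's public origin-pull CA (downloaded from the Authenticated
    # Origin Pulls documentation). Only client certificates issued by this
    # CA pass verification.
    ssl_client_certificate /etc/nginx/certs/cloudflare-origin-pull-ca.pem;
    ssl_verify_depth 2;

    # This is the line that makes the dashboard toggle matter.
    # Weak / wrong setting, which produces exactly the symptom in this thread
    # (site keeps loading with the toggle off): "optional" (or omitting the
    # directive) accepts connections that present no certificate at all.
    # ssl_verify_client optional;
    #
    # Correct setting: a request with no certificate, or with a certificate
    # not issued by the CA above, gets an HTTP 400 from nginx instead of
    # the page.
    ssl_verify_client on;

    access_log /var/log/nginx/aop.log aop;

    location / {
        root /var/www/example.com;
    }
}
```

To run the check the first reply describes, test the origin directly (bypassing Cloudflare) without a client certificate; `curl -sS -o /dev/null -w '%{http_code}\n' --resolve example.com:443:ORIGIN_IP https://example.com/` should print `400`, and the `aop` log line should show `client_verify=NONE`. Then, with the site proxied, the dashboard toggle on should give you the page (`client_verify=SUCCESS` in the log) and the toggle off should give you an error instead of the page. If both states return the page, the origin is not enforcing the certificate and the `ssl_verify_client` line is the first thing to look at.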