IIS Client-Certificate getting 403.16

I created an “origin server certificate” via Cloudflare and tried to authenticate against my IIS web server. When I try that through the Cloudflare proxy, I get the following IIS error 403.16 (0x800b0109) on the web server. Then I tried using the “origin server certificate” on my client (without Cloudflare) for authentication against the website; that works well and everything looks good.

I understand the procedure as follows: the reverse proxy from Cloudflare shows my browser a self-signed certificate. Meanwhile, Cloudflare uses the “origin server certificate” to authenticate to my web server. Depending on whether my web server accepts the certificate or not, the request should succeed or fail.
Meanwhile, I’m not sure whether I have understood this function correctly.


In Cloudflare:

Web server (Windows Server 2019 with IIS 10.0):

I am afraid you seem to have mixed up a few things here. Origin certificates are standard server certificates and are not related to client certificate authentication, but you still seem to have configured the certificate for that.

What is it you actually want to achieve? Just to configure an Origin certificate for your website? In that case drop all the other configuration settings and just configure the certificate.

You’ll find all the details at https://developers.cloudflare.com/ssl/origin-configuration/origin-ca

Thanks for your answer. With every request, I want to authenticate Cloudflare through this procedure, so nobody can access my site without going through Cloudflare. I don’t want to use IP whitelists on my web server; I’m afraid that Cloudflare uses IP ranges that are not documented, which would mean users cannot access my site.

I also tried using a certificate for client authentication, but IIS always says there is no trusted root. I’m unable to find the root CA for this certificate signed by Cloudflare.

In that case you are not after an Origin certificate, but want to configure Cloudflare’s certificate for that particular feature. Check out https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up for more details.

That being said, there are no unknown IP address ranges and the addresses advertised at cloudflare.com/ips rarely change. You can certainly set up the authentication bit, but it’s not necessary.
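The 403.16 in the question is IIS reporting that the presented client certificate does not chain to a root in its trusted store, which is exactly what happens when the certificate was issued by one CA but only a different root is installed. The following added example (not part of this thread or of Cloudflare’s documentation) reproduces that check with openssl on constructed throwaway CAs: `cloudflare_pull` stands in for the CA that signs the proxy’s client certificate and `some_other` for a root the server trusts but that never issued it; all names and files are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: issue a client cert from CA "A", then verify it against
# trust anchor "A" (accepted) and trust anchor "B" (rejected, the 403.16 case).
set -e
WORK=$(mktemp -d)

make_ca() {  # $1 = CA name; writes $WORK/$1.key and $WORK/$1.crt (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1 Root CA" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

issue_client_cert() {  # $1 = issuing CA name, $2 = client name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Returns 0 when the client cert chains to the given trust anchor, non-zero otherwise.
# This is the decision IIS makes before it answers 403.16.
chain_is_trusted() {  # $1 = trust anchor CA name, $2 = client name
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca cloudflare_pull          # CA that signs the proxy's client certificate (hypothetical)
make_ca some_other               # a root the server trusts but that did not sign the cert
issue_client_cert cloudflare_pull proxy_client

if chain_is_trusted cloudflare_pull proxy_client; then
  echo "trusted root installed: request would be accepted"
fi
if ! chain_is_trusted some_other proxy_client; then
  echo "wrong root installed: IIS would answer 403.16"
fi
```

The fix on the server side is therefore to install the issuing CA of the client certificate into the Trusted Root store, not to rely on the origin certificate.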

Thank you for your answer. I will have a look at this documentation. If I have any further questions, I will ask them here again.


