Issue related to the client certificate for 2 different domains under same cloudflare account

Hello,
I am using a Cloudflare account and have added 2 different domains, let's say abc.com & xyz.com.
Now I am using the Full (strict) mode for SSL, and have enabled mTLS in both domains' settings.
I have created the client certificate for abc.com and installed the certificate on my client machine; when the user wants to access abc.com, the browser asks for authorization, and after the authorization the user can access abc.com.
Now I have also created the certificates for the xyz.com domain, but the issue I am facing here is that the machine on which the abc.com domain certificate is installed can also access xyz.com with the same certificate, as both domains are added to the same Cloudflare account.
Please let me know what could be wrong in my approach, as I want to differentiate between both domains, so that the authorized user for abc.com cannot access xyz.com and vice versa.

Steps I followed,
I created the client certificate, and then in Security I created the WAF rule; the expression below blocks the user.

(http.host in {"abc.com"}) and (not cf.tls_client_auth.cert_verified)

And the same rule is set under xyz.com domain.

I am using the Cloudflare Pro plan; please advise me accordingly.
Looking forward.

As far as I have used mTLS for IoT devices, Cloudflare generates a unique CA for each account, meaning it has effect for all the zones under the same CF account.

Could be I am wrong and I might have to double-check this with two domains and try once again to be future-proof.

Since Cloudflare validates client certificates with one CA, set at account level, these certificates can be used for validation across multiple zones, as long as the zones are under the same account and mTLS has been enabled for the requested hosts. This means that (a) if you bring your own CA, you can associate it with hosts in different zones and (b) if you use Cloudflare Managed CA, this is the default behavior.

Source article:
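The behaviour described in the thread can be modelled in a few lines. The following is an added example (not Cloudflare's code and not posted by anyone in the thread): it evaluates the original rule `(http.host in {"abc.com"}) and (not cf.tls_client_auth.cert_verified)` against constructed request contexts in which `cert_verified` is true for any certificate issued by the account-level CA, and compares it with a variant that additionally pins each host to the SHA-256 fingerprints of the certificates issued for that host. The field name `cf.tls_client_auth.cert_fingerprint_sha256` is recalled from the Ruleset Engine field reference and should be checked against current Cloudflare documentation; the fingerprint values, hosts and request contexts are constructed placeholders.

```python
"""Model of the two WAF rule shapes discussed in the thread.

Constructed example, not Cloudflare code. A request context is a dict
keyed by Ruleset Engine field names. cert_verified is True for ANY
certificate the account-level CA issued, regardless of which zone the
certificate was created for, which is the behaviour the replies describe.
"""

# Field names as used in Cloudflare rule expressions (assumption: recalled
# from the Ruleset Engine docs; verify before relying on them).
HOST = "http.host"
VERIFIED = "cf.tls_client_auth.cert_verified"
FINGERPRINT = "cf.tls_client_auth.cert_fingerprint_sha256"

# Constructed per-host allow-lists: SHA-256 fingerprints of the client
# certificates issued for each host. These are placeholders, not real hashes.
ALLOWED_FINGERPRINTS = {
    "abc.com": {"ABC_CERT_FINGERPRINT_PLACEHOLDER"},
    "xyz.com": {"XYZ_CERT_FINGERPRINT_PLACEHOLDER"},
}

# Every certificate the account CA has issued (union of all per-host lists).
# A certificate outside this set fails verification entirely.
ACCOUNT_ISSUED = set().union(*ALLOWED_FINGERPRINTS.values())


def make_request(host, fingerprint):
    """Build a constructed request context for `host` presenting a client
    certificate with the given fingerprint. Verification succeeds for any
    account-issued certificate, mirroring the single account-level CA."""
    return {HOST: host, FINGERPRINT: fingerprint, VERIFIED: fingerprint in ACCOUNT_ISSUED}


def host_only_rule_blocks(req, host):
    """The rule from the original post, for one host:
    (http.host in {host}) and (not cf.tls_client_auth.cert_verified)
    Returns True when the request would be blocked."""
    return req[HOST] == host and not req[VERIFIED]


def per_host_rule_blocks(req, host):
    """Hardened variant: block when the host matches and the certificate
    either fails verification or is not one issued for this host.
    Equivalent rule expression:
    (http.host in {host}) and (not cf.tls_client_auth.cert_verified
        or not cf.tls_client_auth.cert_fingerprint_sha256 in {<host's fingerprints>})"""
    if req[HOST] != host:
        return False
    return (not req[VERIFIED]) or (req[FINGERPRINT] not in ALLOWED_FINGERPRINTS[host])


def evaluate_scenarios():
    """Run the scenarios from the thread; returns {name: (host_only, per_host)}
    where each value says whether that rule would block the request."""
    scenarios = {
        # abc.com's own certificate used against abc.com: should be allowed.
        "abc_cert_to_abc": ("abc.com", "ABC_CERT_FINGERPRINT_PLACEHOLDER"),
        # abc.com's certificate used against xyz.com: the cross-zone case.
        "abc_cert_to_xyz": ("xyz.com", "ABC_CERT_FINGERPRINT_PLACEHOLDER"),
        # A certificate the account CA never issued: must be blocked by both.
        "foreign_cert_to_xyz": ("xyz.com", "NOT_ISSUED_BY_ACCOUNT_CA"),
    }
    results = {}
    for name, (host, fp) in scenarios.items():
        req = make_request(host, fp)
        results[name] = (host_only_rule_blocks(req, host), per_host_rule_blocks(req, host))
    return results


if __name__ == "__main__":
    for name, (host_only, per_host) in evaluate_scenarios().items():
        print(f"{name:22s} host-only rule blocks: {host_only!s:5s}  per-host rule blocks: {per_host}")
```

The middle scenario is the one reported in the question: the host-only rule lets abc.com's certificate through on xyz.com because `cert_verified` only says the account CA signed it. Pinning on fingerprint (or on subject DN, if the certificates for each host are issued with distinguishing subjects) makes the rule host-specific, at the cost of updating the allow-list whenever a certificate is rotated; bringing a separate CA per zone, as the second reply notes Cloudflare supports, avoids that maintenance.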
