Manual Authenticated Origin Pulls verification

I’m using a Http.sys net core application. I have done various researches (I could also be wrong) but the only way to enable “Authenticated Origin Pulls” seems to be to create a middleware that verify the certificate “origin-pull-ca.pem” installed on my server (root local machine) and comparing it with the client one.

Well, actually only when I enable Authenticated Origin Pulls I receive the Cloudflare pull origin certificate from the client. Correct. My problem is that I don’t find anything comparable with the “origin-pull-ca.pem”. The public key is different, the thumbprint is different.

So, how I should compare the “origin-pull-ca.pem” certificate with the one received from the client?

Are you sure that the certificate you have is up-to-date? Cloudflare has recently replaced their origin pull certificate so it’s possible that you still have the previous one.
You can find the current certificate at

1 Like

Yes, certificate installed on local machine/root on my machine is Thumbprint is 1F5BA8DCF83*******06710901AD641 and subject, S=California, L=San Francisco, OU=Origin Pull, O=“CloudFlare, Inc.”, C=US.

However, from request client certificate I receive always:
Thumbprint: A27996CBA564*******C48920C1F7D4AA3
Subject: OU=Origin Pull, O=“Cloudflare, Inc.”, L=San Francisco, S=California, C=US

Shouldn’t I receive the same certificate from client request?

This topic was automatically closed after 30 days. New replies are no longer allowed.