mTLS firewall rule - is only my cert permitted?


I’ve recently setup Cloudflare tunnels, and I’ve also put an mTLS WAF rule in front of all the tunnel domains. I’ve generated the client cert as per these docs and distributed it onto a few devices, and everything seems to be working fine.

My firewall rule (created with the Create mTLS Rule button) looks like:

( in {"" "" ...} and not cf.tls_client_auth.cert_verified)

My question is - does the client cert validation only allow the certs created in my account, for my domain? If someone generated a Cloudflare client cert for their own domain, would the firewall rule accept it?


Edit: Also, if the rule solely is not cf.tls_client_auth.cert_verified, will mTLS be required for all hosts in the domain?

It’s for client TLS certificates generated for each unqiue Cloudflare Account as it’s tied to the generated CA cert generated for your CF Account. So in theory it will work for other domain zones within your Cloudflare Account. But not domains not zones within your CF Account.

from your linked docs

You can only use API Shield with a certificate authority (CA) that is fully managed by Cloudflare. Cloudflare generates a unique CA for each account.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.