mTLS in front of Cloudflare Pages

I have a Cloudflare Pages site hosted at, say,

I want users to have a valid TLS Client Certificate installed in order to access this site.

I followed the instructions at to generate a certificate and key, and enabled mTLS in the zone for As per the instructions, I added a WAF rule configured to block requests matching ( in {""} and not cf.tls_client_auth.cert_verified)

However, all requests to are blocked by this rule. When I go to in Chrome, I would expect to see a popup asking me to choose a certificate to authenticate with, but I just get the cloudflare block page. When I try using curl with the --cert and --key options, I still get blocked. (The output of curl -v doesn’t even include Request CERT which I think signifies the server requesting a client cert.)

Is there anything else I need to configure to get this to work?

The zone in question is on the free plan if that matters.


Hi, did you solved this? I have the same issue. Thx

1 Like