Shield API: Create client certificate on demand via API

I have this scenario - users are getting registered to my website and using my API. I want to allow them to create a client certificate and download it, in order to use it to communicate with my API.

Is creating a client certificate part of the API of Cloudflare? Or do I need to do it manually for each customer request?

Is there a limitation regarding the number of client certificates per domain account on Cloudflare?

What is the pricing for using Shield API with multiple certificates?

Besides requiring users to have the right client certificate, is it also possible to use the Cloudflare firewall to limit the customer IP address(es)? So the firewall rule will be:

  1. Must have a specific client certificate
  2. Client origin IP must be
    Otherwise, block.


Can you not build this with the firewall rules? I.e., if there is not a valid cert or the IP address does not equal X, then block.

A question from me to Cloudflare is: how do you revoke client certs that are issued? Am I missing something here? Seems fairly fundamental for it to be used.