I have this scenario: users register on my website and use my API. I want to allow them to create a client certificate and download it, in order to use it to communicate with my API.

Is creating a client certificate part of the Cloudflare API, or do I need to do it manually for each customer request?

Is there a limitation on the number of client certificates per domain account on Cloudflare?

What is the pricing for using Shield API with multiple certificates?

Besides requiring users to have the right client certificate, is it also possible to use the Cloudflare firewall to limit the customer IP address(es)? So the firewall rule would be:

  1. Must have a specific client certificate
  2. Client origin IP must be
  Otherwise, block.


Can you not build this with the firewall rules? I.e. if there is not a valid cert or the IP address does not equal X, then block.

A question for me to Cloudflare is how do you revoke client certs that are issued? Am I missing something here? Seems fairly fundamental for it to be used.

We’ve posed the questions in this thread to the API shield engineering team.
You can issue a certificate via API only. Section 2 of this blog post describes the steps that you need to take to generate certificates without accessing the dashboard.

At the moment, the API Shield allows users to create and use up to 100 certificates per zone.

The current offering of API Shield is available to everyone and free. So no charges for using the 100 certificates.

Correct! The mTLS functionality of the Shield allows you to build rules by mixing a check on certificates as well as using any other field available in the rule builder. You can therefore build a rule that checks for valid certificates (by using the boolean field called Client Certificate Verified) and specify what IP addresses are allowed.

For this first version of the API Shield, you can issue up to 100 certificates and create a rule that checks for the validity of any certificate. We are currently working on adding more functionalities such as the ability to delete or revoke a specific certificate. This will be released in the near future.

Yes, the rule will be something like this:
(not cf.tls_client_auth.cert_verified) or (ip.src ne -> Block
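To tie the thread together, here is an added example (not Cloudflare's own tooling and not code from any poster) of the two pieces discussed above: the per-customer flow from the staff reply (generate a key and CSR locally, send only the CSR to API Shield, keep the returned certificate) and the block rule from the last reply, with the elided IP value filled in by a constructed allow-list. It assumes `CF_API_TOKEN` and `CF_ZONE_ID` are set in the environment, and that the endpoint paths (`/zones/{zone}/client_certificates`, `/zones/{zone}/firewall/rules`), the JSON field names (`csr`, `validity_days`, `filter.expression`, `action`) and the rule syntax `ip.src in {...}` match the public reference; treat those as assumptions to check against the docs.

```shell
#!/bin/sh
# Added example for this thread, not Cloudflare's own tooling.
# Assumptions: CF_API_TOKEN and CF_ZONE_ID are set; endpoint paths, JSON field
# names and the rule syntax below match the public API reference.
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Generate an RSA key and CSR for one customer. Only the CSR is uploaded; the
# private key stays with the customer, which is the point of client certs.
make_csr() {
  name="$1"                      # customer identifier, used as CN and file prefix
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" 2>/dev/null
  cat "$name.csr"
}

# JSON body for the certificate request: the PEM CSR with newlines escaped so
# it fits in a JSON string, plus the validity period in days (assumed fields).
cert_request_body() {
  name="$1"; days="$2"
  csr=$(awk '{ printf "%s\\n", $0 }' "$name.csr")
  printf '{"csr":"%s","validity_days":%d}' "$csr" "$days"
}

# Submit the CSR and keep the full response for the customer to download.
# Requires network access and a token with API Shield permissions.
issue_client_cert() {
  name="$1"; days="${2:-3650}"
  make_csr "$name" >/dev/null
  curl -sS -X POST "$CF_API/zones/$CF_ZONE_ID/client_certificates" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$(cert_request_body "$name" "$days")" > "$name.response.json"
}

# Rule expression: block when the certificate did not verify OR the source IP
# is outside the allow-list. ip.src in {...} takes space-separated IPs/CIDRs.
rule_expression() {
  allow="$1"
  printf '(not cf.tls_client_auth.cert_verified) or (not ip.src in {%s})' "$allow"
}

# Firewall Rules API body (assumed shape): a list of {filter, action} objects.
rule_body() {
  printf '[{"filter":{"expression":"%s"},"action":"block","description":"mTLS + IP allow-list"}]' \
    "$(rule_expression "$1")"
}

create_block_rule() {
  curl -sS -X POST "$CF_API/zones/$CF_ZONE_ID/firewall/rules" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$(rule_body "$1")"
}

# Network calls only run when explicitly requested, so the file can be sourced.
if [ "${RUN_CF_EXAMPLE:-0}" = "1" ]; then
  issue_client_cert customer42 3650
  create_block_rule "203.0.113.0/24 198.51.100.7"   # constructed allow-list
fi
```

Run it with `RUN_CF_EXAMPLE=1 CF_API_TOKEN=... CF_ZONE_ID=... sh issue.sh` to issue a certificate for `customer42` and install the rule; note that the rule blocks on a missing or unverified certificate as well as on a source address outside the list, so test it against one known-good client before rolling it out to all customers.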

