SSL/TLS Client Certificate Authentication, how to really revoke a certificate?

I'm testing whether we can use Cloudflare for protecting our webservices.
In some cases we want to use Client Certificate authentication; a main thing about this is that you can revoke certificates, for example when a device gets stolen, etc.

I searched and tried all kinds of different things, but I cannot really revoke a certificate; they keep working.

I tried:

  • Revoke from the UI
  • Tried to delete with the API (in reality, it's the same as revoking with the UI??)
  • The following rule in the WAF:
    ( in {"myhost.mydomain.tld"}) and ((not cf.tls_client_auth.cert_verified) or (cf.tls_client_auth.cert_revoked))

Does revoking not work on a free account (and if so, does it work on a Pro account)?
How do others deal with this?

What status does it show? Revoked?

Yes, they show revoked after revoking in the UI.
But also when deleting with the API (same as revoking).

Having the same problem. I would like to be able to revoke AND fully delete a client certificate from Cloudflare, but there's no such option to do so.

Once the certificate is created, it is valid for a certain number of years according to the duration you chose. At the same time, if an mTLS rule has been created, that needs to be updated as well.

Yes, I also read the manual.
I did that, see my WAF rule.
It does not work for some reason.

I find this a really strange construction.

  • Guys, let's set up a secure way for people to protect their websites/webservices
  • Yes, and as extra protection we offer security by Client Certificate Authentication
  • Cool, yes
  • Let's put a button there to revoke issued certificates.
  • Yes, let's do that, but no way are we gonna check the certificates for revocation.
    We'll implement that years and years later ...
    Just let people guess for years why we have a revoke button.
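An added example (not from the thread or from Cloudflare) that mirrors the boolean logic of the WAF rule shape used above, so the individual cases can be checked offline before trusting the rule in production. It is a local simulation, not Cloudflare's rule engine. The `cf.tls_client_auth.cert_verified` and `cf.tls_client_auth.cert_revoked` fields are taken from the thread; `http.host` is assumed to be the field that the rule as posted is missing in front of `in`, and the hostnames, certificate states and the second mTLS hostname are constructed sample values. The last function captures the reply that an mTLS rule must be kept in sync: a hostname with mTLS enabled but absent from the rule's host set is never blocked by it, revoked certificate or not.

```python
from dataclasses import dataclass

# One request as the rule engine would see it. Field names mirror the
# Cloudflare fields used in the thread; this dataclass is a local stand-in.
@dataclass(frozen=True)
class RequestContext:
    http_host: str        # http.host (assumed field)
    cert_verified: bool   # cf.tls_client_auth.cert_verified
    cert_revoked: bool    # cf.tls_client_auth.cert_revoked


# Constructed sample host set for the rule's "in {...}" clause.
RULE_HOSTS = frozenset({"myhost.mydomain.tld"})


def rule_matches(ctx: RequestContext, rule_hosts=RULE_HOSTS) -> bool:
    """(http.host in {...}) and ((not cert_verified) or cert_revoked)"""
    return ctx.http_host in rule_hosts and (not ctx.cert_verified or ctx.cert_revoked)


def decide(ctx: RequestContext, rule_hosts=RULE_HOSTS) -> str:
    """A matching custom rule with a Block action rejects the request;
    anything else falls through to the next rule (modelled as 'allow')."""
    return "block" if rule_matches(ctx, rule_hosts) else "allow"


def hosts_not_covered(mtls_hosts, rule_hosts=RULE_HOSTS) -> set:
    """Hostnames that have mTLS enabled but are missing from the rule.
    Requests to these hosts are never matched, so a revoked certificate
    is not rejected there until the rule is updated."""
    return set(mtls_hosts) - set(rule_hosts)


# Constructed sample traffic covering the cases discussed in the thread.
SAMPLES = {
    "valid cert":          RequestContext("myhost.mydomain.tld", True, False),
    "revoked cert":        RequestContext("myhost.mydomain.tld", True, True),
    "no/invalid cert":     RequestContext("myhost.mydomain.tld", False, False),
    "revoked, other host": RequestContext("api.mydomain.tld", True, True),
}

# Constructed: hostnames on which mTLS is switched on for this zone.
MTLS_HOSTS = {"myhost.mydomain.tld", "api.mydomain.tld"}


def evaluate_all(samples=SAMPLES, rule_hosts=RULE_HOSTS) -> dict:
    return {name: decide(ctx, rule_hosts) for name, ctx in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:22s} -> {verdict}")
    gap = hosts_not_covered(MTLS_HOSTS)
    if gap:
        print("mTLS hosts not covered by the rule:", ", ".join(sorted(gap)))
```

The fourth sample is the one to watch: the certificate is revoked, yet the request is allowed because `api.mydomain.tld` is not in the rule's host set. That is the situation the "mTLS rule needs to be updated as well" reply describes, and `hosts_not_covered` is the quick audit for it.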

