TLS Client Certificate for Android

Dear Community,

This is my first post on this forum and since I am new to Cloudflare and also a newbie concerning SSL/TLS security, I need some help on generating/setting up a Cloudflare TLS client certificate for Android.

What I want to achieve is following: self-hosted Nextcloud server protected by Cloudflare WAF, basically the servers should be accessible only if the clients have a TLS client certificate installed on their device laptop/client.

So far the edge, origin certificates created through Cloudflare are working well, with encryption mode set on Full (strict). Regarding client certificates, I’ve done the following:

STEP 1: Generating Client Certificates

On the client certificate tab, I’ve created the first client certificate as the following:

  • auto-generated private key and CSR with Cloudflare (private key type RSA 2048)
  • Certificate Authority: Cloudflare Managed CA
  • validity 10 years

after pressing next:

  • key format: pem
  • Certificate: saved as certificate.pem
  • Private Key: saved as privatekey.pem

STEP 2: Create mTLS rule

I’ve created a mTLS rule for the domain which points to nextcloud server. The rulle works well, it blocks everything trying to access the nextcloud server and when disabled in cloudflare firewall it allows accessing the website.

STEP 3: Installing Client Certificates on devices

For installing the client certificate on devices, I’ve created a pfx file through following openssl command:

openssl pkcs12 -export -out client_cert.pfx -inkey privatekey.pem -in certificate.pem

I’ve transferred the client_cert.pfx on an Ubuntu computer n and on my Android devices.

  • On Ubuntu: I’ve installed the client_cert.pfx in Firefox and in Brave browsers and after this step I can access my nextcloud server with mTLS rule enabled
  • On Android 11: after installing the client_cert.pfx as a VPN & app user certificate, I am unable to access the nextcloud server throughout various browsers (firefox, duckduckgo). When I check under Settings/Security/Encryption & credentials/User credentials I can see my certificate and when I tap on it it says it contains one user key and one user certificate

However, my nextcloud server is not accessible from Android, i always get a Cloudflare error 1020: Access denied

I’ve also downloaded and installed a Cloudflare root certificate: cloudflare_origin_rsa_pem.crt but even with this step I get the Error 1020: Access denied

Please help me understand what might be the issue and how I can solve it. If there are any other methods on setting up a client certificate on Android please include some links.

Thanks in advance for your help

best regards,

I’ve not use client certs, but with a 1020, I’d expect to see that in the Firewall Events Activity Log. Do you see anything there for your requests?

Hi sdayman,

Thanks for your reply.

Yes I see the request from my android phone being blocked, as it can be seen in the picture.

Considering that the Ubuntu computer is using the same client certificate and is able to access the nextcloud server (with the same public IP) I can only think that somehow the client certificate is not properly recognized by android or is not properly generated for an android device…

1 Like

Short update:

So far I tried troubleshooting the issue by using the same client TLS certificate on various devices with different browsers.

I discovered that the TLS client certificate is working on IOS with safari and on android with brave browser (which asks if I want to use the client certificate)

It seems that somehow the android browsers based on Firefox are ignoring or not using the client certificates stored under: Settings/Security/Encryption & credentials/User credentials

Sadly also the Nextcloud app does not work as I am unable to reach the website.

For deeper troubleshooting, I’ve installed the HTTP-Toolkit witch acts as a MITM layer.
Throughout this tool I realized for example that the Nextcloud app is also getting an Error 1020…

In conclusion, at this point I am not sure if this hole issue is because the TLS client certificate is not properly generated, is not properly installed on Android or if there are other issues for which Android does not recognize/trust the user certificate. :thinking:

Any help is appreciated :slightly_smiling_face:

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.