This is my first post on this forum and since I am new to Cloudflare and also a newbie concerning SSL/TLS security, I need some help on generating/setting up a Cloudflare TLS client certificate for Android.
What I want to achieve is the following: a self-hosted Nextcloud server protected by Cloudflare WAF; basically, the server should be accessible only if the clients have a TLS client certificate installed on their device (laptop/client).
So far the edge and origin certificates created through Cloudflare are working well, with the encryption mode set to Full (strict). Regarding client certificates, I’ve done the following:
STEP 1: Generating Client Certificates
On the client certificate tab, I’ve created the first client certificate as follows:
- auto-generated private key and CSR with Cloudflare (private key type RSA 2048)
- Certificate Authority: Cloudflare Managed CA
- validity 10 years
After pressing Next:
- key format: pem
- Certificate: saved as certificate.pem
- Private Key: saved as privatekey.pem
STEP 2: Create mTLS rule
I’ve created an mTLS rule for the domain which points to the Nextcloud server. The rule works well: it blocks everything trying to access the Nextcloud server, and when it is disabled in the Cloudflare firewall it allows accessing the website.
STEP 3: Installing Client Certificates on devices
For installing the client certificate on devices, I’ve created a pfx file with the following openssl command:
openssl pkcs12 -export -out client_cert.pfx -inkey privatekey.pem -in certificate.pem
I’ve transferred the client_cert.pfx to an Ubuntu computer and to my Android devices.
- On Ubuntu: I’ve installed the client_cert.pfx in the Firefox and Brave browsers, and after this step I can access my Nextcloud server with the mTLS rule enabled
- On Android 11: after installing the client_cert.pfx as a VPN & app user certificate, I am unable to access the Nextcloud server through various browsers (Firefox, DuckDuckGo). When I check under Settings/Security/Encryption & credentials/User credentials I can see my certificate, and when I tap on it it says it contains one user key and one user certificate
However, my Nextcloud server is not accessible from Android; I always get a Cloudflare error 1020: Access denied
I’ve also downloaded and installed a Cloudflare root certificate: cloudflare_origin_rsa_pem.crt but even with this step I get the Error 1020: Access denied
Please help me understand what might be the issue and how I can solve it. If there are any other methods for setting up a client certificate on Android, please include some links.
Thanks in advance for your help
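As an added example (not part of the post above, and not Cloudflare's own tooling), this script sanity-checks a client_cert.pfx built the way STEP 3 does before it is pushed to a device: it confirms the bundle opens with the export password, holds one private key and one client certificate, that the key actually matches the certificate, that the certificate is not about to expire, and prints the issuer so it can be compared with the CA the mTLS rule expects. It assumes `openssl` is on PATH; the key and certificate it generates are constructed stand-ins for the privatekey.pem and certificate.pem downloaded in STEP 1.

```shell
#!/bin/sh
# Constructed stand-ins for the Cloudflare-issued privatekey.pem / certificate.pem.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-client" -days 3650 \
  -keyout "$WORK/privatekey.pem" -out "$WORK/certificate.pem" >/dev/null 2>&1
# Same export as in STEP 3, with an explicit export password (placeholder value).
openssl pkcs12 -export -out "$WORK/client_cert.pfx" -inkey "$WORK/privatekey.pem" \
  -in "$WORK/certificate.pem" -passout pass:changeit

# verify_pfx <file.pfx> <export-password>
# Returns 0 only if the bundle opens with that password, contains exactly one private
# key and one client certificate, the key's public half matches the certificate, and
# the certificate is valid for at least another 24 hours. Prints a short report.
verify_pfx() {
  pfx=$1 pw=$2
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts -out "$tmp/cert.pem" 2>/dev/null \
    || { echo "FAIL: cannot open $pfx (wrong password or unreadable bundle)"; rm -rf "$tmp"; return 1; }
  openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null \
    || { echo "FAIL: cannot extract private key from $pfx"; rm -rf "$tmp"; return 1; }
  ncert=$(grep -c 'BEGIN CERTIFICATE' "$tmp/cert.pem" || true)
  nkey=$(grep -c 'BEGIN.*PRIVATE KEY' "$tmp/key.pem" || true)
  if [ "$ncert" != "1" ] || [ "$nkey" != "1" ]; then
    echo "FAIL: expected 1 certificate and 1 key, found $ncert cert(s) and $nkey key(s)"
    rm -rf "$tmp"; return 1
  fi
  # Compare SHA-256 of the DER public key taken from the cert and from the key.
  cpub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  kpub=$(openssl pkey -in "$tmp/key.pem" -pubout -outform DER | openssl dgst -sha256)
  if [ "$cpub" != "$kpub" ]; then
    echo "FAIL: private key does not match the certificate"; rm -rf "$tmp"; return 1
  fi
  if ! openssl x509 -in "$tmp/cert.pem" -noout -checkend 86400 >/dev/null; then
    echo "FAIL: certificate is expired or expires within 24 hours"; rm -rf "$tmp"; return 1
  fi
  echo "OK: key matches certificate"
  openssl x509 -in "$tmp/cert.pem" -noout -subject -issuer -enddate
  rm -rf "$tmp"
  return 0
}

verify_pfx "$WORK/client_cert.pfx" changeit && echo "bundle is consistent"
```

For a real bundle, the issuer line should name the Cloudflare Managed CA chosen in STEP 1; a self-signed or differently issued certificate will pass the local checks here but still be rejected by the mTLS rule.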