Set up authenticated origin pulls
Set up authenticated origin pulls via one of the following options:
- Zone-Level Authenticated Origin Pull using Cloudflare certificates
- Zone-Level Authenticated Origin Pull using customer certificates
- Per-Hostname Authenticated Origin Pull using customer certificates
Authenticated Origin Pull does not work when your SSL/TLS encryption mode is set to Off or Flexible.
Zone-Level — Cloudflare certificate
Certificate value
Cloudflare uses a specific CA to sign certificates for the Authenticated Origin Pull service.
If you need the value for that CA, download the .PEM file.
Setup instructions
To enable Authenticated Origin Pull globally on a zone:
- Install the above certificate at the origin web server to authenticate all connections.
- For your SSL/TLS encryption mode, select Full.
- Configure your origin web server to accept client certificates:
Apache example
For this example, you would have saved the certificate to /path/to/origin-pull-ca.pem.
```apache
# Require a client certificate on every TLS connection; the handshake fails without one.
SSLVerifyClient require
# The client certificate must be signed directly by the CA below.
SSLVerifyDepth 1
# Cloudflare's Authenticated Origin Pull CA (the downloaded .PEM file).
SSLCACertificateFile /path/to/origin-pull-ca.pem
```
NGINX example
For this example, you would have saved the certificate to /etc/nginx/certs/cloudflare.crt.
```nginx
# Cloudflare's Authenticated Origin Pull CA (the downloaded .PEM file).
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
# Reject requests that do not present a client certificate signed by that CA.
ssl_verify_client on;
```
- Enable Authenticated Origin Pulls:
  - In the dashboard, go to Authenticated Origin Pulls and select On.
  - For the API, change the TLS Client Auth setting.
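The snippets above only show the two directives that enforce client authentication. As an added example (not from the Cloudflare docs), here is a complete NGINX server block that ties them together with the origin's own server certificate, which SSL/TLS mode Full requires. The hostname, certificate paths and the upstream address are assumptions for illustration; the CA file is the same Cloudflare .PEM file saved under the assumed path.

```nginx
# Added example (not Cloudflare's own configuration): an origin that accepts
# only TLS connections presenting a client certificate signed by Cloudflare's
# Authenticated Origin Pull CA. Hostname, paths and upstream are assumed values.
server {
    listen 443 ssl;
    server_name www.example.com;

    # The origin's own server certificate and key (needed for SSL/TLS mode "Full").
    ssl_certificate     /etc/nginx/certs/origin.crt;
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # CA that signed the client certificate Cloudflare presents on origin pulls
    # (the .PEM file from the docs, saved under this assumed path).
    ssl_client_certificate /etc/nginx/certs/cloudflare.crt;

    # "on": a request without a valid client certificate is rejected with an
    # error before any location block runs, so it never reaches the application.
    ssl_verify_client on;
    # The client certificate must be signed directly by the CA above
    # (mirrors SSLVerifyDepth 1 in the Apache example).
    ssl_verify_depth 1;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed upstream application
        # Forward the verification result so the application can log/audit it.
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
}

# Weaker variant to avoid: "ssl_verify_client optional" completes the handshake
# even when no client certificate is sent, so the application (or an explicit
# rule like the one below, placed in the server block) must reject requests
# whose $ssl_client_verify is not "SUCCESS".
#
#     ssl_verify_client optional;
#     if ($ssl_client_verify != SUCCESS) { return 403; }
```

Before switching Authenticated Origin Pulls on in the dashboard, confirm with a plain TLS client (one that presents no client certificate) that the origin now refuses to serve the request; if it still answers, the directives are not in the server block that actually handles the hostname.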
Zone-Level — customer certificates
- For your SSL/TLS encryption mode, select Full.
- Upload a custom certificate following these instructions, but use the origin_tls_client_auth endpoint.
- Enable Authenticated Origin Pulls:
  - In the dashboard, go to Authenticated Origin Pulls and select On.
  - For the API, set the enablement for a zone.
Per-Hostname — customer certificates
When enabling Authenticated Origin Pull per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. Customers can use client certificates from their Private PKI to authenticate connections from Cloudflare.
- Upload a custom certificate following these instructions, but use the /origin_tls_client_auth/hostnames/certificates endpoint.
- On a specific hostname, enable Authenticated Origin Pull.
Replace a client cert (without downtime)
For hostname:
For global:
- Once the new certificate is active, delete the old certificate.
To apply a different client certificate simultaneously at both the zone and hostname level
- Upload a certificate following the steps in Zone-Level Authenticated Origin Pull.
- Upload multiple certificates following the steps in Per-Hostname Authenticated Origin Pull.
Delete a certificate
Client certificates are not deleted from Cloudflare upon expiration unless a delete or replace request is sent to the Cloudflare API.
However, requests are dropped at your origin if your origin only accepts a valid client certificate.