Set up authenticated origin pulls

Set up authenticated origin pulls via one of the following options:

• Zone-Level Authenticated Origin Pull using Cloudflare certificates
• Zone-Level Authenticated Origin Pull using customer certificates
• Per-Hostname Authenticated Origin Pull using customer certificates

Authenticated Origin Pull does not work when your SSL/TLS encryption mode is set to Off or Flexible.

​​ Zone-Level — Cloudflare certificate

​​ Certificate value

Cloudflare uses a specific CA to sign certificates for the Authenticated Origin Pull service.

If you need the value for that CA, download the .PEM file .

​​ Setup instructions

To enable Authenticated Origin Pull globally on a zone:

1. Install the above certificate at the origin web server to authenticate all connections.

2. For your SSL/TLS encryption mode, select Full.

3. Configure your origin web server to accept client certificates:

   Apache example

   For this example, you would have saved the certificate /path/to/origin-pull-ca.pem.

   SSLVerifyClient require
   SSLVerifyDepth 1
   SSLCACertificateFile /path/to/origin-pull-ca.pem

   NGINX example

   For this example, you would have saved the certificate to /etc/nginx/certs/cloudflare.crt.

   ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
   ssl_verify_client on;

4. Enable Authenticated Origin Pulls:

   • In the dashboard Open external link , go to Authenticated Origin Pulls and select On.
   • For the API, change the TLS Client Auth setting Open external link :

​​ Zone-Level — customer certificates

1. For your SSL/TLS encryption mode, select Full.

2. Upload a custom certificate following these instructions , but use the origin_tls_client_auth endpoint Open external link .

3. Enable Authenticated Origin Pulls:

   • In the dashboard Open external link , go to Authenticated Origin Pulls and select On.
   • For the API, set the enablement for a zone Open external link :

​​ Per-Hostname — customer certificates

When enabling Authenticated Origin Pull per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. Customers can use client certificates from their Private PKI to authenticate connections from Cloudflare.

1. Upload a custom certificate following these instructions , but use the /origin_tls_client_auth/hostnames/certificates endpoint Open external link .

1. On a specific hostname, enable Authenticated Origin Pull Open external link .

​​ Replace a client cert (without downtime)

For hostname:

1. Upload the new certificate Open external link .

2. Enable Authenticated Origin Pull for that specific hostname Open external link .

For global:

1. Upload the new certificate Open external link .

2. Check whether new certificate is Active Open external link .

3. Once certificate is active, then delete the old certificate Open external link .

​​ To apply a different client certificate simultaneously at both the zone and hostname level

1. Upload a certificate following steps in Zone-Level Authenticated Origin Pull

2. Upload multiple certificates following the steps in Per-Hostname Authenticated Origin Pull

​​ Delete a certificate

Client certificates are not deleted from Cloudflare upon expiration unless a delete Open external link or replace Open external link request is sent to the Cloudflare API.

However, requests are dropped at your origin if your origin only accepts a valid client certificate.