Cloudflare Origin Pull Configuration

To set up per-hostname origin pull mTLS authentication on Cloudflare Enterprise, you have to use the API to load the client certificate into Cloudflare's edge. The following steps show how to do that with the API.

The official documentation doesn't make this straightforward, so I've added a few extra steps and the required parameters for the API call that the Cloudflare API documentation below leaves out.

Get your Auth Key from the Cloudflare dashboard -> My Profile -> API Tokens -> Global API Key, and be sure to rotate it once you are done with this operation, since the Global API Key carries full account permissions.

Step 1: List Zones for Zone ID

Get the Zone ID, which every later call needs.

# Shell variables only expand inside double quotes; single quotes would send the literal text "$auth_key_from_profile".
curl --request GET \
  --url https://api.cloudflare.com/client/v4/zones \
  --header 'Content-Type: application/json' \
  --header "X-Auth-Email: $cloudflare_dash_email_address" \
  --header "X-Auth-Key: $auth_key_from_profile"

Step 2: List Certs

If you already have a certificate you want to attach, get its ID from this list.

# Lists the client certificates already uploaded for this zone; note the "id" of the one you want.
curl --request GET \
  --url "https://api.cloudflare.com/client/v4/zones/$zone_id_from_step_1/origin_tls_client_auth/hostnames/certificates" \
  --header 'Content-Type: application/json' \
  --header "X-Auth-Email: $cloudflare_dash_email_address" \
  --header "X-Auth-Key: $auth_key_from_profile"

Step 3: Add Cert if necessary

# The PEM blocks go in as single JSON strings with "\n" between the lines; keep the id from the response for step 4.
curl --request POST \
  --url "https://api.cloudflare.com/client/v4/zones/$zone_id_from_step_1/origin_tls_client_auth/hostnames/certificates" \
  --header 'Content-Type: application/json' \
  --header "X-Auth-Email: $cloudflare_dash_email_address" \
  --header "X-Auth-Key: $auth_key_from_profile" \
  --data '{
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEt\ncert\nfrom\norigin\ncertificate\npage\n-----END CERTIFICATE-----\n",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE\npriv\nkey\n-----END RSA PRIVATE KEY-----\n"
}'

Step 4: Enable hostname for Origin Pull

# The body is fed from a heredoc so $cert_id_from_step_3 expands; inside a single-quoted --data string it would be sent literally.
curl --request PUT \
  --url "https://api.cloudflare.com/client/v4/zones/$zone_id_from_step_1/origin_tls_client_auth/hostnames" \
  --header 'Content-Type: application/json' \
  --header "X-Auth-Email: $cloudflare_dash_email_address" \
  --header "X-Auth-Key: $auth_key_from_profile" \
  --data @- <<EOF
{
  "config": [
    {
      "cert_id": "$cert_id_from_step_3",
      "enabled": true,
      "hostname": "hostname.from.origin.cert.com"
    }
  ]
}
EOF

Step 5: Enable Configuration Rule for Origin Pull

If you are using multiple subdomains, and don’t want to apply this config to all hosts, you can add a host-level configuration under Configuration Rules to enable Origin Pull for a specific pattern.

Additionally, don’t forget to enable Origin Pull functionality on the zone, under SSL/TLS -> Origin Server -> Authenticated Origin Pulls.
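As an added example (not from the original post or from Cloudflare), the API steps above as a small Python script using only the standard library: the constructed sample zone list and placeholder PEM blobs let the body-building helpers be checked offline, while enable_origin_pull() performs the live calls. It assumes the certificate upload response returns the new certificate's id under result.id, which is the id step 4 consumes.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
# Constructed sample data so the helpers can be exercised offline; not real Cloudflare output.
SAMPLE_ZONES = {"success": True, "result": [{"id": "ZONEID_EXAMPLE_1", "name": "example.com"},
                                            {"id": "ZONEID_EXAMPLE_2", "name": "example.net"}]}
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"


def auth_headers(email, api_key):
    # Same Global API Key headers as the curl calls; a scoped API token sent as
    # "Authorization: Bearer <token>" is the least-privilege alternative.
    return {"Content-Type": "application/json", "X-Auth-Email": email, "X-Auth-Key": api_key}


def find_zone_id(zones_response, zone_name):
    # Step 1: select the zone by name instead of eyeballing the JSON list.
    for zone in zones_response["result"]:
        if zone["name"] == zone_name:
            return zone["id"]
    raise LookupError(f"zone {zone_name!r} not in response")


def cert_upload_body(cert_pem, key_pem):
    # Step 3: json.dumps turns the PEM's real newlines into the "\n" escapes the API expects.
    if "BEGIN CERTIFICATE" not in cert_pem or "PRIVATE KEY" not in key_pem:
        raise ValueError("expected PEM-encoded certificate and private key")
    return json.dumps({"certificate": cert_pem, "private_key": key_pem})


def hostname_config_body(cert_id, hostnames, enabled=True):
    # Step 4: one config entry per hostname, all bound to the uploaded certificate.
    return json.dumps({"config": [{"cert_id": cert_id, "enabled": enabled, "hostname": h}
                                  for h in hostnames]})


def cf_request(method, path, headers, body=None):
    data = body.encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def enable_origin_pull(email, api_key, zone_name, cert_pem, key_pem, hostnames):
    # Steps 1, 3 and 4 chained; the cert id is assumed to arrive in the upload response's result.id.
    headers = auth_headers(email, api_key)
    zone_id = find_zone_id(cf_request("GET", "/zones", headers), zone_name)
    base = f"/zones/{zone_id}/origin_tls_client_auth/hostnames"
    uploaded = cf_request("POST", base + "/certificates", headers, cert_upload_body(cert_pem, key_pem))
    return cf_request("PUT", base, headers, hostname_config_body(uploaded["result"]["id"], hostnames))
```

After the PUT succeeds, the zone-level Authenticated Origin Pulls toggle from step 5 still has to be on for the edge to present the certificate.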