Barbican Identity Demo
mTLS

Mutual TLS

Client certificate authentication at the transport layer. No user login prompt — identity is the certificate.


Certificate Info

Client certificate (forwarded by Cloudflare)
If you reached this page, your client presented a valid certificate trusted by the configured CA.
Cloudflare forwards certificate details via request headers — these are only visible server-side.
See Cf-Client-Cert-* headers at your origin.

How This Works

Mutual TLS extends the standard TLS handshake: the server presents its certificate (normal TLS), and additionally requires the client to present a certificate signed by a trusted Certificate Authority. Cloudflare terminates TLS and validates the client certificate before the request reaches the origin.

If the client does not present a certificate, or presents one signed by an untrusted CA, Cloudflare blocks the request at the edge — the origin never sees it. There is no login redirect, no user interaction. Identity is entirely expressed through the certificate.

Cloudflare forwards details of the validated certificate (subject, issuer, and serial number) to the origin as HTTP headers, including Cf-Client-Cert-Der-Base64 and Cf-Client-Cert-Sha256-Fingerprint, so the origin can make further authorization decisions if needed.
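As an added example (not code from this demo page), here is an origin-side check in Go that uses the two headers named above: it re-derives the SHA-256 fingerprint from the forwarded DER bytes, parses the certificate, and applies a Common Name allow-list. The header names come from the text; the assumption that the fingerprint is hex-encoded, the allow-list, and the self-signed test certificate are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// OriginDecision re-checks the client certificate Cloudflare forwarded and returns its
// Common Name if that CN is allow-listed. Header names are those on the page; reading
// the fingerprint as hex (any case, optional colons) is an assumption.
func OriginDecision(h http.Header, allowedCN map[string]bool) (string, error) {
	der, err := base64.StdEncoding.DecodeString(h.Get("Cf-Client-Cert-Der-Base64"))
	if err != nil || len(der) == 0 {
		return "", errors.New("no forwarded client certificate")
	}
	sum := sha256.Sum256(der) // the fingerprint header must match the DER we were given
	fp := strings.ToLower(strings.ReplaceAll(h.Get("Cf-Client-Cert-Sha256-Fingerprint"), ":", ""))
	if fp != hex.EncodeToString(sum[:]) {
		return "", errors.New("fingerprint header does not match forwarded certificate")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	if !allowedCN[cert.Subject.CommonName] {
		return "", errors.New("CN not authorised: " + cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil
}

// DemoCertDER builds a constructed self-signed certificate with the given CN (test data only).
func DemoCertDER(cn string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}
```

Trust these headers only on requests that demonstrably arrived through Cloudflare (for example by restricting the origin to Cloudflare traffic); a request that reaches the origin directly can carry any header value.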

Use case: mTLS is suited to machine-to-machine communication, IoT devices, or API clients where interactive login is not possible. It is also used for device-posture enforcement when combined with device management (e.g. certificates issued to managed devices only).

Cloudflare Configuration

1. Upload or Generate a CA

  1. Zero Trust → Access → Service Auth → Mutual TLS → Add mTLS Certificate
  2. Either upload your own CA certificate (PEM format), or use Cloudflare's certificate generation for testing
  3. Associate the CA with the hostname: barbicancloud.co.uk or mtls.barbicancloud.co.uk

2. Add Access Application

  1. Zero Trust → Access → Applications → Add an Application → Self-hosted
  2. Domain: barbicancloud.co.uk/mtls/* or mtls.barbicancloud.co.uk
  3. Add a policy: Action = Allow, Selector = Valid Certificate (or Certificate with specific Common Name)

Generating a Test Client Certificate

If using your own CA, generate a client certificate signed by it:

# Generate a client key and CSR
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/CN=test-client/O=Barbican Demo"

# Sign with your CA (ca.crt / ca.key are the CA you uploaded to Cloudflare)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

# Test with curl, presenting the client certificate and key
curl --cert client.crt --key client.key https://mtls.barbicancloud.co.uk

Routing

Path-based: barbicancloud.co.uk/mtls/
Subdomain: mtls.barbicancloud.co.uk