Client certificate

The Client Certificate device posture attribute checks if the device has a valid certificate signed by a trusted certificate authority (CA). The posture check can be used in Gateway and Access policies to ensure that the user is connecting from a managed device.

​​ Prerequisites

• A root CA that issues client certificates for your devices. You can use the Cloudflare PKI toolkit to generate a sample root CA for testing.
• Cloudflare WARP client is deployed on the device. For a list of supported modes and operating systems, refer to WARP client checks.
• A client certificate is installed and trusted on the device.

  System	Certificate store
  macOS	System Keychain
  Windows	Current User\Personal store
  Linux	NSSDB

​​ Configure the client certificate check

1. Use the Upload mTLS certificate endpoint Open API docs link to upload the certificate and private key to Cloudflare. The certificate must be a root CA, formatted as a single string with \n replacing the line breaks. The private key is only required if you are using this custom certificate for Gateway HTTPS inspection.

   The response will return a UUID for the certificate:

2. In Zero Trust , go to Settings > WARP Client.

3. Scroll down to WARP client checks and select Add new.

4. Select Client certificate.

5. You will be prompted for the following information:

   1. Name: Enter a unique name for this device posture check.
   2. Operating system: Select your operating system.
   3. Certificate ID: Enter the UUID of the root CA.
   4. Common name: Enter the common name of the client certificate (not the root CA).

6. Select Save.

Next, go to Logs > Posture and verify that the client certificate check is returning the expected results.

​​ How WARP checks for a client certificate

Learn how the WARP client determines if a client certificate is installed and trusted on the device.

For the posture check to pass, a certificate must appear in the output that validates against the uploaded root CA.