r/CloudFlare: CloudflareD tunnel authentication w/ certificate

💡
This article archives a conversation, which took place in a subreddit post (original source linked below) and to which I contributed a solution or answer (with the u/MasterofSynapse handle), in a Q&A format.

Original Reddit post: https://www.reddit.com/r/CloudFlare/comments/yk76ug/cloudflared_tunnel_authentication_w_certificate/

Question

I’ve been trying to create and download a certificate for authentication with CloudflareD, but I’m failing to get it to work. Could use some pointers.

  1. Am I correct the certificate for authentication should be two parts, client certificate and private key
  2. Should they be created on domain level? mTLS or SSL?
  3. What is the correct format for certs to be installed in MacOS? RSA or ECC? What extension? PEM? Other?
  4. Same as 3. but for Windows.
  5. Any instructions how to install the cert for MacOS and Windows?

Thanks in advance!

Answer

Where did you read that you need certificates for cloudflared?

The tunnels based on cloudflared use tokens issued by Cloudflare One orgs.

Comment 1 on Answer

I understand that I don’t need a cert for CloudflareD. I want to use a certificate for client authentication, instead of using other means of authentication.

My response to comment 1

Are you sure that you mean cloudflared and not Cloudflare Access Applications?

The cloudflared daemon is just there to connect your network to the Cloudflare edge so you don't need port forwardings to access your services. There is no authentication involved with cloudflared tunnels.

Comment 1.1 on Answer

Ok, fair enough. Cloudflare access applications. Thanks

My response to comment 1.1

Do you now want to know how you can authenticate with certificates for Cloudflare Access Applications?

Comment 1.2 on Answer

I know it’s possible, but it’s unclear which cert to use. SSL? mTLS? Created on subdomain level? And installation of cert on client devices - should the cert be based on ECC or RSA, what file extension (pem, crt, pk7, der). Should both private key and cert be installed or just the cert. Etc.

Many details are not well described unfortunately.

Thanks

My response to comment 1.2

With Cloudflare Access Applications, the Cloudflare One platform doesn't handle authentication, since it is the SP (service provider). A connected IdP (Identity Provider) has to authenticate the user and then pass Cloudflare a token telling them the user details to check against the Access Application permissions.

Cloudflare One supports these IdPs:

  • Azure AD
  • Centrify
  • Facebook
  • GitHub
  • Google Workspace
  • Google
  • LinkedIn
  • Okta
  • OneLogin
  • OpenID Connect
  • SAML
  • Yandex

I am sure that some of them support authenticating with a device certificate. But since the authentication happens with the IdP, you have to check their documentation on what the cert requirements are, after choosing one from the list.

Comment 1.3 on Answer

I’m referring to this documentation. https://developers.cloudflare.com/cloudflare-one/policies/access/

Valid certificate is one of the options. So I presume a policy can be made that authenticates simply by certificate.

It only makes sense that the certificate can be fully controlled by the domain owner, meaning that the certificate sold be created on domain level to allow admins to control access.

Please let me know if your understanding is different than mine. The mTLS function on domain level should allow for handshake TLS cert to avoid access by those without certificate. Indeed, I’m able to activate mTLS and block access. But mTLS seems to work outside of Cloudflare application access, and so I am not sure what would be the best setup.

But yes, I’m pretty sure certificate-based access is possible with Cloudflare , either via Cloudflare access apps, or via firewall rule with mTLS certificate on sun domain level.

My response to comment 1.3

The PKI needed here for client certificate authentication should be self-signed, no need to buy a certificate. The trust for the PKI on Cloudflare's side is established by providing them the public Root CA cert used to sign the client certs. The first link posted by @alex-mayorga (https://developers.cloudflare.com/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) explains everything you want to know.

Comment 1.4 on Answer

Any pointers if the cert should be RSA or ECC?

My response to comment 1.4

Cloudflare should support both since they use Google's fork of OpenSSL, BoringSSL.