Skip to content

TLS Management

Mutual TLS (mTLS) adds an extra layer of protection to application connections by validating certificates on the server and the client. When building a SaaS application, you may want to enforce mTLS to protect sensitive endpoints related to payment processing, database updates, and more.

Minimum TLS Version allows you to choose a cryptographic standard per custom hostname. Cloudflare recommends TLS 1.2 to comply with the Payment Card Industry (PCI) Security Standards Council.

Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake. As a SaaS provider, you can specify configurations for cipher suites on your zone as a whole and cipher suites on individual custom hostnames via the API.

Enable mTLS

Once you have added a custom hostname, you can enable mTLS by using Cloudflare Access. Go to Cloudflare Zero Trust and add mTLS authentication with a few clicks.

Enable Minimum TLS Version

  1. Log in to the Cloudflare dashboard and navigate to your account and website.

  2. Select SSL/TLS > Custom Hostnames.

  3. Find the hostname to which you want to apply Minimum TLS Version. Select Edit.

  4. Choose the desired TLS version under Minimum TLS Version and click Save.

Cipher suites

For security and regulatory reasons, you may want to only allow connections from certain cipher suites. Cloudflare provides recommended values and full cipher suite reference in our Cipher suites documentation.

Restrict cipher suites for zone

Refer to Edit zone setting and use ciphers as the setting name in the URI path.

Restrict cipher suites for custom hostname

Refer to SSL properties of a custom hostname.

When making the request, make sure to include type and method within the ssl object, as well as the settings specifications.

Alerts for mutual TLS certificates

You can configure alerts to receive notifications before your mutual TLS certificates expire.

Access mTLS Certificate Expiration Alert

Who is it for?

Access customers that use client certificates for mutual TLS authentication. This notification will be sent 30 and 14 days before the expiration of the certificate.

Other options / filters

None.

Included with

Purchase of Access and/or Cloudflare for SaaS.

What should you do if you receive one?

Upload a renewed certificate.

Refer to Cloudflare Notifications for more information on how to set up an alert.