We have a requirement to let customers/partners connect to our service with mutual TLS. API keys are not deemed secure enough. This is possible today with your own Cloudflare zone, but it requires a bunch of steps because you must use custom certificates. These take priority over the certificates that Cloudflare for SaaS issues by default.
To save others the trouble we went through:
  • Set up Cloudflare Business for your custom domain and proxy it to Render. This creates an O2O configuration.
  • Set up a custom certificate for the custom domain. This can be self-signed or from a 'real' certificate authority (CA).
  • Enable mTLS for the custom domain and require mTLS with a WAF custom rule.
  • You almost certainly will want to forward the client certificate details to your backend (we use managed transforms) so you can use them in your authentication logic.
  • Let the customer/partner create a certificate signing request (CSR), upload it into your Cloudflare dashboard, and return the generated client certificate to them.
  • If you use a self-signed certificate or your own CA, don't forget to tell your customer/partner to trust it.
It would be great if this complexity could be collapsed down to two steps in the Render dashboard:
  • set up and enforce mTLS for a domain
  • upload a CSR and download the signed client certificate
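Worked example of the backend side of the "forward the client certificate details" step, added here as an illustration and not taken from the post above or from Render/Cloudflare. It assumes Cloudflare's "Add TLS client auth headers" managed transform delivers the client certificate as base64 DER in a `Cf-Client-Cert-Der-Base64` header (assumed name), and that a Transform Rule adds an `X-Origin-Secret` header (assumed name and value) so the origin can distinguish proxied traffic from a direct hit that never went through the edge mTLS check. The CA, partner certificate and request are all generated in-process for the demo; in production the CA is the one used with Cloudflare and the enrolment map is fed by the CSR workflow.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Assumed header names: the first is what the Cloudflare managed transform is expected to set,
// the second is a shared secret we assume a Transform Rule adds on every proxied request.
const (
	hdrClientCertDER = "Cf-Client-Cert-Der-Base64"
	hdrOriginSecret  = "X-Origin-Secret"
)

// Authenticator turns the forwarded certificate into a partner identity.
type Authenticator struct {
	originSecret []byte
	roots        *x509.CertPool    // the CA that signs partner client certificates
	partners     map[string]string // hex SHA-256 of certificate DER -> partner name
}

func NewAuthenticator(secret string, caCert *x509.Certificate) *Authenticator {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &Authenticator{originSecret: []byte(secret), roots: pool, partners: map[string]string{}}
}

// Fingerprint pins a certificate by its DER hash rather than by subject name alone.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Enroll records a certificate issued through the CSR workflow; removing the entry revokes access.
func (a *Authenticator) Enroll(name string, cert *x509.Certificate) {
	a.partners[Fingerprint(cert)] = name
}

// Authenticate returns the partner name, or an error the handler should map to 401/403.
func (a *Authenticator) Authenticate(r *http.Request) (string, error) {
	// 1. Without proof the request traversed Cloudflare, every header here is attacker-controlled.
	if subtle.ConstantTimeCompare([]byte(r.Header.Get(hdrOriginSecret)), a.originSecret) != 1 {
		return "", errors.New("request did not arrive via Cloudflare")
	}
	// 2. Recover the certificate the edge saw during the mTLS handshake.
	der, err := base64.StdEncoding.DecodeString(r.Header.Get(hdrClientCertDER))
	if err != nil || len(der) == 0 {
		return "", errors.New("missing or malformed client certificate header")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("parse client certificate: %w", err)
	}
	// 3. Re-verify the chain at the origin instead of trusting that the edge did.
	opts := x509.VerifyOptions{Roots: a.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by our CA: %w", err)
	}
	// 4. A valid certificate is not enough; it must be one we enrolled.
	name, ok := a.partners[Fingerprint(cert)]
	if !ok {
		return "", errors.New("certificate is valid but not enrolled")
	}
	return name, nil
}

// mintCert is a demo-only issuer: with parent == nil it produces a self-signed CA.
func mintCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// demoRequest builds the request shape the origin would receive from the edge (constructed input).
func demoRequest(secret string, cert *x509.Certificate) *http.Request {
	req, _ := http.NewRequest("GET", "https://api.example.com/v1/orders", nil)
	req.Header.Set(hdrOriginSecret, secret)
	req.Header.Set(hdrClientCertDER, base64.StdEncoding.EncodeToString(cert.Raw))
	return req
}

func main() {
	ca, caKey, _ := mintCert("Example Partner CA", true, nil, nil)
	partner, _, _ := mintCert("acme-corp", false, ca, caKey)
	auth := NewAuthenticator("s3cret", ca)
	auth.Enroll("acme-corp", partner)
	fmt.Println(auth.Authenticate(demoRequest("s3cret", partner)))
}
```

The origin-secret check is the part most easily forgotten: the WAF rule enforces mTLS only for traffic that reaches the edge, so an origin that trusts the forwarded header without it will accept a forged `Cf-Client-Cert-Der-Base64` from anyone who can reach Render directly. Pinning enrolled fingerprints also gives you a revocation path that does not depend on Cloudflare honouring a CRL.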