
Bring your own CA for client certificate validation with API Shield

What's this blog post about?

On July 11, 2023 at 2:00 PM, Dina Kozlov announced that Cloudflare's API Shield now allows customers to bring their own Certificate Authority (CA) for mutual TLS client authentication. The goal is to strengthen security while leaving customers in control of their Mutual TLS configuration. Mutual TLS establishes a two-way channel of trust by having both the client and the server present certificates, so the server can verify the client's identity and authorization rather than authenticating only itself. API Shield's mTLS capability helps secure thousands of endpoints, but it previously required customers to install new, Cloudflare-issued client certificates on their devices, which can be challenging in some cases. Letting customers supply their own CA addresses this, and also accommodates regulatory requirements or existing Mutual TLS deployments. Enterprise customers may upload up to five CAs through an account-level endpoint that serves both API Shield and Gateway, and can use Firewall rules to test client certificate validation before enforcing it on specific hostnames.

Company
Cloudflare

Date published
July 11, 2023

Author(s)
Dina Kozlov

Word count
726

Hacker News points
2

Language
English


By Matt Makai. 2021-2024.