Cloudflare adds RFC 9440 mTLS certificate fields to Transform Rules
Cloudflare · feature · api · security · developers.cloudflare.com ↗

New mTLS Certificate Fields in Transform Rules

Cloudflare has added four new fields to the Transform Rules phase that expose client certificate data in the standardized RFC 9440 format. Previously, forwarding client certificate information to origin servers required manual parsing of PEM-encoded fields or custom HTTP header formats.

Available Fields

The four fields cover the leaf certificate, the intermediate chain, and a size flag for each:

  • cf.tls_client_auth.cert_rfc9440 – The client leaf certificate in RFC 9440 format (empty if no certificate presented)
  • cf.tls_client_auth.cert_rfc9440_too_large – Boolean flag indicating if the leaf certificate exceeded 16 KB
  • cf.tls_client_auth.cert_chain_rfc9440 – Intermediate certificates as a comma-separated list in RFC 9440 format
  • cf.tls_client_auth.cert_chain_rfc9440_too_large – Boolean flag for intermediate chain size exceeding 16 KB

Each certificate is DER-encoded, Base64-encoded, and wrapped in colons (e.g., :MIIDsT...Vw==:). The chain follows TLS handshake ordering, with the certificate closest to the leaf appearing first.

Usage Example

To forward standardized client certificate headers to your origin, create a request header transform rule with the expression:

cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked

Then set the headers:

  • Client-Cert, set to the expression cf.tls_client_auth.cert_rfc9440
  • Client-Cert-Chain, set to the expression cf.tls_client_auth.cert_chain_rfc9440

Recommended Setup

Upload your client CA certificate to Cloudflare so it validates client certificates at the edge and populates the cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_revoked fields. This lets you forward certificates only when they pass verification and are not revoked. Note that the rule above fires only for verified certificates, so a request that presents no certificate reaches the origin unmodified, including any Client-Cert header the client itself sent. RFC 9440 headers are meaningful only when the origin can attribute them to the proxy that terminated TLS: accept them solely on connections you can tie to Cloudflare (for example with Authenticated Origin Pulls), and either block unverified requests at the edge with a custom rule or strip client-supplied Client-Cert and Client-Cert-Chain headers before they reach the origin.
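Origin-side handling of the forwarded headers, as an added example that is not Cloudflare's code: it encodes and parses the RFC 9440 format described in the field section above (colon-wrapped Base64 DER, comma-separated chain, closest-to-leaf first) and then re-verifies the forwarded leaf against the client CA the origin trusts, the same CA uploaded to Cloudflare in the recommended setup. The root, intermediate and leaf certificates are generated in memory as constructed test data, and the CA names, the subject CN device-0001 and all function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// EncodeRFC9440 renders one DER certificate the way the new fields do: an
// RFC 8941 Byte Sequence, i.e. standard padded Base64 wrapped in colons.
func EncodeRFC9440(der []byte) string {
	return ":" + base64.StdEncoding.EncodeToString(der) + ":"
}

// ParseByteSequence is the inverse: it rejects anything that is not
// colon-delimited and returns the decoded DER bytes.
func ParseByteSequence(v string) ([]byte, error) {
	v = strings.TrimSpace(v)
	if len(v) < 2 || v[0] != ':' || v[len(v)-1] != ':' {
		return nil, errors.New("rfc9440: value is not a colon-delimited byte sequence")
	}
	return base64.StdEncoding.DecodeString(v[1 : len(v)-1])
}

// ParseClientCertChain parses Client-Cert-Chain, a comma-separated list of
// Byte Sequences ordered closest-to-leaf first. An empty header yields no
// intermediates (leaf issued directly by a root, or chain not forwarded).
func ParseClientCertChain(h string) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	if strings.TrimSpace(h) == "" {
		return chain, nil
	}
	for _, item := range strings.Split(h, ",") {
		der, err := ParseByteSequence(item)
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		chain = append(chain, c)
	}
	return chain, nil
}

// VerifyForwardedClient re-validates the forwarded leaf (Client-Cert) against
// the roots the origin trusts, using the forwarded intermediates, and returns
// the leaf subject CN as the client identity. Revocation is not re-checked
// here; the edge rule already required "not cf.tls_client_auth.cert_revoked".
func VerifyForwardedClient(certHdr, chainHdr string, roots *x509.CertPool) (string, error) {
	der, err := ParseByteSequence(certHdr)
	if err != nil {
		return "", err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	inters, err := ParseClientCertChain(chainHdr)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// TestPKI is a throwaway root -> intermediate -> leaf hierarchy generated in
// memory so the example runs offline: constructed test data, not a real chain.
type TestPKI struct {
	Roots             *x509.CertPool
	InterDER, LeafDER []byte
}

func NewTestPKI() *TestPKI {
	now := time.Now()
	key := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootKey, interKey, leafKey := key(), key(), key()
	rootTmpl := caTmpl(1, "Test Client Root CA")
	rootCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	interDER := must(x509.CreateCertificate(rand.Reader, caTmpl(2, "Test Issuing CA"), rootCert, &interKey.PublicKey, rootKey))
	interCert := must(x509.ParseCertificate(interDER))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "device-0001"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, interCert, &leafKey.PublicKey, interKey))
	roots := x509.NewCertPool()
	roots.AddCert(rootCert)
	return &TestPKI{Roots: roots, InterDER: interDER, LeafDER: leafDER}
}

func main() {
	pki := NewTestPKI()
	certHdr, chainHdr := EncodeRFC9440(pki.LeafDER), EncodeRFC9440(pki.InterDER)
	fmt.Println(VerifyForwardedClient(certHdr, chainHdr, pki.Roots))
	// Without the forwarded intermediates the leaf cannot chain to the root.
	fmt.Println(VerifyForwardedClient(certHdr, "", pki.Roots))
}
```

The re-verification at the origin is defence in depth, not a substitute for trusting the transport: it proves the forwarded leaf chains to your CA, but not that Cloudflare, rather than the client, set the header. Pair it with Authenticated Origin Pulls or an equivalent control so that only requests from Cloudflare are accepted at all.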