APIs account for more than half of the total traffic of the Internet. They are the building blocks of many modern web applications. As API usage grows, so does the number of API attacks, so now, more than ever, it's important to keep these API endpoints secure. Cloudflare's API Shield solution offers a comprehensive suite of products to safeguard your API endpoints, and now we're giving our customers one more tool to keep their endpoints safe. We're excited to announce that customers can now bring their own Certificate Authority (CA) to use for mutual TLS client authentication. This gives customers more security, while allowing them to maintain control over their mutual TLS configuration.
The power of Mutual TLS (mTLS)
Traditionally, when we refer to TLS certificates, we talk about the publicly trusted certificates that are presented by servers to prove their identity to the connecting client. With Mutual TLS, both the client and the server present a certificate to establish a two-way channel of trust. Doing this allows the server to check who the connecting client is and whether or not they're allowed to make a request. The certificate presented by the client (the client certificate) doesn't need to come from a publicly trusted CA. In fact, it usually comes from a private or self-signed CA. That's because the only party that needs to be able to trust it is the connecting server. As long as the connecting server has the client certificate and can check its validity, it doesn't need to be public.
Securing API endpoints with Mutual TLS
Mutual TLS plays a crucial role in protecting API endpoints. When it comes to safeguarding these endpoints, it's important to have a security model in place that only allows authorized clients to make requests and keeps everyone else out.
That's why when we launched API Shield in 2020, a product centered around securing API endpoints, we included mutual TLS client certificate validation as a part of the offering. We knew that mTLS was the best way for our customers to identify and authorize their connecting clients.
When we launched mutual TLS for API Shield, we gave each of our customers a dedicated self-signed CA that they could use to issue client certificates. Once the certificates are installed on devices and mTLS is set up, administrators can enforce that connections can only be made if they present a client certificate issued from that self-signed CA.
This feature has been paramount in securing thousands of endpoints, but it does require our customers to install new client certificates on their devices, which isn't always possible. Some customers have been using mutual TLS for years with their own CA, which means that the client certificates are already in the wild. Unless the application owner has direct control over the clients, it's usually arduous, if not impossible, to replace the client certificates with ones issued from Cloudflare's CA. Other customers may be required to use a CA issued from an approved third party in order to meet regulatory requirements.
To help all of our customers keep their endpoints secure, we're extending API Shield's mTLS capability to allow customers to bring their own CA.
Get started today
To simplify the management of private PKI at Cloudflare, we created one account-level endpoint that enables customers to upload self-signed CAs to use across different Cloudflare products. Today, this endpoint can be used for API Shield CAs and for Gateway CAs that are used for traffic inspection.
If you're an Enterprise customer, you can upload up to five CAs to your account. Once you've uploaded the CA, you can use the API Shield hostname association API to associate the CA with the mTLS-enabled hostnames. That will tell Cloudflare to start validating the client certificate against the uploaded CA for requests that come in on that hostname. Before you enforce the client certificate validation, you can create a Firewall rule that logs an event when a valid or invalid certificate is served. That will help you determine if you've set things up correctly before you enforce the client certificate validation and drop unauthorized requests.
To learn more about how you can use this, refer to our developer documentation.
If you're interested in using mutual TLS to secure your corporate network, talk to an account representative about using our Access product to do so.
Source: cloudflare.com