This tutorial demonstrates how to configure your Internet-of-things (IoT) device and mobile application to use client certificates with API Shield.
Scenario details
This walkthrough uses the example of a device that captures temperature readings and transmits them by sending a POST request to a Cloudflare-protected API. A mobile application built in Swift for iOS retrieves those readings and displays them.
The example API code below saves a temperature and timestamp into KV when a POST is made and returns the most recent five temperatures when a GET request is made.
Step 1 — Validate API
POST sample data to API
To validate the API before adding mTLS authentication, POST a random temperature reading:
GET sample data from API
A GET request to the temps endpoint returns the most recent readings, including the one submitted in the example above:
Step 2 — Create Cloudflare-issued certificates
Before you can use API Shield to protect your API or web application, create Cloudflare-issued client certificates.
However, since most developers working at scale generate their own private keys and certificate signing requests via API, this example uses the Cloudflare API to create client certificates.
Step 3 — Embed the client certificate in your mobile app
To configure the mobile app to securely request temperature data submitted by the IoT device, embed the client certificate in the mobile app.
For simplicity, this example embeds a “bootstrap” certificate and key in the application bundle as a PKCS#12-formatted file:
In a real-world deployment, a bootstrap certificate should only be used in conjunction with users’ credentials to authenticate with an API endpoint that can return a unique user certificate. Corporate users will want to use mobile device management (MDM) to distribute certificates.
Embed the client certificate in an Android app
The following is an example of how you may use a client certificate in an Android app to make HTTP calls. You need to add the following permission in AndroidManifest.xml to allow an Internet connection.
For demonstration purposes, the certificate in this example is stored in app/src/main/res/raw/cert.pem and the private key is stored in app/src/main/res/raw/key.pem. You may also store these files in other secure manners.
The following example uses an OkHttpClient, but you may also use other clients such as HttpURLConnection in similar ways. The key is to use the SSLSocketFactory.
The above function returns an OkHttpClient embedded with the client certificate. You can now use this client to make HTTP requests to your API endpoint protected with mTLS.
Step 4 — Embed the client certificate on your IoT device
To prepare the IoT device for secure communication with the API endpoint, embed the certificate on the device and configure the device to use the certificate when making POST requests.
This example assumes the certificate and the private key are securely copied to /etc/ssl/private/sensor-key.pem and /etc/ssl/certs/sensor.pem.
The sample script is modified to point to these files:
When the script attempts to connect to https://shield.upinatoms.com/temps, Cloudflare requests that a client certificate is sent and the script sends the contents of /etc/ssl/certs/sensor.pem. Then, as required to complete the SSL/TLS handshake, the script demonstrates it has possession of /etc/ssl/private/sensor-key.pem.
Without the client certificate, the Cloudflare rejects the request:
When the IoT device presents a valid client certificate, the POST request succeeds and the temperature reading is recorded:
Step 5 — Enable mTLS
After creating Cloudflare-issued certificates, the next step is to enable mTLS for the hosts you want to protect with API Shield.
Step 6 — Configure API Shield to require client certificates
To configure API Shield to require client certificates, create a mTLS rule.