
If your device does not support certificate installation via WARP, you can manually install a Cloudflare certificate. You must add the certificate to both the system keychain and to individual application stores. These steps must be performed on each new device that is to be subject to HTTP filtering.

Zero Trust will only inspect traffic using installed certificates set to Available and In-Use.

Download the Cloudflare root certificate

First, generate and download a Cloudflare certificate. The certificate is available in both .pem and .crt file format. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case.

  • In Zero Trust, go to Settings > Resources.
  • In Certificates, select Manage.
  • Select the certificate you want to download.
  • Depending on which format you want, choose Download .pem and/or Download .crt.
  • Alternatively, you can download and install a certificate using WARP. WARP will add the certificates to the device's system certificate store in installed_certs/<certificate_id>.pem.

    Verify the downloaded certificate

    To verify your download, use a terminal to check that the downloaded certificate's hash matches the thumbprint listed under Certificate thumbprint. For example:

    SHA1 .crt example
    openssl x509 -noout -fingerprint -sha1 -inform der -in <certificate.crt>
    SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
    SHA1 .pem example
    openssl x509 -noout -fingerprint -sha1 -inform pem -in <certificate.pem>
    SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C

    SHA256

    SHA256 .crt example
    openssl x509 -noout -fingerprint -sha256 -inform der -in <certificate.crt>
    sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
    SHA256 .pem example
    openssl x509 -noout -fingerprint -sha256 -inform pem -in <certificate.pem>
    sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF

    Convert the certificate

    Some applications require a certificate formatted in the .cer file type. You can convert your downloaded certificate using OpenSSL:

    1. Install OpenSSL.
    2. Download a Cloudflare certificate in .pem format.
    3. In a terminal, convert the certificate to DER format with the .cer file type:
      Terminal window
      openssl x509 -inform PEM -in ~/Downloads/certificate.pem -outform DER -out ~/Downloads/certificate.cer

    1. Install OpenSSL for Windows.
    2. Download a Cloudflare certificate in .pem format.
    3. In a PowerShell terminal, convert the certificate to DER format with the .cer file type:
      PowerShell
      openssl x509 -inform PEM -in "$HOME\Downloads\certificate.pem" -outform DER -out "$HOME\Downloads\certificate.cer"

      Add the certificate to operating systems

      macOS

      In macOS, you can choose the keychain in which you want to install the certificate. Each keychain impacts which users will be affected by trusting the root certificate.

      Keychain       Access scope
      login          The logged in user
      Local Items    Users with access to cached iCloud passwords
      System         All users on the system

      To install a Cloudflare certificate in macOS, you can use either the Keychain Access application or a terminal. Both methods require you to download a certificate in .crt format.

      1. Download a Cloudflare certificate.
      2. Open the .crt file in Keychain Access. If prompted, enter your local password.
      3. In Keychain, choose the access option that suits your needs and select Add.
      4. In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select Get Info.
      5. Select Trust. Under When using this certificate, select Always Trust.

      The root certificate is now installed and ready to be used.

      Windows

      Windows offers two locations to install the certificate, each impacting which users will be affected by trusting the root certificate.

      Store location         Access scope
      Current User Store     The logged in user
      Local Machine Store    All users on the system

      1. Download a Cloudflare certificate.
      2. Right-click the certificate file.
      3. Select Open. If a security warning appears, choose Open to proceed.
      4. The Certificate window will appear. Select Install Certificate.
      5. Now choose a Store Location. If a security warning appears, choose Yes to proceed.
      6. On the next screen, select Browse.
      7. In the list, choose the Trusted Root Certification Authorities store.
      8. Select OK, then select Finish.

      The root certificate is now installed and ready to be used.

      Linux

      The location where the root certificate should be installed is different depending on your Linux distribution. Follow the specific instructions for your distribution.

      Debian-based distributions

      The following procedure applies to Debian-based systems, such as Debian, Ubuntu, and Kali Linux.

      Download a Cloudflare certificate in .pem format.

      Install the ca-certificates package.

      Terminal window
      sudo apt-get install ca-certificates

      Copy the certificate to the system, changing the file extension to .crt.

      Terminal window
      sudo cp certificate.pem /usr/share/ca-certificates/certificate.crt

      Import the certificate.

      Terminal window
      sudo dpkg-reconfigure ca-certificates

      Red Hat-based distributions

      The following procedure applies to Red Hat-based systems, such as CentOS and Red Hat Enterprise Linux (RHEL).

      Download a Cloudflare certificate in both .crt and .pem format.

      Install the ca-certificates package.

      Terminal window
      sudo dnf install ca-certificates

      Copy both certificates to the trust store.

      Terminal window
      sudo cp certificate.crt certificate.pem /etc/pki/ca-trust/source/anchors

      Import the certificate.

      Terminal window
      sudo update-ca-trust

      NixOS

      NixOS does not use the system certificate store for self updating and instead relies on the certificates found in ~/.nix-profile/etc/ssl/certs or provided by NIX_SSL_CERT_FILE at runtime.

      iOS

      1. In Safari, download a Cloudflare certificate in .pem format.
      2. Open Files and go to Recents.
      3. Find and open the downloaded certificate file. A message will appear confirming the profile was downloaded. Select Close.
      4. Open Settings. Select the Profile Downloaded section beneath your Apple Account info. Alternatively, go to General > VPN & Device Management and select the Gateway CA - Cloudflare Managed G1 profile.
      5. Select Install. If the iOS device is passcode-protected, you will be prompted to enter the passcode.
      6. A certificate warning will appear. Select Install. If a second prompt appears, select Install again.
      7. The Profile Installed screen will appear. Select Done. The certificate is now installed. However, before it can be used, it must be trusted by the device.
      8. In Settings, go to General > About > Certificate Trust Settings. The installed root certificates will be displayed under Enable full trust for root certificates.
      9. Turn on the Cloudflare certificate.
      10. A security warning message will appear. Choose Continue.

      The root certificate is now installed and ready to be used.

      Android

      1. Download a Cloudflare certificate.
      2. In Settings, go to Security > Advanced > Encryption & credentials > Install a certificate.
      3. Select CA certificate.
      4. Select Install anyway.
      5. Verify your identity.
      6. Choose the certificate file you want to install.

      The root certificate is now installed and ready to be used.

      ChromeOS

      ChromeOS devices use different methods to store and deploy root certificates. Certificates may fall under the VPN and apps or CA certificate settings. Follow the procedure that corresponds with your device.

      VPN and apps

      1. Download a Cloudflare certificate in .crt format.
      2. Go to Settings > Apps > Google Play Store.
      3. Select Manage Android preferences.
      4. Go to Security & location > Credentials > Install from SD card.
      5. In the file open dialog, choose the certificate.crt file you downloaded. Select Open.
      6. Enter a name to identify the certificate. Ensure Credential use is set to VPN and apps.
      7. Select OK.

      CA certificate

      1. Download a Cloudflare certificate in .crt format.
      2. Go to Settings > Apps > Google Play Store.
      3. Select Manage Android preferences.
      4. Go to Security & location > Credentials > Install a certificate > CA certificate.
      5. When prompted with a privacy warning, select Install anyway.
      6. In the file open dialog, choose the certificate.crt file you downloaded. Select Open.
      7. To verify the certificate is installed and trusted, go to Settings > Apps > Google Play Store > Manage Android Preferences > Security > Credentials > Trusted credentials > User.

      After adding the Cloudflare certificate to ChromeOS, you may also have to install the certificate in your browser.

        Add the certificate to applications

        Some packages, development tools, and other applications provide options to trust root certificates that will allow for the traffic inspection features of Gateway to work without breaking the application.

        All of the applications below first require downloading a Cloudflare certificate with the instructions above. On macOS, the default path to the system keychain database file is /Library/Keychains/System.keychain. On Windows, the default path is \Cert:\CurrentUser\Root.

        Browsers

        Chrome

        Versions of Chrome before Chrome 113 use the operating system root store on macOS and Windows. Chrome 113 and newer on macOS and Windows, and all versions on Linux and ChromeOS, use the Chrome internal trust store.

        To install a Cloudflare certificate to Chrome manually:

      1. Download a Cloudflare certificate in .pem format.
      2. In Chrome, go to Settings > Privacy and security > Security.
      3. Select Manage certificates.
      4. Go to Authorities. Select Import.
      5. In the file open dialog, choose the certificate.pem file you downloaded.
      6. In the dialog box, turn on Trust this certificate for identifying websites, Trust this certificate for identifying email users, and Trust this certificate for identifying software makers. Select OK.
      7. To verify the certificate was installed and trusted, locate it in Authorities.

        For information on installing a Cloudflare certificate for organizations, refer to Google's Chrome Enterprise and Education documentation.

        Firefox

        To install a Cloudflare certificate to Firefox manually:

      1. Download a Cloudflare certificate in .pem format.
      2. In Firefox, go to Settings > Privacy & Security.
      3. In Security, select Certificates > View Certificates.
      4. In Authorities, select Import.
      5. In the file open dialog, choose the certificate.pem file you downloaded.
      6. In the dialog box, turn on Trust this CA to identify websites and Trust this CA to identify email users. Select OK.
      7. To verify the certificate was installed and trusted, locate it in the table under Cloudflare.

        For information on installing a Cloudflare certificate for organizations, refer to this Mozilla support article.

        Mobile device management (MDM) software

        Zero Trust integrates with several mobile device management (MDM) software partners to deploy WARP across devices.

        Microsoft Intune

        To upload and deploy a Cloudflare certificate in Microsoft Intune:

      1. Download and convert a Cloudflare certificate to DER format with the .cer file type.
      2. In Microsoft Intune, create a trusted certificate profile with your converted certificate.

        For more information, refer to the Microsoft documentation.

        Jamf Pro

        To upload and deploy a Cloudflare certificate in Jamf Pro:

      1. Download and convert a Cloudflare certificate to DER format with the .cer file type.
      2. In Jamf Pro, go to Computers > Configuration Profiles to create a computer configuration profile, or go to Devices > Configuration Profiles to create a mobile device configuration profile. Select New.
      3. Add a name and description for the profile.
      4. Choose whether you would like Jamf to install the certificate automatically or with self-service, and whether you would like to install the certificate for a single user or all users on the device.
      5. Select Add > Certificate. Choose the certificate file.
      6. Uncheck Allow export from keychain.
      7. Select Scope, then choose which devices or groups to deploy the certificate to.
      8. Select Save.

        For more information, refer to the Jamf Pro documentation.

        Kandji

        To upload and deploy a Cloudflare certificate in Kandji:

      1. Download a Cloudflare certificate in .crt format.
      2. In Kandji, upload the certificate as a PKCS #1-formatted certificate.

        Hexnode

        To upload and deploy a Cloudflare certificate in Hexnode:

      1. Download a Cloudflare certificate in .pem format.
      2. In Hexnode, follow the directions for adding the certificate to macOS, iOS, and/or Android devices.

        JumpCloud

        To upload and deploy a Cloudflare certificate in JumpCloud:

      1. Download a Cloudflare certificate in .pem format.
      2. In JumpCloud, upload the certificate.
      3. Configure a conditional access policy to deploy the certificate across devices.

        Python

        Depending on which version of Python you have installed and your configuration, you may need to use either the python or python3 command. If you use virtual environments, you will need to repeat the following steps within each virtual environment.

        Python on Windows

        The command to install the certificate with Python on Windows automatically includes pip and certifi (the default certificate bundle for certificate validation).

      1. Download a Cloudflare certificate in .crt format.
      2. In a PowerShell terminal, install the certifi package:
        PowerShell
        python -m pip install certifi
      3. Identify the Python CA store:
        PowerShell
        $CERT_PATH = python -c "import certifi; print(certifi.where())"
      4. Update the bundle to include the Cloudflare certificate:
        PowerShell
        gc "$env:USERPROFILE\Downloads\certificate.crt" | ac $CERT_PATH
      5. (Optional) Configure your system variables to point to the CA store by adding them to PowerShell's configuration file:
        PowerShell
        [System.Environment]::SetEnvironmentVariable('CERT_PATH', $CERT_PATH, 'Machine')
        [System.Environment]::SetEnvironmentVariable('SSL_CERT_FILE', $CERT_PATH, 'Machine')
        [System.Environment]::SetEnvironmentVariable('REQUESTS_CA_BUNDLE', $CERT_PATH, 'Machine')
      6. Restart your terminal.

        Python on Mac and Linux

      1. Download a Cloudflare certificate in .pem format.
      2. In a terminal, install the certifi package:
        Terminal window
        python -m pip install certifi
      3. Append the Cloudflare certificate to this CA store by running:
        Terminal window
        echo | cat - certificate.pem >> "$(python -m certifi)"
      4. (Optional) Configure your system variables to point to the CA store by adding them to your shell's configuration file (such as ~/.zshrc or ~/.bash_profile). For example:
        Terminal window
        echo 'export CERT_PATH=$(python -c "import certifi; print(certifi.where())")
        export SSL_CERT_FILE=${CERT_PATH}
        export REQUESTS_CA_BUNDLE=${CERT_PATH}' >> ~/.zshrc
      5. Restart your terminal.
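
The following Python example is added here and is not part of the Cloudflare documentation. It combines the fingerprint check from "Verify the downloaded certificate" with the certifi append step above: the certificate is appended only when its SHA-256 fingerprint matches the dashboard thumbprint, it is written as PEM whichever format was downloaded, and a second run does not add a duplicate. The function names, file names and stand-in certificate bytes are assumptions for the example; in real use the bundle path is the value printed by certifi.where(), and the code hashes the file's DER bytes without parsing the X.509 structure.

```python
import base64
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_certs(data: bytes) -> list:
    """Return the DER bytes of every PEM certificate block in data."""
    return [base64.b64decode(body) for body in PEM_RE.findall(data)]


def load_cert(path) -> bytes:
    """Read one certificate as DER, accepting a PEM or a DER file."""
    data = Path(path).read_bytes()
    certs = pem_certs(data)
    if len(certs) > 1:
        raise ValueError("expected a single certificate, found a bundle")
    return certs[0] if certs else data  # no PEM armour: treat as DER


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER bytes, colon-separated as openssl prints it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(thumbprint: str) -> str:
    """Drop colons, spaces and case so both thumbprint forms compare."""
    return re.sub(r"[^0-9A-F]", "", thumbprint.upper())


def add_to_bundle(cert_path, bundle_path, expected_sha256: str) -> str:
    """Append the certificate to a PEM bundle if verified and not present."""
    der = load_cert(cert_path)
    if normalise(fingerprint(der)) != normalise(expected_sha256):
        raise ValueError("fingerprint mismatch, certificate not appended")
    bundle = Path(bundle_path)
    if der in pem_certs(bundle.read_bytes()):
        return "already present"
    with bundle.open("a", encoding="ascii") as fh:
        fh.write("\n" + ssl.DER_cert_to_PEM_cert(der))  # always write PEM
    return "appended"


def demo() -> list:
    # Constructed stand-in bytes, not a real certificate (only the digest matters here).
    der = b"constructed stand-in for the downloaded certificate"
    with tempfile.TemporaryDirectory() as tmp:
        cert, bundle = Path(tmp, "certificate.crt"), Path(tmp, "cacert.pem")
        cert.write_bytes(der)  # DER-format download
        bundle.write_text(ssl.DER_cert_to_PEM_cert(b"existing bundle entry"))
        pinned = fingerprint(der)  # stands in for the dashboard thumbprint
        return [add_to_bundle(cert, bundle, pinned),
                add_to_bundle(cert, bundle, pinned),
                len(pem_certs(bundle.read_bytes()))]
```

Because certifi replaces its bundle file when the package is upgraded, rerunning add_to_bundle after an upgrade restores the entry without duplicating it on other runs.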

        Git on Windows

        Open PowerShell.

        Run the following command:

        PowerShell
        git config -l

        This command will output:

        core.symlinks=false
        core.autocrlf=true
        core.fscache=true
        color.diff=auto
        color.status=auto
        color.branch=auto
        color.interactive=true
        help.format=html
        rebase.autosquash=true
        http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
        http.sslbackend=openssl
        diff.astextplain.textconv=astextplain
        filter.lfs.clean=git-lfs clean -- %f
        filter.lfs.smudge=git-lfs smudge -- %f
        filter.lfs.process=git-lfs filter-process
        filter.lfs.required=true
        credential.helper=manager

        The http.sslcainfo defines the CA Certificate store. To append the Cloudflare certificate to the CA bundle, update http.sslcainfo.

        PowerShell
        gc .\certificate.pem | ac $(git config --get http.sslcainfo)

        Git on Mac and Linux

        To configure Git to trust a Cloudflare certificate, run the following command:

        Terminal window
        git config --global http.sslcainfo [PATH_TO_CLOUDFLARE_CERT]

        npm

      1. Download a Cloudflare certificate in .pem format.
      2. Set the cafile configuration to use the Cloudflare certificate:
        Terminal window
        npm config set cafile [PATH_TO_CLOUDFLARE_CERT.pem]

        On some systems you may need to set the following in your path/export list:

        Terminal window
        export NODE_EXTRA_CA_CERTS='[PATH_TO_CLOUDFLARE_CERT.pem]'

        Docker

        To install a certificate for use in a Docker container:

        Download a Cloudflare certificate in .pem format.

        Create a directory for certificates in your Docker project:

        Terminal window
        cd docker-project
        mkdir certs
        mv /path/to/downloaded/certificate.pem certs/

        Verify the certificate was moved to the directory correctly. Your project should have the following structure:

        Terminal window
        docker-project/
        ├── Dockerfile
        └── certs/
            └── certificate.pem

        Add the certificate to your Docker image:

        To add the certificate to your Dockerfile to install it during the build process:

          Add the certificate install directions to your Dockerfile. For example:

          Red Hat-based images
          FROM registry.access.redhat.com/ubi9/ubi:latest
          # Or FROM centos:7 or FROM fedora:38
          # Install necessary certificates package
          RUN dnf install -y ca-certificates
          # Copy and add Cloudflare root certificate
          COPY certs/certificate.pem /etc/pki/ca-trust/source/anchors/certificate.crt
          RUN update-ca-trust extract
          Debian-based images
          FROM debian:12
          # Or FROM ubuntu:22.04
          # Install necessary certificates package
          RUN apt-get update && apt-get install -y ca-certificates
          # Copy and add Cloudflare root certificate
          COPY certs/certificate.pem /usr/local/share/ca-certificates/certificate.crt
          RUN update-ca-certificates
          Alpine-based images
          FROM alpine:3.18
          # Install necessary certificates package
          RUN apk add --no-cache ca-certificates
          # Copy and add Cloudflare root certificate
          COPY certs/certificate.pem /usr/local/share/ca-certificates/certificate.crt
          RUN update-ca-certificates

          Build the Docker image:

          Terminal window
          docker build -t <your-container-name> .

          Verify the certificate was installed:

          Red Hat-based images
          docker run --rm your-image-name sh -c "cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem | grep Cloudflare"
          Debian and Alpine-based images
          docker run --rm your-image-name sh -c "cat /etc/ssl/certs/certificate.pem"