Install the Cloudflare certificate
If your device does not support certificate installation via WARP, you can manually install the Cloudflare certificate. You must add the certificate to both the system keychain and to individual application stores. These steps must be performed on each new device that is to be subject to HTTP filtering.
Download the Cloudflare root certificate
First, download the Cloudflare certificate. The certificate is available both as a .pem
and as a .crt
file. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case.
Verify the certificate fingerprint
To verify your download, check that the certificate’s thumbprint matches:
SHA1
BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
➜ ~ openssl x509 -noout -fingerprint -sha1 -inform der -in <Cloudflare_CA.crt>
SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
➜ ~ openssl x509 -noout -fingerprint -sha1 -inform pem -in <Cloudflare_CA.pem>
SHA1 Fingerprint=BB:2D:B6:3D:6B:DE:DA:06:4E:CA:CB:40:F6:F2:61:40:B7:10:F0:6C
SHA256
F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
➜ ~ openssl x509 -noout -fingerprint -sha256 -inform der -in <Cloudflare_CA.crt>
sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
➜ ~ openssl x509 -noout -fingerprint -sha256 -inform pem -in <Cloudflare_CA.pem>
sha256 Fingerprint=F5:E1:56:C4:89:78:77:AD:79:3A:1E:83:FA:77:83:F1:9C:B0:C6:1B:58:2C:2F:50:11:B3:37:72:7C:62:3D:EF
Add the certificate to operating systems
macOS
In macOS, you can choose the keychain in which you want to install the certificate. Each keychain impacts which users will be affected by trusting the root certificate.
Keychain | Access scope |
---|---|
login | The logged in user |
Local Items | Users with access to cached iCloud passwords |
System | All users on the system |
To install the Cloudflare certificate in macOS, you can use either the Keychain Access application or a terminal. Both methods require you to download the Cloudflare certificate in .crt
format.
Download the Cloudflare certificate.
Open the
.crt
file in Keychain Access. If prompted, enter your local password.In Keychain, choose the access option that suits your needs and select Add.
In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select Get Info.
Select Trust. Under When using this certificate, select Always Trust.
The root certificate is now installed and ready to be used.
- Download the Cloudflare certificate.
- Open Terminal.
- Add the certificate to your keychain:
$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <path-to-Cloudflare_CA.crt>
This keychain will allow all users on the system access to the certificate. If you want to install the certificate to a different keychain, replace System.keychain
with the name of that keychain.
- Update the OpenSSL CA Store to include the Cloudflare certificate:
$ echo | sudo tee -a /etc/ssl/cert.pem < Cloudflare_CA.pem
The root certificate is now installed and ready to be used.
Windows
Windows offers two locations to install the certificate, each impacting which users will be affected by trusting the root certificate.
Store location | Access scope |
---|---|
Current User Store | The logged in user |
Local Machine Store | All users on the system |
Right-click the certificate file.
Select Open. If a security warning appears, choose Open to proceed.
The Certificate window will appear. Select Install Certificate.
Now choose a Store Location. If a security warning appears, choose Yes to proceed.
On the next screen, select Browse.
In the list, choose the Trusted Root Certification Authorities store.
Select OK, then select Finish.
The root certificate is now installed and ready to be used.
Linux
The location where the root certificate should be installed is different depending on your Linux distribution. Follow the specific instructions for your distribution.
Debian-based distributions
The following procedure applies to Debian-based systems, such as Debian, Ubuntu, and Kali Linux.
- Download the
.pem
certificate. - Install the
ca-certificates
package.
$ sudo apt-get install ca-certificates
- Copy the certificate to the system, changing the file extension to
.crt
.
$ sudo cp Cloudflare_CA.pem /usr/share/ca-certificates/Cloudflare_CA.crt
- Import the certificate.
$ sudo dpkg-reconfigure ca-certificates
Red Hat-based distributions
The following procedure applies to Red Hat-based systems, such as Red Hat Enterprise Linux (RHEL), Fedora, Rocky Linux, and AlmaLinux.
- Download both the
.crt
certificate and the.pem
certificate. - Install the
ca-certificates
package.
$ sudo dnf install ca-certificates
- Copy both certificates to the trust store.
$ sudo cp Cloudflare_CA.crt Cloudflare_CA.pem /etc/pki/ca-trust/source/anchors
- Import the certificate.
$ sudo update-ca-trust
NixOS
NixOS does not use the system certificate store for self updating and instead relies on the certificates found in ~/.nix-profile/etc/ssl/certs
or provided by NIX_SSL_CERT_FILE
at runtime.
iOS
iOS only allows the Safari browser to open and install certificates.
Open Safari and download the Cloudflare certificate. The device will show a message: This website is trying to download a configuration profile. Do you want to allow this?
Select Allow.
Go to Settings, where a new Profile Downloaded section will appear directly beneath your iCloud user account info.
Select Install. If the iOS device is passcode-protected, you will be prompted to enter the passcode.
Next, a certificate warning will appear. Select Install. If a second prompt appears, select Install again.
Next, the Profile Installed screen will appear. Select Done. The certificate is now installed. However, before it can be used, it must be trusted by the device.
Go to Settings > General > About > Certificate Trust Settings. The installed root certificates will be displayed under Enable full trust for root certificates.
Enable the Cloudflare certificate.
A security warning message will appear. Choose Continue.
The root certificate is now installed and ready to be used.
Android
Go to Settings > Security > Advanced > Encryption & credentials > Install a certificate.
Select CA certificate.
Select Install anyway.
Verify your identity.
Choose the certificate file you want to install.
The root certificate is now installed and ready to be used.
ChromeOS
ChromeOS devices use different methods to store and deploy root certificates. Certificates may fall under the VPN and apps or CA certificate settings. Follow the procedure that corresponds with your device.
Download the Cloudflare certificate in
.crt
format.Go to Settings > Apps > Google Play Store.
Select Manage Android preferences.
Go to Security & location > Credentials > Install from SD card.
In the file open dialog, choose the
Cloudflare_CA.crt
file you downloaded and select Open.Enter a name to identify the certificate. Ensure Credential use is set to VPN and apps. Select OK.
Download the Cloudflare certificate in
.crt
format.Go to Settings > Apps > Google Play Store.
Select Manage Android preferences.
Go to Security & location > Credentials > Install a certificate > CA certificate.
When prompted with a privacy warning, select Install anyway.
In the file open dialog, choose the
Cloudflare_CA.crt
file you downloaded and select Open.To verify the certificate is installed and trusted, go to Settings > Apps > Google Play Store > Manage Android Preferences > Security > Credentials > Trusted credentials > User.
After adding the Cloudflare certificate to ChromeOS, you may also have to install the certificate in your browser.
Add the certificate to applications
Some packages, development tools, and other applications provide options to trust root certificates that will allow for the traffic inspection features of Gateway to work without breaking the application.
All of the applications below first require downloading the Cloudflare certificate with the instructions above. On Mac, the default path is /Library/Keychains/System.keychain Cloudflare_CA.crt
. On Windows, the default path is \Cert:\CurrentUser\Root
.
Browsers
Chrome
Versions of Chrome before Chrome 113 use the operating system root store on macOS and Windows. Chrome 113 and newer on macOS and Windows – and all versions on Linux and ChromeOS – use the Chrome internal trust store.
To install the Cloudflare certificate to Chrome manually:
- Download the Cloudflare certificate in
.pem
format. - In Chrome, go to Settings > Privacy and security > Security.
- Select Manage certificates.
- Go to Authorities. Select Import.
- In the file open dialog, choose the
Cloudflare_CA.pem
file you downloaded. - In the dialog box, turn on Trust this certificate for identifying websites, Trust this certificate for identifying email users, and Trust this certificate for identifying software makers. Select OK.
- To verify the certificate was installed and trusted, locate it in Authorities.
For information on installing the Cloudflare certificate for organizations, refer to Google’s Chrome Enterprise and Education documentation.
Firefox
To install the Cloudflare certificate to Firefox manually:
- Download the Cloudflare certificate in
.pem
format. - In Firefox, go to Settings > Privacy & Security.
- In Security, select Certificates > View Certificates.
- In Authorities, select Import.
- In the file open dialog, choose the
Cloudflare_CA.pem
file you downloaded. - In the dialog box, turn on Trust this CA to identify websites and Trust this CA to identify email users. Select OK.
- To verify the certificate was installed and trusted, locate it in the table under Cloudflare.
For information on installing the Cloudflare certificate for organizations, refer to this Mozilla support article.
Python
Python on Windows
The command to install the certificate with Python on Windows automatically includes pip
and certifi
(the default certificate bundle for certificate validation).
In a PowerShell terminal, download the Cloudflare root certificate:
curl.exe -o Cloudflare_CA.crt https://developers.cloudflare.com/cloudflare-one/static/Cloudflare_CA.crtUpdate the bundle to include the Cloudflare certificate:
gc .\Cloudflare_CA.crt | ac C:\Python37\Lib\site-packages\pip\_vendor\certifi\cacert.pem
Python on Mac and Linux
In a terminal, install the
certifi
package:$ pip install certifiIdentify the CA store:
$ python -m certifi~/Library/Python/3.7/lib/python/site-packages/certifi/cert.pemDownload the Cloudflare root certificate:
$ wget https://developers.cloudflare.com/cloudflare-one/static/Cloudflare_CA.pemAppend the Cloudflare certificate to this CA store by running:
$ echo | cat - Cloudflare_CA.pem >> $(python -m certifi)If needed, configure system variables to point to this CA store:
$ export CERT_PATH=$(python -m certifi)$ export SSL_CERT_FILE=${CERT_PATH}$ export REQUESTS_CA_BUNDLE=${CERT_PATH}
Git
Git on Windows
Open PowerShell.
Run the following command:
git config -l
This command will output:
core.symlinks=false
core.autocrlf=true
core.fscache=true
color.diff=auto
color.status=auto
color.branch=auto
color.interactive=true
help.format=html
rebase.autosquash=true
http.sslcainfo=C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
http.sslbackend=openssl
diff.astextplain.textconv=astextplain
filter.lfs.clean=git-lfs clean -- %f
filter.lfs.smudge=git-lfs smudge -- %f
filter.lfs.process=git-lfs filter-process
filter.lfs.required=true
credential.helper=manager
- The
http.sslcainfo
defines the CA Certificate store. To append the Cloudflare certificate to the CA bundle, updatehttp.sslcainfo
.
gc .\Cloudflare_CA.pem | ac $(git config --get http.sslcainfo)
Git on Mac and Linux
Configure Git to trust the Cloudflare certificate.
$ git config --global http.sslcainfo [PATH_TO_CLOUDFLARE_CERT]
npm
The command below will set the cafile
configuration to use the Cloudflare certificate. Make sure to use the certificate in the .pem
file type.
$ npm config set cafile [PATH_TO_CLOUDFLARE_CERT.pem]
On some systems you may need to set the following in your path/export list:
$ export NODE_EXTRA_CA_CERTS='[PATH_TO_CLOUDFLARE_CERT.pem]'
Google Cloud
Google Cloud SDK
The commands below will set the Google Cloud SDK to use the Cloudflare certificate. For more information on configuring the Google Cloud SDK, refer to the Google Cloud documentation.
Get curl’s
cacert
bundle.$ curl -O https://curl.se/ca/cacert.pemGet the Cloudflare CA.
$ curl -O https://developers.cloudflare.com/cloudflare-one/static/Cloudflare_CA.pemCombine the certs into a single
.pem
file.$ cat cacert.pem Cloudflare_CA.pem > ~/ca.pemConfigure Google Cloud to use the combined
.pem
.$ gcloud config set core/custom_ca_certs_file ~/ca.pem
Kaniko
If you use Kaniko with Google Cloud SDK, you must install the Cloudflare certificate in the Kaniko CA store. For more information, refer to the gcloud
documentation.
Google Drive for desktop
To trust the Cloudflare root certificate in the Google Drive desktop application, follow the procedure for your operating system. These steps require you to download the .pem certificate. In the Finder menu bar, go to Go > Go to Folder. Enter Find Append the contents of Apply the newly created root certificate to your Google Drive application. You can verify the update with the following command. In File Explorer, go to Find Append the contents of Update the Google Drive registry key. You can verify the update with the following command.macOS
/Applications/Google Drive.app/Contents/Resources
.roots.pem
and copy it to a permanent location, such as your Documents folder.cloudflare.pem
to the end of roots.pem
.Windows
\Program Files\Google\Drive File Stream\<version>\config\
.roots.pem
and copy it to a permanent location, such as your Documents folder.cloudflare.pem
to the end of roots.pem
.
For more information, refer to the Google documentation for the TrustedRootCertsFile
setting.
Google Apps Manager (GAM)
Google Apps Manager (GAM) uses its own certificate store. To add the Cloudflare certificate to GAM, refer to the GAM documentation.
AWS CLI
If you’re using the AWS CLI, you need to set the AWS_CA_BUNDLE
environment variable to use the Cloudflare root certificate. Commands are available for different operating systems in the AWS instructions.
PHP Composer
The command below will set the cafile
configuration inside of composer.json
to use the Cloudflare root certificate. Make sure to use the certificate in the .pem
file type.
$ composer config cafile [PATH_TO_CLOUDFLARE_CERT.pem]
Alternatively, you can add this manually to your composer.json
file under the config
key.
JetBrains
To install the Cloudflare root certificate on JetBrains products, refer to the links below:
Eclipse
To install the Cloudflare root certificate on Eclipse IDE for Java Developers, you must add the certificate to the Java virtual machine (JVM) used by Eclipse.
Find the
java.home
value for your Eclipse installation.- In Eclipse, go to Eclipse > About Eclipse (or Help > About Eclipse IDE on Windows and Linux)
- Select Installation Details, then go to Configuration.
- Search for
java.home
, then locate the value. For example:
*** System properties:java.home=/Users/<username>/.p2/pool/plugins/org.eclipse.justj.openjdk.hotspot.jre.full.macosx.aarch64_17.0.8.v20230831-1047/jre- Copy the full path after
java.home=
.
Add the Cloudflare certificate to Eclipse’s JVM.
macOS and Linux
In a terminal, add the
java.home
value you copied as an environment variable.$ export JAVA_HOME=$(echo /path/to/java.home)Run
keytool
to install and trust the Cloudflare certificate.$ "$JAVA_HOME/bin/keytool" -import -file ~/Downloads/Cloudflare_CA.crt -alias CloudflareRootCA -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit -trustcacerts -nopromptRestart Eclipse.
Windows
- In a terminal, add the
java.home
value you copied as an environment variable.
set JAVA_HOME="\path\to\java.home"
- Run
keytool
to install and trust the Cloudflare certificate.
"%JAVA_HOME%\bin\keytool.exe" -import -file "%UserProfile%\Downloads\Cloudflare_CA.crt" -alias CloudflareRootCA -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit -trustcacerts -noprompt
- Restart Eclipse.
For more information on adding certificates to Eclipse with keytool
, refer to IBM’s documentation.
RubyGems
To trust the Cloudflare root certificate in RubyGems, follow the procedure for your operating system. These steps require you to download the .pem certificate. Install OpenSSL. In a terminal, format the Cloudflare certificate for Ruby. Add your RubyGems directory as an environment variable. Copy the Cloudflare certificate to your RubyGems certificate store. Restart RubyGems. Install OpenSSL for Windows. In a terminal, format the Cloudflare certificate for Ruby. Add your RubyGems directory as an environment variable. Copy the Cloudflare certificate to your RubyGems certificate store. Restart RubyGems.macOS and Linux
Windows
Minikube
To trust the Cloudflare root certificate in Minikube, refer to x509: certificate signed by unknown authority.