Enable TLS decryption (optional)
TLS decryption ↗ allows Cloudflare Gateway to inspect HTTPS requests to your private network applications.
With TLS decryption enabled, you will be able to apply advanced policies such as scanning for sensitive data, starting a remote browser isolation session, and filtering based on the complete URL and path of requests. These features can increase the security posture of sensitive systems, but TLS decryption can also break your users’ access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a Do Not Inspect policy or an Untrusted certificate Pass through policy to allow users to connect. To learn more, refer to TLS decryption limitations.
With TLS decryption disabled, Gateway can only inspect unencrypted HTTP requests. However, you can still apply policies to HTTPS traffic based on user identity, device posture, IP, resolved domain, SNI, and other attributes that support a Zero Trust security implementation. Refer to the Gateway HTTP policies documentation for more information.
- In Zero Trust ↗, go to Settings > Network.
- Turn on TLS decryption.
Next, choose a user-side certificate to use for inspection.
When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a certificate on the user device. You can either install the certificate provided by Cloudflare (default option) or upload a custom root certificate to Cloudflare (Enterprise-only option).
Deploying the Cloudflare root certificate is the simplest way to get started with TLS decryption and is usually appropriate for testing or proof of concept conditions.
If you already have a certificate that you use for other inspection or trust purposes, we recommend uploading your own root certificate for the following reasons:
- Using a single certificate streamlines IT management.
- If other services (such as git workflows, other cli tools, or thick client applications) rely on an existing certificate store, presenting the same certificate in inspection is far less likely to interrupt their traffic flow.
- If you are using WARP Connector to connect devices to Cloudflare, those devices will not be able to leverage HTTP policies that require decrypting TLS unless they have a certificate that matches either your uploaded certificate or the Cloudflare root certificate. It is more likely that your network infrastructure already has your own device certificates deployed, so using the existing PKI infrastructure for inspection will reduce the number of steps needed to deploy Zero Trust.