Deprecation of public client EKU and cloudflare | Cloudflare Developers | Page 1

frosty whale · 2025-09-10T13:29:20.018Z

Does cloudflare AOP check for client EKU on a custom certificate? up thus far we've been uploading letsencrypt certificates and things worked, but there's a pending change. Non-browser entities have traditionally not respected the client EKU requirement, but does cloudflare?

Support AI

According to the Cloudflare documentation, I couldn't find any explicit information on whether Cloudflare AOP checks for client EKU (Extended Key Usage) on a custom certificate.

However, I can suggest that you refer to the Cloudflare documentation on Authenticated Origin Pulls (AOP) and Client Authenticated TLS Handshake for more information on how AOP works.

Additionally, you may want to check the documentation on Custom Certificates to see if there are any specific requirements or restrictions on using custom certificates with AOP.

If you're unsure about the impact of the pending change on your setup, I recommend reviewing the Cloudflare documentation and reaching out to Cloudflare support for further guidance.

Source:

https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/
https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/explanation/#client-authenticated-tls-handshake
https://developers.cloudflare.com/ssl/origin-configuration/custom-certificates/

Sources

How Authenticated Origin Pulls works - Cloudflare SSL/TLS docs
Zone-level authenticated origin pulls - Cloudflare SSL/TLS docs
Authenticated Origin Pulls (mTLS) - Cloudflare SSL/TLS docs

#Deprecation of public client EKU and cloudflare