Deprecation of public client EKU and cloudflare

Does cloudflare AOP check for client EKU on a custom certificate? up thus far we've been uploading letsencrypt certificates and things worked, but there's a pending change. Non-browser entities have traditionally not respected the client EKU requirement, but does cloudflare?

SuperHelpflare•9/10/25, 1:29 PM

Support AI

According to the Cloudflare documentation, I couldn't find any explicit information on whether Cloudflare AOP checks for client EKU (Extended Key Usage) on a custom certificate.

However, I can suggest that you refer to the Cloudflare documentation on Authenticated Origin Pulls (AOP) and Client Authenticated TLS Handshake for more information on how AOP works.

Additionally, you may want to check the documentation on Custom Certificates to see if there are any specific requirements or restrictions on using custom certificates with AOP.

If you're unsure about the impact of the pending change on your setup, I recommend reviewing the Cloudflare documentation and reaching out to Cloudflare support for further guidance.

Source:

Sources

This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.

sd1970xOP•9/10/25, 1:31 PM

I went ahead and checked - it's not in the docs (If it was, then you would have found it already... )

Deprecation of public client EKU and cloudflare

Similar Threads

Similar Threads

Similar Threads