GitHub - willswire/dod-cac-auth-cloudflare-workers: Enable DoD CAC (Common Access Card) authentication for Cloudflare Workers using mTLS and BYOCA (Bring Your Own CA).


DoD CAC Authentication with Cloudflare Workers

Enable DoD CAC (Common Access Card) authentication for Cloudflare Workers using mTLS and BYOCA (Bring Your Own CA).

Prerequisites

  • Cloudflare Enterprise account
  • Wrangler CLI (npm install -g wrangler)
  • API Token with Account → SSL and Certificates → Edit and Zone → SSL and Certificates → Edit permissions

How It Works

Cloudflare's mTLS prompts browsers to present a client certificate. The browser only offers certificates whose issuing CA is in Cloudflare's acceptable list. CAC certificates are issued by intermediate CAs (e.g., DOD ID CA-72), not directly by a root CA, so the intermediate is what you must upload; uploading only the DoD root will not make the browser offer the CAC certificate.

Step 1: Determine Your Intermediate CA

Check which CA issued your CAC certificate in Google Chrome by navigating to: chrome://settings/certificates → Your certificates → Click your DoD cert → View details → "Issued By"

Or check in your preferred browser's certificate viewer — look for the "Issued By" field (e.g., DOD ID CA-72).

Step 2: Download the Intermediate CA

Download from DISA's CRL distribution point:

# Replace XX with your CA number (e.g., 72)
curl -o dod_id_ca.cer "http://crl.disa.mil/sign/DODIDCA_XX.cer"

# Convert from DER to PEM format
openssl x509 -in dod_id_ca.cer -inform DER -out dod_id_ca.pem -outform PEM

# Verify
openssl x509 -in dod_id_ca.pem -noout -subject -issuer

Common intermediate CA URLs:

  • http://crl.disa.mil/sign/DODIDCA_72.cer
  • http://crl.disa.mil/sign/DODIDCA_73.cer
  • http://crl.disa.mil/sign/DODIDCA_78.cer
  • http://crl.disa.mil/sign/DODIDCA_79.cer

Step 3: Upload CA and Configure mTLS

Set your environment variables:

export CLOUDFLARE_ACCOUNT_ID="your-account-id"
export CLOUDFLARE_ZONE_ID="your-zone-id"
export CLOUDFLARE_API_TOKEN="your-api-token"

Run the setup script:

./setup-dod-mtls.sh dod_id_ca.pem cac.yourdomain.com

Step 4: Enable mTLS in Dashboard

This step is required — BYOCA alone doesn't enable mTLS.

  1. Go to Cloudflare Dashboard → Your Zone → SSL/TLS → Client Certificates
  2. In the Hosts section, click Edit
  3. Add your hostname (e.g., cac for cac.yourdomain.com)
  4. Click Save

Step 5: Deploy Worker

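The following Worker is an added example, not the repository's index.js: instead of only echoing certificate details, it rejects requests whose client certificate was not verified against one of the uploaded DoD intermediates. The field names follow Cloudflare's documented request.cf.tlsClientAuth object; the DN string formats, the trusted-issuer list and the EDIPI-in-CN convention are assumptions.

```javascript
// Added example (not the repository's own index.js). Field names follow
// Cloudflare's documented request.cf.tlsClientAuth object; DN formats and
// the EDIPI-in-CN convention are assumptions, so both RFC 2253 style
// ("CN=...,OU=...") and slash style ("/C=US/.../CN=...") DNs are parsed.

// Intermediate CAs actually uploaded via BYOCA (constructed list).
const TRUSTED_ISSUER_CNS = new Set(["DOD ID CA-72", "DOD ID CA-73"]);

// Pull the CN out of a DN written in either common string form.
function extractCN(dn) {
  const m = /(?:^|[,\/])\s*CN=([^,\/]+)/.exec(dn || "");
  return m ? m[1].trim() : null;
}

// CAC subject CNs look like LAST.FIRST.MIDDLE.1234567890; the trailing
// 10 digits are the EDIPI (assumed convention, used only for logging).
function extractEDIPI(subjectCN) {
  const m = /\.(\d{10})$/.exec(subjectCN || "");
  return m ? m[1] : null;
}

// Decide whether the request's client certificate should be accepted.
// Enabling mTLS on the hostname makes Cloudflare request and verify the
// certificate, but the Worker still sees unverified requests unless it
// (or a WAF rule) enforces certVerified itself.
function evaluateClientCert(tlsClientAuth) {
  const auth = tlsClientAuth || {};
  if (auth.certPresented !== "1") return { ok: false, reason: "no-cert" };
  if (auth.certVerified !== "SUCCESS") return { ok: false, reason: "not-verified" };
  if (auth.certRevoked === "1") return { ok: false, reason: "revoked" };
  const issuerCN = extractCN(auth.certIssuerDN);
  if (!TRUSTED_ISSUER_CNS.has(issuerCN)) return { ok: false, reason: "untrusted-issuer" };
  const subjectCN = extractCN(auth.certSubjectDN);
  return { ok: true, reason: "ok", issuerCN, subjectCN, edipi: extractEDIPI(subjectCN) };
}

// Module-syntax Worker handler; in index.js finish with: export default worker
const worker = {
  async fetch(request) {
    const result = evaluateClientCert(request.cf && request.cf.tlsClientAuth);
    if (!result.ok) {
      return new Response(`client certificate rejected: ${result.reason}`, { status: 403 });
    }
    return new Response(JSON.stringify(result, null, 2), {
      headers: { "content-type": "application/json" },
    });
  },
};
```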
Verify Setup

Test that Cloudflare is requesting client certificates:

openssl s_client -connect cac.yourdomain.com:443 -servername cac.yourdomain.com 2>&1 | grep -A 20 "Acceptable client certificate CA names"

You should see your intermediate CA (e.g., DOD ID CA-72) in the list.

Troubleshooting

  • Browser doesn't prompt for certificate: ensure the intermediate CA (not just the root) is uploaded
  • CA uploaded but not in the acceptable list: enable mTLS in the dashboard (Step 4)
  • "Authentication error" on upload: the token needs Account-level SSL and Certificates permissions
  • Certificate parse error: ensure PEM format with only -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines

Refer to the following resources for more information:

Files

  • setup-dod-mtls.sh — Uploads CA and associates hostname
  • index.js — Worker that returns client certificate info
  • wrangler.jsonc — Wrangler configuration

Limitations

  • Enterprise accounts: max 5 BYOCA certificates
  • BYOCA associations are API-only (not visible in dashboard)