Prerequisites for Cloudflare - AppViewX CLM

Cloudflare - AppViewX CLM refers to the integration between Cloudflare's services and AppViewX's Certificate Lifecycle Management (CLM) solution. The integration combines Cloudflare's security and performance capabilities with AppViewX's certificate management features.

Prerequisites

  • An active Cloudflare SaaS account.
  • Internet or proxy connectivity from the AppViewX environment to Cloudflare; all communication between Cloudflare and AppViewX goes through the Cloudflare REST API over HTTPS.
  • The AppViewX public IP must be whitelisted in the firewall.
  • Valid Cloudflare credentials: an API Token or an API Key.
  • Supported certificate format: PEM.

Roles and Permissions

  • The API Token or API Key must have the Zone: Edit and Zone: SSL and Certificates: Edit permissions. Prefer an API Token scoped to only the zones AppViewX manages; an API Key (Global API Key) carries full access to the whole account.

Rest API Endpoints

  • The API is accessed by making HTTPS requests to a versioned endpoint URL, using the GET, POST, PUT, PATCH, and DELETE methods to interact with the available resources.
  • Every endpoint is accessed only over HTTPS (port 443). The current version is Version 4.
  • The stable base URL for all Version 4 HTTPS endpoints is https://api.cloudflare.com/client/v4/.
  • Requests can be authenticated using either of the following methods:
    • API Tokens: Include Authorization: Bearer <API token> in the request header.
      curl -X GET "https://api.cloudflare.com/client/v4/zones/cd7d0123e3012345da9420df9514dad0" \
           -H "Content-Type: application/json" \
           -H "Authorization: Bearer YQSn-xWAQiiEh9qM58wZNnyQS7FUdoqGIUAbrh7T"
    • API Keys: Include X-Auth-Key and X-Auth-Email in the request headers.
      curl -X GET "https://api.cloudflare.com/client/v4/zones/cd7d0123e3012345da9420df9514dad0" \
           -H "Content-Type: application/json" \
           -H "X-Auth-Key: 1234567893feefc5f0q5000bfo0c38d90bbeb" \
           -H "X-Auth-Email: user@example.com"
  • Secrets passed on the curl command line as above end up in shell history and in the process list. For anything beyond a one-off test, read them from an environment variable or a vault (see Credential Types below) rather than typing them inline.
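
The two authentication methods, and the credential check AppViewX performs against the verify endpoint, can be exercised offline with the following added example. This is not AppViewX's or Cloudflare's code: it builds the headers for exactly one method, keeps the secret out of the URL and out of logs, and interprets constructed GET /user/tokens/verify responses (the 30-day expiry margin is this example's own policy, not a Cloudflare rule).

```python
"""Build Cloudflare v4 API credentials and check them before first use.

Added example, not AppViewX's or Cloudflare's code. Implements the two
authentication methods above and interprets GET /user/tokens/verify
responses; the JSON bodies below are constructed for offline use.
"""
import json
import os
from datetime import datetime, timezone
from urllib.request import Request

BASE_URL = "https://api.cloudflare.com/client/v4/"


def build_auth_headers(api_token=None, api_key=None, email=None):
    """Headers for exactly one authentication method.

    Prefer an API Token: it can be scoped to the zones and the two permissions
    the integration needs, whereas the API Key carries full account access.
    """
    headers = {"Content-Type": "application/json"}
    if api_token and not (api_key or email):
        headers["Authorization"] = "Bearer " + api_token
    elif api_key and email and not api_token:
        headers["X-Auth-Key"] = api_key
        headers["X-Auth-Email"] = email
    else:
        raise ValueError("pass api_token alone, or api_key together with email")
    return headers


def verify_request(headers):
    """GET /user/tokens/verify. The credential travels in a header, never in the URL."""
    return Request(BASE_URL + "user/tokens/verify", headers=headers, method="GET")


def evaluate_verify_response(body, now, min_days=30):
    """Return (ok, reason) for a verify response.

    Usable means: the envelope reports success, the token status is "active",
    and any configured expiry is at least min_days away (example policy), so
    the device does not stop communicating in the middle of a renewal.
    """
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    if not data.get("success"):
        errors = "; ".join(e.get("message", "") for e in data.get("errors", []))
        return False, "request failed: " + (errors or "unknown error")
    result = data["result"]
    if result.get("status") != "active":
        return False, "token status is %r" % result.get("status")
    expires_on = result.get("expires_on")
    if expires_on:
        expiry = datetime.fromisoformat(expires_on.replace("Z", "+00:00"))
        days_left = (expiry - now).days
        if days_left < min_days:
            return False, "token expires in %d days" % days_left
    return True, "token active"


def redact(headers):
    """Copy of the headers that is safe to log: secret values masked, e-mail kept."""
    secret = ("Authorization", "X-Auth-Key")
    return {k: ("***" if k in secret else v) for k, v in headers.items()}


# Constructed samples in the shape Cloudflare returns for GET /user/tokens/verify.
SAMPLE_NOW = datetime(2029, 1, 1, tzinfo=timezone.utc)
SAMPLE_VERIFY_ACTIVE = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": {"id": "0" * 32, "status": "active", "expires_on": "2030-01-01T00:00:00Z"},
})
SAMPLE_VERIFY_DISABLED = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": {"id": "0" * 32, "status": "disabled"},
})
SAMPLE_VERIFY_REJECTED = json.dumps({
    "success": False, "result": None, "messages": [],
    "errors": [{"code": 1000, "message": "Invalid API Token"}],
})

if __name__ == "__main__":
    # Read the secret from the environment rather than the command line, so it
    # does not land in shell history or the process list.
    token = os.environ.get("CLOUDFLARE_API_TOKEN", "placeholder-token")
    headers = build_auth_headers(api_token=token)
    print(verify_request(headers).full_url, redact(headers))
    for body in (SAMPLE_VERIFY_ACTIVE, SAMPLE_VERIFY_DISABLED, SAMPLE_VERIFY_REJECTED):
        print(evaluate_verify_response(body, SAMPLE_NOW))
```

Set CLOUDFLARE_API_TOKEN in the environment and hand the returned Request to urllib.request.urlopen to perform the real check; only the redacted headers should ever reach a log line.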

Device Management

Navigate to Inventory > Device > WAF.

General Information for device addition:

  • Account name
  • Data center
  • Cert Sync (Monitored / Managed / Ignored)

Credential Types and Authentication Methods:

  • Credential Type: Manual, AppViewX, or CyberArk.
    • Manual: Two authentication methods are available for the APIs.
      • Token-Based Authentication: Requires the API token.
      • Username & Password Authentication: Requires the username and password.
    • AppViewX: Credentials are retrieved from the AppViewX vault.
    • CyberArk: Credentials are retrieved from the CyberArk vault.
  • Secondary device addition is not applicable.

List of APIs Used at Backend

  • https://api.cloudflare.com/client/v4/user/tokens/verify: Used for credential validation and the device communication check.
  • https://api.cloudflare.com/client/v4/zones: Used to list account and zone details.
  • Account ID, account name, zone ID, zone name, custom certificate quota, and permission details are parsed from these responses and saved in AppViewX.
  • The following are derived from the above API responses:
    • Device communication and status messages
    • List of accounts and their details
    • List of zones and their details
    • Certificate quota and SSL permission details

Discover Operation

  • Certificate content (the certificate body and its key) is not discovered from Cloudflare, because the API does not return it.
  • Only the following certificate attributes are discovered: Resource ID, Zone ID, Host Name, Issuer, Signature, Bundle Method, Priority, Uploaded, Modified, and Expiry time of the SSL certificate.
  • Certificate attributes are discovered per zone through an API call that takes the Zone ID in the request.
  • Device profiles are created based on the zone name in the format: {AppViewX_AccountName}:@{CloudFlare_AccountName}:@{ZoneName}:@{ZoneId}
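
The discovery step described above, as an added example (not AppViewX's or Cloudflare's code): it unwraps the v4 response envelope, follows result_info pagination, builds the device-profile name in the format given, and extracts only the attributes listed. The JSON responses are constructed here in the shape of GET /zones and GET /zones/{zone_id}/custom_certificates; the field names follow the Cloudflare v4 API, and the 30-day expiry horizon is this example's own choice.

```python
"""Turn the two discovery responses into the records AppViewX stores.

Added example, not AppViewX's or Cloudflare's code. The JSON below is
constructed in the shape of GET /zones and GET
/zones/{zone_id}/custom_certificates responses.
"""
import json
from datetime import datetime, timedelta, timezone

PROFILE_FORMAT = "{appviewx_account}:@{cf_account}:@{zone_name}:@{zone_id}"

# Attributes listed in the Discover section -> field in the API response.
CERT_ATTRIBUTES = {
    "Resource ID": "id", "Zone ID": "zone_id", "Host Name": "hosts",
    "Issuer": "issuer", "Signature": "signature", "Bundle Method": "bundle_method",
    "Priority": "priority", "Uploaded": "uploaded_on", "Modified": "modified_on",
    "Expiry": "expires_on",
}


def unwrap(body):
    """Parsed v4 envelope, or a RuntimeError carrying Cloudflare's error text."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    if not data.get("success"):
        raise RuntimeError("; ".join(e.get("message", "?") for e in data.get("errors", [])))
    return data


def next_page(body):
    """Page to fetch next, or None when result_info says all results are in."""
    info = unwrap(body).get("result_info") or {}
    page, per_page = info.get("page", 1), info.get("per_page", 20)
    return page + 1 if page * per_page < info.get("total_count", 0) else None


def zone_records(zones_body, appviewx_account):
    """One record per zone: account and zone identity plus the device-profile name."""
    records = []
    for z in unwrap(zones_body)["result"]:
        rec = {"account_id": z["account"]["id"], "account_name": z["account"]["name"],
               "zone_id": z["id"], "zone_name": z["name"]}
        rec["profile"] = PROFILE_FORMAT.format(
            appviewx_account=appviewx_account, cf_account=rec["account_name"],
            zone_name=rec["zone_name"], zone_id=rec["zone_id"])
        records.append(rec)
    return records


def certificate_attributes(certs_body):
    """Only the discoverable attributes. The list endpoint returns neither the
    certificate body nor the private key, which is why Backup is not possible."""
    return [{label: c.get(field) for label, field in CERT_ATTRIBUTES.items()}
            for c in unwrap(certs_body)["result"]]


def expiring(attributes, now, days=30):
    """Resource IDs of discovered certificates whose Expiry falls within `days` of now."""
    horizon = now + timedelta(days=days)
    return [a["Resource ID"] for a in attributes
            if datetime.fromisoformat(a["Expiry"].replace("Z", "+00:00")) <= horizon]


# Constructed sample responses (identifiers are placeholders).
SAMPLE_NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)
SAMPLE_ZONES = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": [{"id": "023e105f4ecef8ad9ca31a8372d0c353", "name": "example.com",
                "status": "active",
                "account": {"id": "01a7362d577a6c3019a474fd6f485823", "name": "Example Account"}}],
    "result_info": {"page": 1, "per_page": 20, "count": 1, "total_count": 1},
})
SAMPLE_CUSTOM_CERTS = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": [{"id": "7e7b8deba8538af625850b7b2530034c", "hosts": ["example.com", "*.example.com"],
                "issuer": "GlobalSign", "signature": "SHA256WithRSA", "status": "active",
                "bundle_method": "ubiquitous", "priority": 1, "geo_restrictions": {"label": "us"},
                "zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
                "uploaded_on": "2024-01-01T05:20:00Z", "modified_on": "2024-01-01T05:20:00Z",
                "expires_on": "2025-01-01T05:20:00Z"}],
    "result_info": {"page": 1, "per_page": 20, "count": 1, "total_count": 1},
})

if __name__ == "__main__":
    for rec in zone_records(SAMPLE_ZONES, "appviewx-prod"):
        print(rec["profile"])
    attrs = certificate_attributes(SAMPLE_CUSTOM_CERTS)
    print(attrs, expiring(attrs, SAMPLE_NOW), next_page(SAMPLE_ZONES))
```

Loop on next_page until it returns None when an account has more than one page of zones; otherwise zones beyond the first page are silently never discovered.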

Push Operation

  • Cloudflare only accepts publicly trusted certificates with one of the following signature algorithms:
    • SHA256WithRSA
    • SHA1WithRSA
    • ECDSAWithSHA256
    Public CAs stopped issuing SHA-1 signed certificates in 2016 and major browsers no longer trust them, so in practice only the SHA-256 variants are usable.
  • Certificates are parsed and checked for validity before being accepted. Each uploaded certificate must:
    • Be PEM encoded.
    • Not expire within 14 days of the time of upload.
    • Have a Subject Alternative Name (SAN) matching at least one hostname in the zone it is uploaded to.
    • Use a private key of at least the minimum length (currently 2048 bits for RSA and 256 bits, i.e. the P-256 curve or larger, for ECDSA).
    • Be publicly trusted by a major browser unless the User Defined bundling method is used.

Backend APIs in Use

  1. POST Method API for Pushing New Certificates:
    • API Endpoint: https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/custom_certificates
    • This endpoint is used to push new certificates.
      curl -X POST https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/custom_certificates \
           -H "Authorization: Bearer 17b9lxqsnSvQrnyvYdvur8h_Fu6N0iKOirMRuECk" \
           -H "Content-Type: application/json" \
           --data '{"certificate":"-----BEGIN CERTIFICATE-----\n cert content \n-----END CERTIFICATE-----\n","private_key":"-----BEGIN RSA PRIVATE KEY-----\n key content\n-----END RSA PRIVATE KEY-----\n","bundle_method":"ubiquitous","geo_restrictions":{"label":"us"},"type":"sni_custom"}'
    • The request body carries the private key; it is protected in transit only by the HTTPS connection and is then held by Cloudflare. Use the Private Key Restriction field to limit where it is distributed, and make sure request bodies are never written to logs.
  2. PATCH Method API for Replacing Existing Certificates:

Connectors Page Field Definitions

On the Connectors page, the following fields are defined:
  • Certificate Type: Only PEM format is supported.
  • Bundle Method: Dropdown values are Compatible, Modern, and User Defined.
    • API request values (bundle_method): Compatible maps to ubiquitous, Modern maps to optimal, and User Defined maps to force.
  • Private Key Restriction: Dropdown values are:
    • Distribute to all Cloudflare data centers
    • Distribute only to U.S. data centers
    • Distribute only to E.U. data centers
    • Distribute only to highest security data centers
    • API request values (geo_restrictions label), respectively: no input (default, the field is omitted), us, eu, and highest_security.
  • Legacy Client Support: Dropdown values are Modern and Legacy.
    • API request values (type): Modern maps to sni_custom and Legacy maps to legacy_custom.
  • Overwrite: Checkbox option.
    • If selected, the existing certificate is replaced.
    • If not selected, a new certificate is added, subject to the zone's custom certificate quota.
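
The field mappings above and the acceptance rules from the Push section, as an added example that is not AppViewX's or Cloudflare's code: it maps the Connectors-page values to the request body, chooses POST or PATCH according to the Overwrite checkbox, and runs the pre-upload checks before any private key leaves AppViewX. Certificate metadata (expiry, SANs, key type and size, signature algorithm, public trust) is assumed to have been parsed already by the caller; the PATCH path /zones/{zone_id}/custom_certificates/{certificate_id} and the omission of "type" from a PATCH body are taken from the Cloudflare v4 API and are not stated on this page.

```python
"""Map Connectors-page fields to the custom_certificates request and run the
acceptance rules from the Push section before uploading.

Added example, not AppViewX's or Cloudflare's code. Certificate metadata is
assumed already parsed; the PATCH path and the dropping of "type" on PATCH
are assumptions from the Cloudflare v4 API, not from this page.
"""
from datetime import datetime, timedelta, timezone

BASE_URL = "https://api.cloudflare.com/client/v4/"

BUNDLE_METHOD = {"Compatible": "ubiquitous", "Modern": "optimal", "User Defined": "force"}
KEY_RESTRICTION = {
    "Distribute to all Cloudflare data centers": None,  # default: omit geo_restrictions
    "Distribute only to U.S. data centers": "us",
    "Distribute only to E.U. data centers": "eu",
    "Distribute only to highest security data centers": "highest_security",
}
LEGACY_CLIENT = {"Modern": "sni_custom", "Legacy": "legacy_custom"}

ALLOWED_SIGNATURES = {"SHA256WithRSA", "SHA1WithRSA", "ECDSAWithSHA256"}
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}
MIN_DAYS_TO_EXPIRY = 14


def hostname_matches(san, hostname):
    """Match a SAN against a zone hostname; a wildcard covers one left-most label only."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == san[2:]
    return san == hostname


def preflight(cert, zone_hostnames, bundle_method, now):
    """Rule violations for this upload; an empty list means the push may proceed.

    cert: dict with pem, not_after (aware datetime), sans, key_type, key_bits,
    signature and publicly_trusted, i.e. metadata parsed from the certificate.
    """
    problems = []
    if not cert["pem"].startswith("-----BEGIN CERTIFICATE-----"):
        problems.append("certificate is not PEM encoded")
    if cert["not_after"] - now < timedelta(days=MIN_DAYS_TO_EXPIRY):
        problems.append("certificate expires in less than %d days" % MIN_DAYS_TO_EXPIRY)
    if not any(hostname_matches(s, h) for s in cert["sans"] for h in zone_hostnames):
        problems.append("no SAN matches a hostname in the zone")
    if cert["key_type"] not in MIN_KEY_BITS:
        problems.append("unsupported key type %s" % cert["key_type"])
    elif cert["key_bits"] < MIN_KEY_BITS[cert["key_type"]]:
        problems.append("%s key of %d bits is below the minimum" % (cert["key_type"], cert["key_bits"]))
    if cert["signature"] not in ALLOWED_SIGNATURES:
        problems.append("signature algorithm %s is not accepted" % cert["signature"])
    if bundle_method != "User Defined" and not cert["publicly_trusted"]:
        problems.append("certificate is not publicly trusted; only User Defined bundling allows that")
    return problems


def build_push(zone_id, cert_pem, key_pem, bundle_method, key_restriction,
               legacy_client, overwrite=False, existing_id=None):
    """Return (method, url, payload) for the custom_certificates call."""
    payload = {"certificate": cert_pem, "private_key": key_pem,
               "bundle_method": BUNDLE_METHOD[bundle_method],
               "type": LEGACY_CLIENT[legacy_client]}
    label = KEY_RESTRICTION[key_restriction]
    if label:
        payload["geo_restrictions"] = {"label": label}
    if overwrite:
        if not existing_id:
            raise ValueError("Overwrite needs the ID of the certificate being replaced")
        payload.pop("type")  # fixed at creation, not part of the PATCH body (API assumption)
        return "PATCH", BASE_URL + "zones/%s/custom_certificates/%s" % (zone_id, existing_id), payload
    return "POST", BASE_URL + "zones/%s/custom_certificates" % zone_id, payload


def loggable(payload):
    """Copy of the payload safe for logs: the private key must never be written out."""
    safe = dict(payload)
    safe["private_key"] = "***"
    safe["certificate"] = safe["certificate"].splitlines()[0] + " ..."
    return safe


# Constructed sample metadata and PEM placeholders (not real key material).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
CERT_PEM = "-----BEGIN CERTIFICATE-----\ncert content\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nkey content\n-----END PRIVATE KEY-----\n"
GOOD_CERT = {"pem": CERT_PEM, "not_after": datetime(2025, 12, 31, tzinfo=timezone.utc),
             "sans": ["*.example.com", "example.com"], "key_type": "RSA", "key_bits": 2048,
             "signature": "SHA256WithRSA", "publicly_trusted": True}
BAD_CERT = {"pem": CERT_PEM, "not_after": datetime(2025, 1, 10, tzinfo=timezone.utc),
            "sans": ["other.test"], "key_type": "RSA", "key_bits": 1024,
            "signature": "MD5WithRSA", "publicly_trusted": False}

if __name__ == "__main__":
    zone, hosts = "023e105f4ecef8ad9ca31a8372d0c353", ["www.example.com"]
    for cert in (GOOD_CERT, BAD_CERT):
        print(preflight(cert, hosts, "Compatible", SAMPLE_NOW) or "ok")
    method, url, payload = build_push(zone, CERT_PEM, KEY_PEM, "Modern",
                                      "Distribute only to E.U. data centers", "Legacy")
    print(method, url, loggable(payload))
```

Running preflight first means a rejected certificate never has its private key transmitted at all, and the violation list gives the operator the same reasons Cloudflare would have returned, without a round trip.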

Certificate Operations

Bind Operation:

  • Since certificates are imported at the zone level, the Bind operation is not applicable.

Backup Operation:

  • Since certificate content cannot be discovered from Cloudflare, the Backup operation is not applicable.

Rollback Operation:

  • Since the Backup operation is not applicable, reverting to a previously deployed certificate is not possible.
  • Currently, as with other WAF devices, the rollback operation removes the pushed certificate. Users can then push the same certificate again through the connector if it exists in the AppViewX inventory.

Reference

For more information, visit Cloudflare API Documentation.