
cloudlfare_client_cert's Introduction

I won't go through setting up Cloudflare, creating accounts, or how to set up a tunnel; there are plenty of write-ups out there that show you how.

There are two parts: Part 1 is creating the certificate and Part 2 is the Cloudflare WAF.

PART 1

  1. Log in to your Cloudflare site and navigate to SSL/TLS.
  2. Make sure that your Hosts are configured for your site, i.e. *.example.com and example.com
  3. Click Create Certificate

On this page, I only altered the validity period to 15 years and clicked Create.

Next is to create the certificate files.

Create a directory to store both of the files we will create.

  1. Copy each item, Certificate and Private Key (shown above), and create a file for each. The easiest way is to copy the text, head to a command prompt, type in something like `nano client.crt` and paste in the Certificate text. Do not leave any blank lines or extra spaces/text after the -----END CERTIFICATE-----
  2. Press Control + O and Enter to save, then Control + X to close nano and return to the prompt
  3. Repeat the same for the Private Key with something like `nano client.key`. Do not lose these files, as this is the only time Cloudflare will display the Private Key for you (if you lose it you need to start again)

Now that you have these two files, you need to convert them into a format iOS accepts, using OpenSSL. macOS and iOS will not accept certs made with OpenSSL without the `-legacy` flag. If you do not add it, Apple devices will just keep asking you for the password over and over. I do not have Android so I do not know if this legacy flag is needed or not.

At the command prompt type `openssl version` and you might see something like `OpenSSL 3.1.3 19 Sep 2023 (Library: OpenSSL 3.1.3 19 Sep 2023)`. If you do not see any output then you most likely do not have OpenSSL installed and will need to install it now. Just google how to install openssl on xxx, where xxx is windows or mac.

Make sure that the directory you are in contains the two files, then type in `openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out device.p12 -legacy`

Do not worry about any warnings. You should be presented with `Enter Export Password:`. Enter something not too hard, as you have to be able to type it in on the device. At `Verifying - Enter Export Password:` type it again, and the command should finish with no error about the two passwords not matching.
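A bad paste or a key that does not belong to the certificate is easier to catch before the export than on the device. The script below is an added example, not part of the original README; the function names `pem_is_clean`, `cert_matches_key` and `preflight` are hypothetical, and it takes the two file names used above as arguments.

```shell
#!/bin/sh
# Added example: pre-flight checks on the pasted certificate and private key
# before running the pkcs12 export. Not part of the original README.

# The guide's paste rule: exactly one PEM block, and nothing (no blank
# line, spaces or stray text) after the -----END ...----- line.
pem_is_clean() {
    [ -r "$1" ] || return 1
    [ "$(grep -c -e '-----BEGIN ' "$1")" -eq 1 ] || return 1
    tail -n 1 "$1" | grep -Eq -e '^-----END [A-Z ]+-----$'
}

# The public key inside the certificate must equal the public key
# derived from the private key, otherwise the pair cannot be exported.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run every check in order and report the first one that fails.
preflight() {
    cert=$1
    key=$2
    pem_is_clean "$cert" || { echo "FAIL: $cert is not one clean PEM block" >&2; return 1; }
    pem_is_clean "$key" || { echo "FAIL: $key is not one clean PEM block" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "FAIL: $cert has expired" >&2; return 1; }
    echo "OK: $cert and $key are ready for the pkcs12 export"
}

# Usage: sh preflight.sh client.crt client.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```
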

This device.p12 is the file to install on the device. On macOS just double-click it to install. To get it onto your iOS device, use email, text message, iCloud file copy, any means :)

On iOS, when you click the file you will see a message.

Go to your Settings and click Profile Downloaded.

Click Install and follow the prompts.

PART 2

In Cloudflare, where we created the certificate, click Create mTLS Rule.

Create the rule so it looks something like this. You can add more rules if you like, such as Country != <your country>; this will weed out all the spamming bots etc. from China etc. from going any further. Make sure the rules are joined correctly with AND and that Country is NOT EQUAL, because this rule is a BLOCK rule: if you have Country EQUALS your country and you try to connect, you will get blocked.

Shown here, the rule means: if the client certificate is blank/nothing/missing, the rule is BLOCK.

Click Deploy to use the rule
