Zero Trust mTLS Posture Check

This is pretty simple but one can easily get confused. Let me explain.

Wiki updated 2026/4/27 3:47:50 PM by: system

Cloudflare One Updated March 18, 2026

  • The WARP client certificate check requires the ZT admin to upload the signing CA to Cloudflare. The endpoint to upload to is /accounts/{account_id}/mtls_certificates
  • That's where it gets confusing: there is an mTLS option available within the ZT dashboard, but it is completely different from the /accounts/{account_id}/mtls_certificates endpoint.


  • Make sure necessary permissions are in place to upload the certificate.


  • Once the POST request is done, expect a response containing the certificate's ID (a UUID).



  • Use the ID in the WARP client certificate check config.


  • If you're enabling the checkbox to check for the private key, ensure the client certificate on macOS is imported in PKCS#12 (.p12) format.
  • Dashboard log

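As an added example (not Cloudflare's code or this wiki author's), here is the upload step from the list above in Python using only the standard library. It assumes the documented request body of the mtls_certificates endpoint (`ca`, `certificates`, `name`) and that the ID comes back in `result.id`; it also refuses a PEM bundle that carries the CA's private key, since this endpoint only validates client certificates and never needs the key.

```python
"""Upload a signing CA for the WARP client certificate posture check.

Added example, not Cloudflare's own code. Assumed (from the documented
endpoint): body fields "ca", "certificates", "name"; response "result.id".
"""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def build_upload_body(pem_text: str, name: str) -> dict:
    """Build the JSON body for POST /accounts/{account_id}/mtls_certificates.

    The posture check only validates client certs against this CA, so the
    CA's private key has no business here: reject a bundle that contains one
    instead of shipping it to a place that cannot use it.
    """
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("bundle contains a private key; upload the CA certificate only")
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        raise ValueError("no PEM certificate found in bundle")
    return {"name": name, "ca": True, "certificates": pem_text.strip()}


def extract_certificate_id(response: dict) -> str:
    """Return the certificate UUID; this is the value the WARP client
    certificate check configuration asks for."""
    if not response.get("success"):
        raise RuntimeError(f"upload failed: {response.get('errors')}")
    return response["result"]["id"]


def upload_ca(account_id: str, api_token: str, pem_path: str, name: str) -> str:
    """POST the CA and return its ID. Needs network access and a token that
    holds the permissions the page says are required for the upload."""
    with open(pem_path, encoding="utf-8") as fh:
        body = build_upload_body(fh.read(), name)
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/mtls_certificates",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return extract_certificate_id(json.load(resp))


if __name__ == "__main__":
    import sys  # usage: script.py ACCOUNT_ID API_TOKEN ca.pem warp-posture-ca
    print(upload_ca(*sys.argv[1:5]))
```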



Another area that might cause confusion is Settings > Resources > Certificates. Even though you've already added your CA certificate via the mtls_certificates endpoint, you'll see the same certificate listed in the Zero Trust dashboard under Certificates — but marked as "inactive."

This is expected behavior, as the CA certificate doesn't include a private key. The key difference lies in the intended use cases:

- The mtls_certificates endpoint is used solely for certificate validation.
- The Zero Trust {....} > Certificates section is designed for scenarios like presenting block pages or performing deep packet inspection, which require both the certificate and its private key.
