Post-quantum ML-DSA certificates for Authenticated Origin Pulls and Custom Origin Trust Store
Cloudflare now accepts ML-DSA (FIPS 204) post-quantum certificates on the connection between Cloudflare's edge and your origin server. Combined with our existing X25519MLKEM768 key agreement, this lets you establish end-to-end post-quantum authentication on the Cloudflare-to-origin connection.
ML-DSA is supported in two origin-facing features:
- Authenticated Origin Pulls (AOP) — upload an ML-DSA client certificate that Cloudflare will present during the mTLS handshake to your origin. Available at both zone-level and per-hostname scopes.
- Custom Origin Trust Store (COTS) — upload an ML-DSA certificate authority that Cloudflare will trust when validating your origin server certificate under Full (strict) encryption mode.
Refer to Post-quantum signatures for certificate generation and setup guidance, and to PQC in Cloudflare products for the current post-quantum deployment status across Cloudflare.