[ZT] Cert process updates (#19089)

Author: maxvp

src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx

@@ -35,20 +35,24 @@ The certificate is required if you want to [apply HTTP policies to encrypted web
 
 ## Install a certificate using WARP
 
+:::caution[Out of date certificates]
+WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use** and automatically remove any other WARP-installed certificates from your users' devices. To ensure your users' devices have all of your available certificates installed, [update WARP](/cloudflare-one/connections/connect-devices/warp/download-warp/update-warp/#how-to-update-warp).
+:::
+
+To configure WARP to install a root certificate on your organization's devices:
+
 1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare.
 2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
 3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store).
 4. [Install](/cloudflare-one/connections/connect-devices/warp/download-warp/) the WARP client on the device.
 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization.
 6. (Optional) If the device is running macOS Big Sur or newer, [manually trust the certificate](#manually-trust-the-certificate).
 
-WARP versions after 2024.12.554.0 will install all [**Available** certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). These certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). It may take up to 24 hours for newly Available certificates to download onto end user devices.
+WARP will now download any [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#activate-a-root-certificate). It may take up to 24 hours for newly available certificates to download to your users' devices.
 
-Older WARP versions will only install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices.
+After download, WARP will add the certificates to the device's system certificate store in `installed_certs/<certificate_id>.pem` and append the contents to the `installed_cert.pem` file. If you have any scripts using `installed_cert.pem`, Cloudflare recommends you set them to use the individual files in the `installed_certs/` directory instead. `installed_certs.pem` will be deprecated by 2025-06-31.
 
-:::note[Important]
-WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store.
-:::
+WARP does not install certificates to individual applications. You will need to [manually add certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store instead of the system certificate store.
 
 ## Access the installed certificate
 
@@ -86,28 +90,31 @@ To access the installed certificate in Windows:
 
 The WARP client will also place the certificate in `%PROGRAMDATA%\Cloudflare\installed_cert.pem` for reference by scripts or tools.
 
-### Linux
-
-On Linux, the certificate is stored in `/usr/local/share/ca-certificates`. The default Cloudflare certificate name is `managed-warp.pem`.
+### Debian-based Linux distributions
 
-If you cannot find the certificate, run the following commands to update the system store:
+On Debian-based Linux distributions, the certificate is stored in `/usr/local/share/ca-certificates`. The default installed Cloudflare certificate name is `managed-warp.pem`. The WARP client will create a symbolic link named `managed-warp.crt` to use as its root certificate. If your system is not using `managed-warp.crt`, run the following commands to update the system store:
 
-1. Go to the system certificate store.
+1. Update your list of custom CA certificates.
 
    ```sh
-   cd /usr/local/share/ca-certificates
+   sudo update-ca-certificates
    ```
 
-2. Rename the certificate, changing the file extension to `.crt`.
+2. Go to the system certificate store.
 
    ```sh
-   sudo mv managed-warp.pem managed-warp.crt
+   cd /usr/local/share/ca-certificates
    ```
 
-3. Update your list of custom CA certificates.
+3. Verify your system has both the `managed-warp.pem` file and the `managed-warp.crt` symbolic link. For example:
 
    ```sh
-   sudo update-ca-certificates
+   ls -l
+   ```
+
+   ```sh output
+   lrwxrwxrwx 1 root root   49 Jan  3 21:46 managed-warp.crt -> /usr/local/share/ca-certificates/managed-warp.pem
+   -rw-r--r-- 1 root root 1139 Jan  3 21:46 managed-warp.pem
    ```
 
 The WARP client will also place the certificate in `/var/lib/cloudflare-warp/installed_cert.pem` for reference by scripts or tools.

src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx

@@ -15,12 +15,12 @@ Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) fo
 
 Zero Trust will indicate if a certificate is ready for use in inspection based on its deployment status:
 
-| Deployment status    | Description                                                                                                    |
-| -------------------- | -------------------------------------------------------------------------------------------------------------- |
-| Inactive             | The certificate has been generated by or uploaded to Cloudflare but is not deployed across the global network. |
-| Pending              | The certificate is being activated or deactivated for use.                                                     |
-| Available            | The certificate is deployed across the Cloudflare global network and ready to be turned on.                    |
-| Available and In-Use | The certificate is turned on. Gateway will use the certificate for inspection.                                 |
+| Deployment status    | Description                                                                                                                                                      |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Inactive             | The certificate has been generated by or uploaded to Cloudflare but is not deployed across the global network.                                                   |
+| Pending              | The certificate is being activated or deactivated for use.                                                                                                       |
+| Available            | The certificate is deployed across the Cloudflare global network and ready to be turned on. The WARP client will install the certificate on your users' devices. |
+| Available and In-Use | The certificate is turned on. Gateway will use the certificate for inspection.                                                                                   |
 
 ## Generate a Cloudflare root certificate