update mtls device enrollment

ranbel · ranbel · commit 0dda5d77fa2b · 2025-08-05T12:06:59.000-04:00
diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx
@@ -33,25 +33,7 @@ The mTLS certificate is used only to verify the client certificate. It does not
 
 ### Add mTLS to your Access application
 
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Service auth** > **Mutual TLS**.
-
-2. Select **Add mTLS Certificate**.
-
-3. Enter any name for the root CA.
-
-4. In **Certificate content**, paste the contents of your root CA.
-
-	If the client certificate is directly signed by the root CA, you only need to upload the root. If the client certificate is signed by an intermediate certificate, you must upload the entire CA chain (intermediate and root). For example:
-	```txt
-	-----BEGIN CERTIFICATE-----
-	<intermediate.pem>
-	-----END CERTIFICATE-----
-	-----BEGIN CERTIFICATE-----
-	<rootCA.pem>
-	-----END CERTIFICATE-----
-	```
-
-	Do not include any SSL/TLS server certificates; Access only uses the CA chain to verify the connection between the user's device and Cloudflare.
+<Render file="access/add-mtls-cert"  product="cloudflare-one" params={{ product: "access"}}/>
 
 5. In **Associated hostnames**, enter the fully-qualified domain names (FQDN) that will use this certificate.
 
diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/client-certificate.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/client-certificate.mdx
@@ -44,7 +44,7 @@ The Client Certificate device posture attribute checks if the device has a valid
 
 :::note
 
-You can use the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki) to generate a sample root CA for testing.
+To generate a sample root CA for testing, refer to [Generate mTLS certificates](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#generate-mtls-certificates).
 :::
 
 ## Configure the client certificate check
diff --git a/src/content/partials/cloudflare-one/access/add-mtls-cert.mdx b/src/content/partials/cloudflare-one/access/add-mtls-cert.mdx
@@ -0,0 +1,24 @@
+---
+params:
+  - product
+---
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Service auth** > **Mutual TLS**.
+
+2. Select **Add mTLS Certificate**.
+
+3. Enter any name for the root CA.
+
+4. In **Certificate content**, paste the contents of your root CA.
+
+	If the client certificate is directly signed by the root CA, you only need to upload the root. If the client certificate is signed by an intermediate certificate, you must upload the entire CA chain (intermediate and root). For example:
+	```txt
+	-----BEGIN CERTIFICATE-----
+	<intermediate.pem>
+	-----END CERTIFICATE-----
+	-----BEGIN CERTIFICATE-----
+	<rootCA.pem>
+	-----END CERTIFICATE-----
+	```
+
+	{ props.product === "access" && (<> Do not include any SSL/TLS server certificates; Access only uses the CA chain to verify the connection between the user's device and Cloudflare. </>)}
diff --git a/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx b/src/content/partials/cloudflare-one/warp/device-enrollment-mtls.mdx
@@ -3,23 +3,27 @@
 
 ---
 
-import { GlossaryTooltip, Tabs, TabItem } from "~/components"
+import { GlossaryTooltip, Tabs, TabItem, Render, Details } from "~/components"
+
+<Details header="Certificate requirements">
+   <Render file="byo-ca-mtls-cert-requirements" product="ssl" />
+</Details>
 
 To check for an mTLS certificate:
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
-1. [Add an mTLS certificate](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#add-mtls-authentication-to-your-access-configuration) to your account. You can generate a sample certificate using the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-mtls-using-cloudflare-pki).
+<Render file="access/add-mtls-cert"  product="cloudflare-one" params={{ product: "warp"}}/>
 
-2. In **Associated hostnames**, enter your Zero Trust <GlossaryTooltip term="team domain">team domain</GlossaryTooltip>: `<team-name>.cloudflareaccess.com`
+5. In **Associated hostnames**, enter your Zero Trust <GlossaryTooltip term="team domain">team domain</GlossaryTooltip>: `<team-name>.cloudflareaccess.com`
 
-3. In your [device enrollment permissions](#set-device-enrollment-permissions), add a *Common Name* or *Valid Certificate* rule. For example, the following policy requires a client certificate with a specific common name:
+6. In your [device enrollment permissions](#set-device-enrollment-permissions), add a *Common Name* or *Valid Certificate* rule. For example, the following policy requires a client certificate with a specific common name:
 
    | Action | Rule type | Selector    | Value                |
    | ------ | --------- | ----------- | -------------------- |
    | Allow  | Require   | Common Name | `<CERT-COMMON-NAME>` |
 
-4. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
+7. On your device, add the client certificate to the [system keychain](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#test-in-the-browser).
 
 </TabItem> <TabItem label="Terraform (v5)">
 
