Commit 1155a1d

Authored by: dcpena, hyperlint-ai[bot], RebeccaTamachiro, Maddy-Cloudflare
[Learning Path] Added implementation guide for mTLS (#17997)
* Added content and images
* Apply suggestions from code review
  Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
* Implementing feedback
* Update src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
  Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
* Added missing slashes to relative links
* Adding in last bits of feedback
* Implementing additional feedback
* Apply suggestions from code review
  Co-authored-by: Rebecca Tamachiro <[email protected]>
* Additional feedback edits
* Implementing Rebecca's feedback
* Apply suggestions from code review
  Co-authored-by: Maddy <[email protected]>

---------

Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com>
Co-authored-by: Rebecca Tamachiro <[email protected]>
Co-authored-by: Maddy <[email protected]>
1 parent 3ae5175 commit 1155a1d

17 files changed: +560 -0 lines changed

7 image files added (27.5 KB, 36.8 KB, 312 KB, 94.8 KB, 39.7 KB, 64.6 KB, 27.7 KB)

Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
---
2+
title: Benefits of mTLS
3+
pcx_content_type: overview
4+
sidebar:
5+
order: 2
6+
---
7+
8+
- **Stronger authentication**: mTLS ensures mutual verification between the client and server, confirming that both parties are who they claim to be. This two-way authentication mechanism prevents impersonation and man-in-the-middle attacks, significantly enhancing the overall security.
9+
10+
- **End-to-end encryption**: All communication between the client and server is encrypted, providing robust protection against eavesdropping and interception. Even if the data is captured by unauthorized parties, it remains secure and unreadable due to encryption.
11+
12+
- **Preserved data integrity**: mTLS ensures that data remains unaltered during transit. The protocol verifies the integrity of transmitted information, protecting it from tampering or manipulation by malicious actors, ensuring the data's authenticity.
13+
14+
- **Defense against insider threats**: mTLS strengthens internal network security by adding protection against insider threats. Unlike traditional "castle-and-moat" networking, which trusts anything inside the perimeter, mTLS enforces mutual authentication, ensuring all internal communications are verified and secure.
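Review bot: the "End-to-end encryption" bullet overstates what this guide's setup provides. The "mTLS at Cloudflare" page in this same commit scopes the guide to the first connection between the client and Cloudflare, where Cloudflare terminates TLS, so encryption on the Cloudflare-to-origin leg depends on the hostname's SSL/TLS encryption mode rather than on mTLS. Suggest renaming the bullet "Encryption in transit" and adding a clause such as "encryption between Cloudflare and your origin is governed by the [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/)". The same bullet credits mTLS with the encryption benefit, but that is a property of TLS itself; only the "Stronger authentication" bullet describes something specific to the mutual part. The sentence "Even if the data is captured by unauthorized parties, it remains secure and unreadable" would read more accurately as "remains unreadable without the session keys".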
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
---
2+
title: Introducing mTLS
3+
pcx_content_type: overview
4+
sidebar:
5+
label: Introducing mTLS
6+
order: 1
7+
---
8+
9+
Mutual TLS [mTLS](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) authentication uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.
10+
11+
[TLS (Transport Layer Security)](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/) is a widely-used protocol to ensure secure communication over a network. It ensures confidentiality and integrity by encrypting data and validating the server using digital certificates.
12+
13+
Mutual TLS (mTLS) adds an extra layer by authenticating both parties involved in the communication. The client presents a certificate to the server (in this case Cloudflare) and vice versa.
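Review bot: the opening sentence is linked inconsistently with the third paragraph: "Mutual TLS [mTLS](...) authentication" reads as if "mTLS" were a separate word, while the last paragraph writes "Mutual TLS (mTLS)". Suggest "Mutual TLS ([mTLS](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/)) authentication uses client certificates ...". In the same sentence, "demonstrate they can reach a given resource" does not say what the certificate establishes; "demonstrate they are authorized to reach a given resource" matches the authentication framing of the rest of the paragraph. Minor: "Internet-of-things" should be "Internet of Things" to match the IoT abbreviation used on the "mTLS at Cloudflare" page, and "widely-used" does not need the hyphen.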
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
---
2+
title: mTLS at Cloudflare
3+
pcx_content_type: overview
4+
sidebar:
5+
order: 3
6+
---
7+
8+
In this implementation guide we will be focusing on the L7 / Application Layer security for HTTP/S requests targeting [proxied](/dns/manage-dns-records/reference/proxied-dns-records/) hostnames, including the [first connection](/ssl/origin-configuration/ssl-modes/) between client and Cloudflare.
9+
10+
Some common mTLS use cases are:
11+
- Protect and verify legitimate API traffic by verifying Client Certificates provided during TLS/SSL handshakes.
12+
- Check IoT devices' identity by verifying Client Certificates they provide during TLS/SSL handshakes.
13+
14+
There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](/api-shield/)) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences:
15+
16+
| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
17+
| :---- | :---- | :---- |
18+
| Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
19+
| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
20+
| [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
21+
| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
22+
| Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [*cf.tls\_client\_auth.cert\_revoked*](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA. <br /><br /> For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
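Review bot: the two use-case bullets say identity is verified "during TLS/SSL handshakes", but nothing on the page says how a request that presents no certificate, or an invalid one, is actually rejected. The only place enforcement appears is the revocation row of the table, where *cf.tls_client_auth.cert_revoked* is checked from a WAF Custom Rule for the Cloudflare-managed CA and a CRL is enforced in a Cloudflare Worker for Access. Suggest adding one sentence after the bullets stating that presenting a certificate during the handshake is the authentication step and that rejecting unauthenticated requests is a separate, configured step (a WAF custom rule for Application Security, an Access policy for Cloudflare Access), so readers do not assume that enabling mTLS on a hostname blocks traffic by itself. Minor: the two bullets repeat "by verifying Client Certificates ... during TLS/SSL handshakes" nearly verbatim and could be merged; "HTTP/S requests" is clearer as "HTTPS requests" since mTLS only applies to TLS connections; and the "Availability" cell for Access, "Zero Trust Enterprise only feature.", should read "Available only on Zero Trust Enterprise plans."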
