[SSL, CF4SaaS] Clarify CA cert is validated and CNAME config with mTLS (#25667)

RebeccaTamachiro · web-flow · commit 158b0adfcfa1 · 2025-10-08T15:59:14.000+01:00
* Explicitly call out that uploaded CA certs are validated

* Add note about where to enforce mTLS when CNAME is in place

* Improve excessive passive voice
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx
@@ -28,6 +28,8 @@ Once you have [added a custom hostname](/cloudflare-for-platforms/cloudflare-for
 
 :::note
 Currently, you cannot add mTLS policies for custom hostnames using [API Shield](/api-shield/security/mtls/).
+
+Also make sure to enforce mTLS on the specific custom hostname where it should be checked. It is not enough to have it set on the CNAME target.
 :::
 
 ## Minimum TLS Version
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
@@ -69,6 +69,10 @@ Example WAF Custom Rule with action block:
 
 ![Example of a WAF custom rule with an action block in the Cloudflare dashboard during the validate client certificate step](~/assets/images/learning-paths/mtls/waf-custom-rule-action-block.png)
 
+:::note
+When using CNAME, enforce mTLS on the specific hostname where it should be checked. It is not enough to have it set on the CNAME target.
+:::
+
 ## Demo
 
 :::note
diff --git a/src/content/docs/ssl/client-certificates/byo-ca.mdx b/src/content/docs/ssl/client-certificates/byo-ca.mdx
@@ -23,6 +23,8 @@ Bring your own CA (BYOCA) is especially useful if you already have mTLS implemen
 
 ## CA certificate requirements
 
+When you upload your CA, Cloudflare validates the certificate according to certain requirements.
+
 <Render file="byo-ca-mtls-cert-requirements" product="ssl" />
 
 :::note
@@ -71,6 +73,10 @@ Uploading the CA private key is only required if you wish to use [Zero Trust's b
   "action": "block"
 ```
 
+:::note
+When using CNAME, enforce mTLS on the specific hostname where it should be checked. It is not enough to have it set on the CNAME target.
+:::
+
 ### Multiple CAs for one hostname
 
 There can be multiple CAs (Cloudflare-managed or BYOCA) associated with the same hostname. For BYOCA certificates, the most recently deployed certificate will be prioritized.
