Review enable-mtls leveraging LP and new content in this PR

Author: RebeccaTamachiro

src/content/docs/ssl/client-certificates/enable-mtls.mdx

@@ -21,8 +21,19 @@ The domain (`example.com`) is automatically appended for you, so if you want to
 :::
 5. Select **Save** to confirm.
 
+## CAs in use
+
+As explained in [Overview](/ssl/client-certificates/#how-it-works), Cloudflare validates the client certificate against CAs set at account level. This means that these certificates can be used for validation across multiple zones/domains (`example.com`), as long as the zones are under the same Cloudflare account and you have enabled mTLS for the host.
+
+:::note[Bring your own CA]
+If you need to use your own CA (instead of the Cloudflare Managed CA), refer to [BYOCA](/ssl/client-certificates/byo-ca/). This is an API-only option, available on Enterprise accounts. In this case, certificates and hostname associations are **not** listed on your dashboard.
+:::
+
 ## Next steps
 
-After enabling mTLS for your host, you can enforce mTLS with [API Shield](/api-shield/security/mtls/configure/). While API Shield is **not required** to use mTLS, many teams may use mTLS to protect their APIs.
+After enabling mTLS for your host, you can:
+
+- Enforce mTLS with a WAF custom rule. Select **Create mTLS Rule** on the dashboard to use a template, or refer to our [learning path](/learning-paths/mtls/mtls-app-security/#3-validate-the-client-certificate-in-the-waf) for further guidance.
+- Enforce mTLS with [API Shield](/api-shield/security/mtls/configure/). While API Shield is **not required** to use mTLS, many teams may use mTLS to protect their APIs.
 
-<Render file="cloudflare-managed-client-cert" />
+<Render file="cloudflare-managed-client-cert" />