[SSL] More details on cert expiration and renewal (#18290)

RebeccaTamachiro · web-flow · commit 85b003a77529 · 2024-11-26T17:20:32.000Z
* Add note about leaf cert and Cf handling of chain expiration

* Link to cert-validity-periods from USSL glossary definition

* Fix typo and spell out auto renewal 30 days before expiration

* Add link from index and enable-universal-ssl for discoverability

* Add mention to DCV in relation to renewal as well

* Process PCX review suggestions
diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/uploading.mdx
@@ -36,6 +36,10 @@ Each custom certificate you upload must:
 
 ## Upload a custom certificate
 
+:::caution
+When using `compatible` or `modern` [bundling](/ssl/edge-certificates/custom-certificates/bundling-methodologies), make sure to upload only the leaf certificate. This will allow Cloudflare to properly handle [the expiration of intermediate and root certificates](/ssl/edge-certificates/custom-certificates/bundling-methodologies/#intermediate-and-root-certificates).
+:::
+
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
 To upload a custom SSL certificate in the dashboard:
diff --git a/src/content/docs/ssl/edge-certificates/universal-ssl/enable-universal-ssl.mdx b/src/content/docs/ssl/edge-certificates/universal-ssl/enable-universal-ssl.mdx
@@ -10,6 +10,8 @@ import { GlossaryDefinition, Render } from "~/components"
 
 <GlossaryDefinition term="Universal SSL certificate" />
 
+---
+
 The process for activating a Universal SSL certificate depends on your domain's DNS setup.
 
 ## Full DNS setup
@@ -40,6 +42,16 @@ For non-authoritative or [partial domains](/dns/zone-setups/partial-setup/), Uni
 
 Unless you cover and validate multiple subdomains with an [advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/), you will need to proxy and validate new subdomains as they are added.
 
+---
+
 ## Verify your certificate is active
 
 Once you enable Universal SSL, you can review the [activation status](/ssl/reference/certificate-statuses/) in the dashboard at **SSL/TLS** > **Edge Certificates** or via the API with a [GET request](/api/operations/certificate-packs-list-certificate-packs).
+
+---
+
+## Universal SSL renewal
+
+<Render file="universal-ssl-validity" />
+
+If you are on a [partial setup](/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#partial-dns-setup), make sure [Domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/) is configured correctly. Refer to [Troubleshooting DCV](/ssl/edge-certificates/changing-dcv-method/troubleshooting/) for further help.
diff --git a/src/content/docs/ssl/edge-certificates/universal-ssl/index.mdx b/src/content/docs/ssl/edge-certificates/universal-ssl/index.mdx
@@ -27,6 +27,7 @@ If your website or application requires an SSL certificate prior to migrating tr
 
 <FeatureTable id="ssl.universal_certificates" />
 
-## Backup certificates
+## Related resources
 
-For more details, refer to [backup certificates](/ssl/edge-certificates/backup-certificates/).
+- [Backup certificates](/ssl/edge-certificates/backup-certificates/)
+- [Validity period and renewal](/ssl/reference/certificate-validity-periods/#universal-ssl)
diff --git a/src/content/glossary/ssl.yaml b/src/content/glossary/ssl.yaml
@@ -160,7 +160,7 @@ entries:
 
   - term: Universal SSL certificate
     general_definition: |-
-      by default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all domains [added to](/fundamentals/setup/manage-domains/add-site/) and [activated on](/dns/zone-setups/reference/domain-status/) Cloudflare.
+      by default, Cloudflare issues — and [renews](/ssl/reference/certificate-validity-periods/#universal-ssl) — free, unshared, publicly trusted SSL certificates to all domains [added to](/fundamentals/setup/manage-domains/add-site/) and [activated on](/dns/zone-setups/reference/domain-status/) Cloudflare.
 
   - term: validation level
     general_definition: |-
diff --git a/src/content/partials/ssl/universal-ssl-validity.mdx b/src/content/partials/ssl/universal-ssl-validity.mdx
@@ -3,6 +3,8 @@
 
 ---
 
-For Universal certificates, Cloudflare controls the validity periods and certificate autorities (CAs), making sure that renewal always occur.
+For Universal certificates, Cloudflare controls the validity periods and certificate authorities (CAs), making sure that renewal always occur.
 
-Universal certificates issued by Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days.
+Universal certificates issued by Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days.
+
+For 90-day certificates, the auto renewal period starts 30 days before expiration.
