Implmenting feedback

dcpena · dcpena · commit a120fcf5766d · 2024-11-13T15:04:02.000-06:00
diff --git a/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx b/src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx
@@ -11,12 +11,12 @@ Some common mTLS use cases are:
 - Protect and verify legitimate API traffic by verifying Client Certificates they provide during TLS/SSL handshakes.
 - Check IoT devices' identity by verifying Client Certificates they provide during TLS/SSL handshakes.
 
-There are two main ways to use mTLS at Cloudflare, either by using [API Shield](https://developers.cloudflare.com/api-shield/) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences:
+There are two main ways to use mTLS at Cloudflare, either by using the Application Security offering (optionally including [API Shield](api-shield/)) or [Cloudflare Access](/cloudflare-one/policies/access/). Below is a non-exhaustive overview table of their differences:
 
-| Feature | API Shield (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
+| Feature | Application Security (Client Certificate \+ WAF) | Cloudflare Access (mTLS) |
 | :---- | :---- | :---- |
 | Mainly used for | External Authentication (that is, APIs) | Internal Authentication (that is, employees) |
-| Availability | By default, 100 Client Certificates per Zone are included. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
+| Availability | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team. | Zero Trust Enterprise only feature. |
 | [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca)  | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability). | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access). |
 | Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
 | Client Certificates Revocation | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [*cf.tls\_client\_auth.cert\_revoked*](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA. <br /><br /> For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker. |
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
@@ -1,5 +1,5 @@
 ---
-title: mTLS with API Shield
+title: mTLS with Application Security
 pcx_content_type: overview
 sidebar:
   order: 1
@@ -22,6 +22,14 @@ By default, mTLS uses Client Certificates issued by a Cloudflare Managed CA. Clo
 
 3. Select **Create Certificate** to generate the private key (usually referred to as Private Certificate) and Certificate Signing Request (CSR) with Cloudflare (which includes the Public Certificate), or use your own private key and CSR. Using your own allows you to also [label client certificates](/ssl/client-certificates/label-client-certificate/).
 
+To generate and use your own CSR, you can run a command like the following:
+
+```txt
+openssl req -new -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr -subj '/C=GB/ST=London/L=London/O=Organization/CN=CommonName'
+```
+
+Or use a script like this one from [Github](https://github.com/erfianugrah/rootcatest/blob/main/fullgenerator.py).
+
 ## 2. Install the client certificate
 
 In order for a client to utilize the Client Certificate you created, it must be on the devices that you want to use them on. You will want to place them in the same directory as your process / script that targets your APIs / hostnames.
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
@@ -66,12 +66,12 @@ The recommended TLS versions for mTLS are:
 Using outdated versions like TLS 1.0 or 1.1 is not recommended due to known vulnerabilities.
 
 :::note
-For modern mTLS implementations, Elliptic Curve Cryptography (EC) is recommended because it offers faster handshakes and better performance, uses smaller key sizes result in reduced computational overhead while maintaining strong security, and EC is more scalable for large-scale deployments, such as in cloud-native applications, microservices, and mobile networks. RSA is only recommended if you have legacy systems that cannot support EC or if you require compatibility with systems that only work with RSA.
+For modern mTLS implementations, Elliptic Curve Cryptography (EC) and [modern Cipher Suites](/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/) are recommended because it offers faster handshakes and better performance, uses smaller key sizes result in reduced computational overhead while maintaining strong security, and EC is more scalable for large-scale deployments, such as in cloud-native applications, microservices, and mobile networks. RSA is only recommended if you have legacy systems that cannot support EC or if you require compatibility with systems that only work with RSA.
 :::
 
 ## TLS Session Resumption
 
-Browsers connecting to a domain with a [wildcard](/dns/manage-dns-records/reference/wildcard-dns-records/) [Edge Certificate](ssl/edge-certificates/) in place, connecting to the same domain's mTLS subdomain could cause a non-authentication event, due to TLS Session Resumption.
+Browsers connecting to a domain with a [wildcard](/dns/manage-dns-records/reference/wildcard-dns-records/) [Edge Certificate](ssl/edge-certificates/) in place, connecting to the same domain's mTLS subdomain could cause a non-authentication event, due to TLS Session Resumption, or also called [Connection Resumption](/speed/optimization/protocol/0-rtt-connection-resumption/).
 
 It is generally not recommended to use wildcard certificates.
 
@@ -83,7 +83,7 @@ Review the [troubleshooting documentation](/ssl/client-certificates/troubleshoot
 Resumption and renegotiation are essentially opposites. Resumption re-establishes a previous TLS session over a new TCP connection, keeping the same TLS parameters. In contrast, renegotiation updates certain TLS parameters within an existing session, continuing over the same TCP connection.
 :::
 
-If you need to use Client Certificates after the TLS handshake via renegotiation, you'll need to use a prior version. This is because TLS 1.3 doesn't support renegotiation.
+If you need to use Client Certificates after the TLS handshake via renegotiation, you'll need to use a prior TLS version than 1.3. This is because TLS 1.3 doesn't support renegotiation.
 
 For example, if you're using mTLS and you're restricting requests to certain folders, based on a URL path in the request, rather than all content on your origin server, a TLS renegotiation may be triggered. Connections using TLS 1.3 don't support renegotiation.
 
@@ -96,7 +96,7 @@ Contact your account team for more information.
 ## WAF for Client Certificates
 
 :::note
-[Revoked](/api-shield/security/mtls/configure/#check-for-revoked-certificates) Client Certificates are not automatically blocked unless you have an active WAF Custom Rule specifically checking for and blocking them. This check only applies to Client Certificates issued by the Cloudflare-managed CA. Cloudflare currently does not check certificate revocation lists (CRL) for CAs that have been uploaded by the customer ([BYO CA](/ssl/client-certificates/byo-ca/)). One can opt for Workers to manage a custom business logic and block revoked Client Certificates. See the [Workers section](placeholder) for more information.
+[Revoked](/api-shield/security/mtls/configure/#check-for-revoked-certificates) Client Certificates are not automatically blocked unless you have an active WAF Custom Rule specifically checking for and blocking them. This check only applies to Client Certificates issued by the Cloudflare-managed CA. Cloudflare currently does not check certificate revocation lists (CRL) for CAs that have been uploaded by the customer ([BYO CA](/ssl/client-certificates/byo-ca/)). One can opt for Workers to manage a custom business logic and block revoked Client Certificates. See the [Workers section](/learning-paths/mtls/mtls-workers/) for more information.
 :::
 
 In order to effectively implement mTLS with Cloudflare, it is strongly recommended to properly configure the [Cloudflare WAF](/waf/). Review the available []`cf.tls_*`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_cipher) dynamic fields.
@@ -119,6 +119,14 @@ Another example WAF Custom Rule with action block, using the [cf.tls_client_auth
 (http.request.uri.path in {"/headers"} and http.host in {"mtls.example.com" "mtls2.example.com"} and not cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_fingerprint_sha256 ne "ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT")
 ```
 
+Here's another example of a WAF custome rule to associate a serial number with a hostname: 
+
+```txt
+(http.host in {"mtls.example.com" "mtls2.example.com"} and cf.tls_client_auth.cert_serial ne "ADD_STRING_OF_CLIENT_CERT_SERIAL")
+```
+
+This expression will check for a specific [Client Certificate serial number](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_serial) linked to specific hostnames, allowing for more granular control. 
+
 ## Rate Limiting by Client Certificates
 
 By enabling [forwarding a certificate](/ssl/client-certificates/enable-mtls/#cloudflare-api) via the Cloudflare API, the first request of an mTLS connection will include the following headers:
@@ -140,8 +148,12 @@ With the same characteristics...
 
 ## Cloudflare API Shield
 
-In addition to mTLS, customers can purchase [API Shield](/api-shield/) features, such as API Discovery, API Routing, Volumetric Abuse Detection, Sequence Mitigation, JWT Validation, and Schema Validation.
+In addition to mTLS, customers can purchase [API Shield](/api-shield/) features, such as API Discovery, API Routing, Volumetric Abuse Detection, Sequence Mitigation, JWT Validation, Schema Validation, and more.
 
 ## Cloudflare Workers
 
-Cloudflare Workers can provide details around the Client Certificate, such as returning information via headers to the client or to the origin server. Learn more in the [mTLS with Workers section](placeholder) below.
+Cloudflare Workers can provide details around the Client Certificate, such as returning information via headers to the client or to the origin server. Learn more in the [mTLS with Workers section](/learning-paths/mtls/mtls-workers/) below.
+
+
+:::note
+Snippets do not support any [Bindings](/workers/runtime-apis/bindings/) and does not work with mTLS.
diff --git a/src/content/docs/learning-paths/mtls/mtls-implementation/index.mdx b/src/content/docs/learning-paths/mtls/mtls-implementation/index.mdx
@@ -11,6 +11,8 @@ There are different ways to implement mTLS authentication. The most common ones
 
 This version of mTLS is for device certificates, primarily focused on the number of IoT devices, not user devices.
 
+here we recommend using [mTLS with Application Security](/learning-paths/mtls/mtls-app-security/).
+
 ## Option 2: mTLS User Authentication
 
 When a user wants to establish a secure connection with a server, they present their certificate to the server, which verifies its authenticity. Once the certificate is authenticated, an encrypted connection is established between the user and the server, and all data transmitted between them is encrypted to protect against interception by third parties.
diff --git a/src/content/docs/learning-paths/mtls/mtls-workers/index.mdx b/src/content/docs/learning-paths/mtls/mtls-workers/index.mdx
@@ -49,9 +49,9 @@ The response when using the browser with a P12 Certificate to visit the mTLS hos
 
 ```txt
 {
-  "X-CERT-ISSUER-DN": "CN=Managed CA eb72da6777f630a3116117a141717763,OU=www.cloudflare.com,O=Cloudflare\\, Inc.,L=San Francisco,ST=California,C=US",
+  "X-CERT-ISSUER-DN": "CN=Managed CA abcdefghijklmnopq123456789,OU=www.cloudflare.com,O=Cloudflare\\, Inc.,L=San Francisco,ST=California,C=US",
   "X-CERT-SUBJECT-DN": "CN=Cloudflare,C=US",
-  "X-CERT-ISSUER-DN-L": "/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./OU=www.cloudflare.com/CN=Managed CA eb72da6777f630a3116117a141717763",
+  "X-CERT-ISSUER-DN-L": "/C=US/ST=California/L=San Francisco/O=Cloudflare, Inc./OU=www.cloudflare.com/CN=Managed CA abcdefghijklmnopq123456789",
   "X-CERT-SUBJECT-DN-L": "/C=US/CN=Cloudflare",
   "X-CERT-SERIAL": "37C52778E2F1820CC6342172A0E0ED33A4555F8B",
   "X-CERT-FINGER": "161e3a2089add0b2134ec43c9071f460e9f4b898",
