signing cert clarification

Author: deadlypants1973

src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate.mdx

@@ -78,7 +78,7 @@ openssl x509 -in <CUSTOM-ROOT-CERT>.pem -text
 
 <TabItem label="API">
 
-1. <Render file="upload-mtls-cert" params={{ one: " " }} />
+1. <Render file="upload-mtls-cert" params={{ one: " ", cert: "root CA" }} />
 
 2. Set the certificate as available for use in inspection with the [Activate a Zero Trust certificate endpoint](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/). This will deploy the certificate across the Cloudflare global network.
 

src/content/docs/cloudflare-one/identity/devices/warp-client-checks/client-certificate.mdx

@@ -53,6 +53,7 @@ You can use the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access
    	file="upload-mtls-cert"
    	params={{
    		one: "The private key is only required if you are using this custom certificate for Gateway HTTPS inspection.",
+   		cert: "signing certificate",
    	}}
    />
 
@@ -79,7 +80,7 @@ You can use the [Cloudflare PKI toolkit](/cloudflare-one/identity/devices/access
       	private key must be in `PEM` format. They can either be in two different
       	files or the same file.
       </Details>
-   4. **Certificate ID**: Enter the UUID of the root CA.
+   4. **Certificate ID**: Enter the UUID of the signing certificate.
    5. **Common name**: (Optional) To check for a specific common name on the client certificate, enter a string with optional `${serial_number}` and `${hostname}` variables (for example, `${serial_number}_mycompany`). WARP will search for an exact, case-insensitive match. If you do not specify a common name, WARP will ignore the common name field on the certificate.
    6. **Check for Extended Key Usage**: (Optional) Check whether the client certificate has one or more attributes set. Supported values are **Client authentication** (`1.3.6.1.5.5.7.3.2`) and/or **Email** (`1.3.6.1.5.5.7.3.4`).
    7. **Check for private key**: (Recommended) When enabled, WARP checks that the device has a private key associated with the client certificate.
@@ -192,4 +193,4 @@ Certificate:
 
 </Tabs>
 
-For the posture check to pass, a certificate must appear in the output that validates against the uploaded root CA.
+For the posture check to pass, a certificate must appear in the output that validates against the uploaded signing certificate.

src/content/partials/cloudflare-one/upload-mtls-cert.mdx

@@ -4,7 +4,7 @@ inputParameters: param1
 
 import { Markdown } from "~/components";
 
-Use the [Upload mTLS certificate endpoint](/api/resources/mtls_certificates/methods/create/) to upload the certificate and private key to Cloudflare. The certificate must be a root CA, formatted as a single string with `\n` replacing the line breaks. {props.one}
+Use the [Upload mTLS certificate endpoint](/api/resources/mtls_certificates/methods/create/) to upload the certificate and private key to Cloudflare. The certificate must be a {props.cert}, formatted as a single string with `\n` replacing the line breaks. {props.one}
 
 ```sh
 curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/mtls_certificates" \