You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx
+62-1Lines changed: 62 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,6 +7,8 @@ banner:
7
7
content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
8
8
---
9
9
10
+
import { Tabs, TabItem } from"~/components";
11
+
10
12
Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
11
13
12
14
Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/).
@@ -26,38 +28,97 @@ Zero Trust will indicate if a certificate is ready for use in inspection based o
26
28
27
29
To generate a new Cloudflare root certificate for your Zero Trust organization:
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
30
34
2. In **Certificates**, select **Manage**.
31
35
3. Select **Generate certificate**.
32
36
4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days.
33
37
5. Select **Generate certificate**.
34
38
39
+
</TabItem>
40
+
41
+
<TabItemlabel="API">
42
+
43
+
Send a `POST` request to the [Create Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/create/) endpoint.
The API will respond with the ID and contents of the new certificate.
52
+
53
+
</TabItem> </Tabs>
54
+
35
55
The certificate will appear in your list of certificates as **Inactive**. To download a generated certificate, select it, then choose **Download .pem** and/or **Download .crt**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate).
36
56
37
57
Each Zero Trust account can generate a new root certificate a maximum of three times per day.
38
58
39
59
## Activate a root certificate
40
60
41
61
:::note
42
-
Zero Trust accounts using the Cloudflare certificate prior to 2024-10-17 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after 2024-10-17 will use an available certificate by default.
62
+
Zero Trust accounts using the default Cloudflare certificate prior to 2024-10-17 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after 2024-10-17 will use an available certificate by default.
43
63
:::
44
64
45
65
Once a certificate is generated in or uploaded to Zero Trust, you need to activate it. Activating a certificate deploys it across the Cloudflare network. You can have up to 25 available certificates at once.
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
50
72
2. In **Certificates**, select **Manage**.
51
73
3. Select the certificate you want to activate.
52
74
4. Select **Activate**.
53
75
76
+
</TabItem>
77
+
78
+
<TabItemlabel="API">
79
+
80
+
Send a `POST` request to the [Activate a Zero Trust certificate](/api/resources/zero_trust/subresources/gateway/subresources/certificates/methods/activate/) endpoint.
The status of the certificate will change to **Pending** while it deploys. Once the status of your certificate is **Available**, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) or [manually](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/).
55
91
56
92
Once you deploy and install your certificate, you can turn it on for use in inspection:
1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
59
97
2. In **Certificates**, select **Manage**.
60
98
3. Select the certificate you want to turn on.
61
99
4. In **Basic information**, select **Confirm and turn on certificate**.
62
100
101
+
</TabItem>
102
+
103
+
<TabItemlabel="API">
104
+
105
+
Send a `PUT` request to the [Update Zero Trust account configuration](/api/resources/zero_trust/subresources/gateway/subresources/configurations/methods/update/) endpoint. For example:
You can set multiple certificates to **Available**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Available** and prevent them from being used for inspection until turned on again.
0 commit comments