[CF1] signing cert clarification

Author: deadlypants1973

src/content/docs/cloudflare-one/identity/devices/warp-client-checks/client-certificate.mdx

@@ -30,6 +30,15 @@ The Client Certificate device posture attribute checks if the device has a valid
 ## Prerequisites
 
 - A CA that issues client certificates for your devices. WARP does not evaluate the certificate trust chain; this needs to be the issuing certificate.
+
+  :::caution[Upload the signing certificate that directly issued the client certificate]
+
+  When uploading a certificate to use in posture checks, Cloudflare does not differentiate between root and intermediate certificates. You must upload the actual signing certificate – the one that directly signed the client certificate.
+
+  The signing certificate might be an intermediate CA, not the root CA. If you upload the wrong certificate (for example, a root that did not sign the client cert), the posture check will fail.
+
+  :::
+
 - Cloudflare WARP client is [deployed](/cloudflare-one/connections/connect-devices/warp/deployment/) on the device.
 - A client certificate is [installed and trusted](#configure-the-client-certificate-check) on the device.