[ZT] Cert troubleshooting section (#19615)

Author: maxvp

src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx

@@ -13,6 +13,13 @@ Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/po
 
 Zero Trust [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/).
 
+:::caution[Default WARP certificate expiring on 2025-02-02]
+
+The default Cloudflare certificate will expire on 2025-02-02.
+
+Review how this change will impact certificate propagation to your end-user devices and how to address browser issues in [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning).
+:::
+
 ## Certificate status
 
 Zero Trust will indicate if a certificate is ready for use in inspection based on its deployment status:

src/content/docs/cloudflare-one/faq/troubleshooting.mdx

@@ -186,3 +186,80 @@ Gateway does not support this downgrade mechanism. When receiving the `HTTP_1_1_
 If you see an error with the title `This site can't provide a secure connection` and a subtitle of `<hostname> uses an unsupported protocol`, you must [order an Advanced Certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate).
 
 If you added a [multi-level subdomain](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-connect-an-application) (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#2a-connect-an-application) as Cloudflare's Universal certificate will not cover the public hostname by default.
+
+## As of February 2, 2025, my end-user device's browser is returning a `Your connection is not private` warning.
+
+### Why am I getting this error?
+
+The default global Cloudflare root certificate expires on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must [generate a new certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) and activate it for your Zero Trust organization to avoid inspection errors. If you did not generate a new certificate before February 2, 2025, you will encounter browser warnings like `Your connection is not private`.
+
+Starting with WARP client version 2024.12.554.0 and later, the WARP client will automatically install Cloudflare certificates in an end-user device's certificate store as soon as the Cloudflare certificates appear as **Available** in the Cloudflare dashboard.
+
+For WARP client versions prior to 2024.12.554.0, certificates had to be marked as **In-Use** in the Cloudflare dashboard before the WARP client could push the Cloudflare certificates to an end-user device's certificate store.
+
+### What do I need to do?
+
+Before deploying a new certificate, [update WARP](/cloudflare-one/connections/connect-devices/warp/download-warp/update-warp/#how-to-update-warp) to version 2024.12.554.0 or newer.
+
+For WARP client versions before and after 2024.12.554.0, certificate propagation will only occur when the WARP client is responsible for automatically installing the certificate on the client device. To enable the WARP client to propogate certificates:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
+2. Turn on **Install CA to system certificate store**.
+
+If **Install CA to system certificate store** is turned off, you must [manually install the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/), use an [MDM solution](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software) to distribute the Cloudflare certificate to your fleet of devices, or not use the Cloudflare certificate because you do not want to have TLS decryption enabled. [TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) must be enabled to enforce Gateway HTTP policies for HTTPS traffic.
+
+After enabling certificate propagation, you must update your certificate:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**, then select **Manage** next to **Cloudflare certificates**.
+2. Select **Generate certificate**.
+3. Select the expiration date for this new certificate (five years is the default, but this can be adjusted) and select **Generate certificate**.
+4. The new certificate will be marked **Inactive** at first. Select the **three dots** to the right of the certificate, then select **Activate** to activate the certificate.
+
+For WARP versions on or above 2024.12.554.0, selecting **Activate** will download the new certificate to end-user devices.
+
+Certificate propagation to end-user devices can take up to 24 hours, but can be expedited by resetting the encryption keys.
+
+To reset the encryption keys:
+
+1. Open the WARP GUI on your device.
+2. Select the gear icon on the top right > **Preferences**.
+3. Select **Connection**, then select **Reset Encryption Keys**.
+
+macOS Big Sur and newer releases do not allow WARP to automatically trust the certificate. You must either [manually trust the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/#macos) as the user or [use a MDM to trust the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software).
+
+After confirming that the certificate is installed and trusted on the end-user device, mark the certificate as **In-Use**. To mark the certificate as **In-Use**:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**, then select **Manage** next to **Cloudflare certificates**.
+2. Select a certificate.
+3. In the detailed menu under **Basic Information**, select **Confirm and turn on certificate**.
+4. Once turned on, the new certificate will now show as **In-Use** in Zero Trust. **In-Use** indicates that the certificate is being used for inspection.
+
+It is recommended to have end users disconnect and reconnect WARP to expedite this change being reflected on their local machine. To verify the new certificate is being used correctly:
+
+1. Connect to WARP.
+2. Visit an HTTPS site.
+3. Verify that no certificate error is enountered.
+
+Additionally, you can check the certificate used within your browser by viewing the certificate (steps vary by browser, but you can generally do this check by selecting the lock icon next to the URL) and verifying the Organizational Unit (OU) does not reference `ECC Certificate Authority`.
+
+The new certificate will be valid until the configured expiration date.
+
+### I followed all the instructions but I am still having problems with my certificate.
+
+If the new certificate is not activating on the end-user device or you are getting a `Certificate is missing` warning even though the certificate is marked **In-Use**. Refer to the following troubleshooting options:
+
+1. Rotate the keys used by WARP to force activate the new certificate by running:
+
+   ```sh
+   warp-cli tunnel rotate-keys
+   ```
+
+2. [Upgrade](/cloudflare-one/connections/connect-devices/warp/download-warp/update-warp/#how-to-update-warp) to WARP version 2024.12.554.0.
+
+   Some customers who are on versions earlier than 2024.11.309.0 have experienced inconsistencies with certificate installation and may need to upgrade.
+
+3. Turn off TLS Decryption.
+
+If no measure is working quickly and you are encountering browser warnings that are blocking work, [turning off TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption) will prevent HTTP policies from being enforced and will ensure websites resolve until the certificate can be deployed to more user devices.
+
+Turning off TLS decryption should be a temporary measure. TLS decryption should be turned on if you need to enforce HTTP policies and log traffic for HTTPS traffic.