[SSL] Cert replacement status and API Access requirement (#21917)

RebeccaTamachiro · Oxyjun · web-flow · commit f453eb4c66a1 · 2025-04-23T14:02:52.000Z
* Add dedicated section for cert replacement

* Add API Access note to Origin CA setup page

* Apply suggestions from code review

Co-authored-by: Jun Lee &lt;junlee@cloudflare.com&gt;

---------

Co-authored-by: Jun Lee &lt;junlee@cloudflare.com&gt;
diff --git a/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx b/src/content/docs/ssl/origin-configuration/origin-ca/index.mdx
@@ -36,6 +36,9 @@ To create an Origin CA certificate in the dashboard:
 2. Choose a domain.
 3. Go to **SSL/TLS** > **Origin Server**.
 4. Select **Create Certificate**.
+:::note[API Access required]
+Users who do not have [**API Access**](https://dash.cloudflare.com/?to=/:account/members) will receive an error while trying to perform this action. Refer to [Troubleshooting](/ssl/origin-configuration/origin-ca/troubleshooting/#this-zone-is-either-not-part-of-your-account-or-you-do-not-have-access-to-it) for guidance.
+:::
 5. Choose either:
    * **Generate private key and CSR with Cloudflare**: Private key type can be RSA or ECC.
    * **Use my private key and CSR**: Paste the Certificate Signing Request into the text field.
diff --git a/src/content/docs/ssl/reference/certificate-statuses.mdx b/src/content/docs/ssl/reference/certificate-statuses.mdx
@@ -9,7 +9,7 @@ description: Understand certificate statuses in Cloudflare SSL/TLS, including st
 Certificates statuses show which stage of the issuance process each certificate is in.
 ## New certificates
 
-When you order a new certificate, either an [edge certificate](/ssl/edge-certificates/) or a certificate used for a [custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/), its status will move through various stages as it progresses to Cloudflare’s global network:
+When you order a new certificate, either an [edge certificate](/ssl/edge-certificates/) or a certificate used for a [custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/), its status will move through various stages as it progresses to Cloudflare's global network:
 
 1. Initializing
 2. Pending Validation
@@ -21,6 +21,12 @@ Once you issue a certificate, it should be in **Pending Validation**, but change
 
 If you deactivate a certificate, it will become a **Deactivating** and then an **Inactive** status.
 
+### Certificate replacement
+
+When replacing a certificate, you may note a **Pending Cleanup** status. Old certificates are not deleted until the replacement has been successfully issued. This ensures TLS will not break for the hostname while the certificate is being replaced.
+
+When the new certificate is successfully issued and activated, the status for the old certificate will transition from **Pending Cleanup**, and the certificate will be deleted.
+
 ## Custom certificates
 
 If you are using a [custom certificate](/ssl/edge-certificates/custom-certificates/) and your [zone status](/dns/zone-setups/reference/domain-status/) is **Pending** or **Moved**, your certificate may have a status of **Holding Deployment**.
