cloudflare · ranbel · Oct 22, 2024 · Oct 8, 2024 · Oct 8, 2024 · Oct 8, 2024
@@ -37,7 +37,6 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
 
 - [Connect your private network](/cloudflare-one/connections/connect-networks/private-net/) to Cloudflare using `cloudflared` or WARP Connector.
 - [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on user devices in Gateway with WARP mode.
-- Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on user devices.
 
 ## 1. Add a target
 

@@ -25,7 +25,7 @@ import { Tabs, TabItem, Badge, Render } from "~/components";
 To connect your devices to Cloudflare:
 
 1. [Deploy the WARP client](/cloudflare-one/connections/connect-devices/warp/deployment/) on your devices in Gateway with WARP mode.
-2. Install and trust the [Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your devices.
+2. [Enable the Gateway proxy for TCP](/cloudflare-one/policies/gateway/proxy/#enable-the-gateway-proxy).
 3. [Create device enrollment rules](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/) to determine which devices can enroll to your Zero Trust organization.
 
 ## 3. Route private network IPs through WARP
@@ -58,6 +58,14 @@ To generate a Cloudflare SSH CA and get its public key:
 ### Modify your SSHD config
 <Render file="ssh/modify-sshd" />
 
+:::note
+For certain distributions, such as Amazon Linux 1 (based on RHEL), the certificate file permissions must be set to `600`. You can set file permissions with the following command:
+
+```sh
+chmod 600 /etc/ssh/ca.pub
+```
+:::
+
 ### Restart your SSH server
 <Render file="ssh/restart-server" />
 
@@ -69,6 +77,8 @@ Users can use any SSH client to connect to the target, as long as they are logge
 ssh <username>@<target IP>
 ```
 
+SSH with Access for Infrastructure also supports `scp` and `rsync` commands. At this time, `sftp` is not supported.
+
 For more information, refer to the [Access for Infrastructure documentation](/cloudflare-one/applications/non-http/infrastructure-apps/#connect-as-a-user).
 
 ## SSH command logs

@@ -11,12 +11,12 @@ To create a new target:
 
 <Tabs syncKey="dashPlusAPI">
 <TabItem label="Dashboard">
-1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Network** > **Targets**.
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Networks** > **Targets**.
 2. Select **Add a target**.
 3. In **Target hostname**, enter a user-friendly name for the target resource. We recommend using the server hostname, for example `production-server`. The hostname does not need to be unique and can be reused for multiple targets. Hostnames are used to define the subset of targets included in an infrastructure application and are not used in DNS address resolution.
 	<Details header="Format restrictions">
 			- Case insensitive
-			- Contain no more than 255 characters
+			- Contain no more than 253 characters
 			- Contain only alphanumeric characters, `-`, or `.` (no spaces allowed)
 			- Start and end with an alphanumeric character
 	</Details>

@@ -3,15 +3,27 @@
 
 ---
 
-import { Render } from "~/components"
+import { Render, Details } from "~/components"
 
-1. Make a `POST` request to the Cloudflare API with your email address and [API key](/fundamentals/api/get-started/keys/) as request headers.
+1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
 
-   ```bash
-   curl --request POST \
-   "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
-   --header "X-Auth-Email: <EMAIL>" \
-   --header "X-Auth-Key: <API_KEY>"
-   ```
+		| Type    | Item             | Permission |
+		| ------- | ---------------- | ---------- |
+		| Account | Access: SSH Auditing | Edit       |
 
-2. Copy the `public_key` value returned in the response.
+2. If you have not yet generated a Cloudflare SSH CA, make a `POST` request to the Cloudflare API:
+
+		```bash
+		curl --request POST \
+		"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca" \
+		--header "Authorization: Bearer <API_TOKEN>"
+		```
+
+3. If you have already created a Cloudflare SSH CA or receive the error message `access.api.error.gateway_ca_already_exists`, make a `GET` request instead:
+
+		```bash
+		curl https://api.cloudflare.com/client/v4/accounts/{account_id}/access/gateway_ca \
+		--header "Authorization: Bearer <API_TOKEN>"
+		```
+
+4. Copy the `public_key` value returned in the response.