From a5fb713f2e5997a013039f808b43215850fb338c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 21 Oct 2024 15:36:55 -0500 Subject: [PATCH 01/11] Set multiple certs as active --- .../connect-devices/warp/user-side-certificates/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 048ecb878397e0..96dc593ad54bdf 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx @@ -58,6 +58,6 @@ The status of the certificate will change to **Pending** while it deploys. Once 3. Select the certificate you want to turn on. 4. In **Basic information**, select **Confirm and turn on certificate**. -Only one certificate can be turned on for inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. +You can set multiple certificates to **Active** at a time, but you can only turn on one certificate for use in inspection. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/). From a6b3f88746aea26e11642650669362dc694c4515 Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Mon, 21 Oct 2024 16:32:19 -0500 Subject: [PATCH 02/11] Add download cert limitation --- .../connect-devices/warp/user-side-certificates/index.mdx | 8 ++++---- .../user-side-certificates/install-cert-with-warp.mdx | 6 +++--- .../user-side-certificates/install-cloudflare-cert.mdx | 4 ++++ 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 96dc593ad54bdf..0ef0d4535c31f4 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx @@ -11,6 +11,8 @@ Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/po Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). +## Certificate status + Zero Trust will indicate if a certificate is ready for use in inspection based on its deployment status: | Deployment status | Description | @@ -22,10 +24,6 @@ Zero Trust will indicate if a certificate is ready for use in inspection based o ## Generate a Cloudflare root certificate -:::note[Certificate generation limitation] -Each Zero Trust account can generate a new root certificate a maximum of three times per day. -::: - To generate a new Cloudflare root certificate for your Zero Trust organization: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 
@@ -36,6 +34,8 @@ To generate a new Cloudflare root certificate for your Zero Trust organization: The certificate will appear in your list of certificates as **Inactive**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate). +Each Zero Trust account can generate a new root certificate a maximum of three times per day. + ## Activate a root certificate :::note diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 94660a758c33a4..3f9e67f61c4487 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx @@ -35,7 +35,7 @@ The certificate is required if you want to [apply HTTP policies to encrypted web 1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare. 2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP client**. -3. Enable **Install CA to system certificate store**. +3. Turn on **Install CA to system certificate store**. 4. [Install](/cloudflare-one/connections/connect-devices/warp/download-warp/) the WARP client on the device. 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. 
@@ -44,7 +44,7 @@ If a custom certificate is not provided, WARP will install the default [Cloudfla Next, [verify](#access-the-installed-certificate) that the certificate was successfully installed. :::note[Important] -WARP only installs the system certificate — it does not install the certificate on individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications) to applications that rely on their own certificate store. +WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications) to applications that rely on their own certificate store. ::: ## Access the installed certificate @@ -109,6 +109,6 @@ The certificate is also placed in `/var/lib/cloudflare-warp/installed_cert.pem` ## Uninstall the certificate -If the certificate was installed by the WARP client, it is automatically removed when you disable **Install CA to system certificate store** or [uninstall WARP](/cloudflare-one/connections/connect-devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications). +If the certificate was installed by the WARP client, it is automatically removed when you turn off **Install CA to system certificate store** or [uninstall WARP](/cloudflare-one/connections/connect-devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications). To manually remove the certificate, refer to the instructions supplied by your operating system or the third-party application. 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx index 432164f8b58b21..f7f47e3e866779 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx @@ -20,6 +20,10 @@ If your device does not support [certificate installation via WARP](/cloudflare- ## Download the Cloudflare root certificate +:::note[Certificate download limitation] +You can only download certificates from the Zero Trust dashboard. +::: + First, [generate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) and download the Cloudflare certificate. The certificate is available in both `.pem` and `.crt` file format. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case. 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. From 486f081dec51e3e4533713edc590f77985a232f9 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 21 Oct 2024 16:48:09 -0500 Subject: [PATCH 03/11] Update download cert limitation --- .../warp/user-side-certificates/install-cloudflare-cert.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx index f7f47e3e866779..e97ba2b0175656 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx 
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx @@ -20,7 +20,7 @@ If your device does not support [certificate installation via WARP](/cloudflare- ## Download the Cloudflare root certificate -:::note[Certificate download limitation] +:::note[Download limitation] You can only download certificates from the Zero Trust dashboard. ::: @@ -29,7 +29,7 @@ First, [generate](/cloudflare-one/connections/connect-devices/warp/user-side-cer 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 2. In **Certificates**, select **Manage**. 3. Select the certificate you want to download. -4. Select either **Download .pem** or **Download .crt**. +4. Depending on which format you want, select **Download .pem** and/or **Download .crt**. ### Verify the downloaded certificate From 627929c86c76a6ea8dbead5bafe5b8f65223a28f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 21 Oct 2024 17:12:07 -0500 Subject: [PATCH 04/11] Refine instructions --- .../connect-devices/warp/user-side-certificates/index.mdx | 2 +- .../warp/user-side-certificates/install-cert-with-warp.mdx | 6 ++++-- .../warp/user-side-certificates/install-cloudflare-cert.mdx | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 0ef0d4535c31f4..65b3c807a8548e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -32,7 +32,7 @@ To generate a new Cloudflare root certificate for your Zero Trust organization: 4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days. 5. Select **Generate certificate**. -The certificate will appear in your list of certificates as **Inactive**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate). +The certificate will appear in your list of certificates as **Inactive**. To download a generated certificate, select it, then choose **Download .pem** and/or **Download .crt**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate). Each Zero Trust account can generate a new root certificate a maximum of three times per day. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 3f9e67f61c4487..93619cff513421 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx 
@@ -34,13 +34,15 @@ The certificate is required if you want to [apply HTTP policies to encrypted web ## Install the certificate using WARP 1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare. -2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP client**. -3. Turn on **Install CA to system certificate store**. +2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. +3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store). 4. [Install](/cloudflare-one/connections/connect-devices/warp/download-warp/) the WARP client on the device. 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. If a custom certificate is not provided, WARP will install the default [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#download-the-cloudflare-root-certificate) in the system keychain for all users. If you uploaded a custom certificate, the WARP client will deploy your custom certificate instead of the Cloudflare certificate. +WARP will only install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). If you turn on a new certificate for inspection, WARP will automatically install that certificate to your users' devices. + Next, [verify](#access-the-installed-certificate) that the certificate was successfully installed. :::note[Important] 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx index e97ba2b0175656..e802453749e1ef 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx @@ -29,7 +29,7 @@ First, [generate](/cloudflare-one/connections/connect-devices/warp/user-side-cer 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**. 2. In **Certificates**, select **Manage**. 3. Select the certificate you want to download. -4. Depending on which format you want, select **Download .pem** and/or **Download .crt**. +4. Depending on which format you want, choose **Download .pem** and/or **Download .crt**. ### Verify the downloaded certificate From 2887e15427b77072774b3338a74d19d5f403ef21 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 21 Oct 2024 17:13:46 -0500 Subject: [PATCH 05/11] Disambiguate multiple active certs --- .../connect-devices/warp/user-side-certificates/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 65b3c807a8548e..9df2535f8d9d31 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -58,6 +58,6 @@ The status of the certificate will change to **Pending** while it deploys. Once 3. Select the certificate you want to turn on. 4. In **Basic information**, select **Confirm and turn on certificate**. -You can set multiple certificates to **Active** at a time, but you can only turn on one certificate for use in inspection. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. +You can set multiple certificates to **Active**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/). From 14662f92496876bafcceb1cea083b36aa7031910 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 10:39:28 -0500 Subject: [PATCH 06/11] Make macOS version more emcompassing --- .../warp/user-side-certificates/install-cert-with-warp.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 93619cff513421..7761da4b81c6b8 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx 
@@ -73,7 +73,7 @@ To access the installed certificate in macOS: 4. If the certificate is trusted by all users, Keychain Access will display **This certificate is marked as trusted for all users**. :::note -Certain macOS versions (such as macOS Ventura `13.5`) do not allow WARP to automatically trust the certificate. To manually trust the certificate: +Certain macOS versions (including macOS Ventura `13.5` and newer) do not allow WARP to automatically trust the certificate. To manually trust the certificate: 1. Select **Trust**. 2. Set **When using this certificate** to _Always Trust_. From 0b0ece0cb81792e72c5588829279754ec4e866ab Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 10:45:33 -0500 Subject: [PATCH 07/11] Improve WARP cert install location wording --- .../warp/user-side-certificates/install-cert-with-warp.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 7761da4b81c6b8..73b3a45f1916c5 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx @@ -61,7 +61,7 @@ To access the installed certificate in Windows: The default Cloudflare certificate is named **Cloudflare for Teams ECC Certificate Authority**. -The certificate is also placed in `%ProgramData%\Cloudflare\installed_cert.pem` for reference by scripts or tools. +The WARP client will also place the certificate in `%ProgramData%\Cloudflare\installed_cert.pem` for reference by scripts or tools. ### macOS 
@@ -81,7 +81,7 @@ Certain macOS versions (including macOS Ventura `13.5` and newer) do not allow W Alternatively, you can configure your mobile device management (MDM) to automatically trust the certificate on all of your organization's devices. ::: -The certificate is also placed in `/Library/Application Support/Cloudflare/installed_cert.pem` for reference by scripts or tools. +The WARP client will also place the certificate in `/Library/Application Support/Cloudflare/installed_cert.pem` for reference by scripts or tools. ### Linux @@ -107,7 +107,7 @@ If you cannot find the certificate, run the following commands to update the sys sudo update-ca-certificates ``` -The certificate is also placed in `/var/lib/cloudflare-warp/installed_cert.pem` for reference by scripts or tools. +The WARP client will also place the certificate in `/var/lib/cloudflare-warp/installed_cert.pem` for reference by scripts or tools. ## Uninstall the certificate From 4baf3e8f16aca373f47891026c04f2c3f6834e1f Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 11:56:43 -0500 Subject: [PATCH 08/11] Improve macOS guidance --- .../install-cert-with-warp.mdx | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 73b3a45f1916c5..4da930855c0f11 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx 
@@ -38,10 +38,11 @@ The certificate is required if you want to [apply HTTP policies to encrypted web 3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store). 4. [Install](/cloudflare-one/connections/connect-devices/warp/download-warp/) the WARP client on the device. 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. +6. (Optional) If the device is running macOS Ventura `13.5` or newer, [manually trust the certificate](#manually-trust-the-certificate). If a custom certificate is not provided, WARP will install the default [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#download-the-cloudflare-root-certificate) in the system keychain for all users. If you uploaded a custom certificate, the WARP client will deploy your custom certificate instead of the Cloudflare certificate. -WARP will only install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). If you turn on a new certificate for inspection, WARP will automatically install that certificate to your users' devices. +WARP will only install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). If you turn on a new certificate for inspection, WARP will automatically install the new certificate to your users' devices and remove the old certificate. Next, [verify](#access-the-installed-certificate) that the certificate was successfully installed. 
@@ -72,16 +73,16 @@ To access the installed certificate in macOS: 3. Open your certificate. The default Cloudflare certificate is named **Cloudflare for Teams ECC Certificate Authority**. 4. If the certificate is trusted by all users, Keychain Access will display **This certificate is marked as trusted for all users**. -:::note -Certain macOS versions (including macOS Ventura `13.5` and newer) do not allow WARP to automatically trust the certificate. To manually trust the certificate: +The WARP client will also place the certificate in `/Library/Application Support/Cloudflare/installed_cert.pem` for reference by scripts or tools. + +#### Manually trust the certificate + +macOS Ventura `13.5` and newer do not allow WARP to automatically trust the certificate. To manually trust the certificate: 1. Select **Trust**. 2. Set **When using this certificate** to _Always Trust_. Alternatively, you can configure your mobile device management (MDM) to automatically trust the certificate on all of your organization's devices. -::: - -The WARP client will also place the certificate in `/Library/Application Support/Cloudflare/installed_cert.pem` for reference by scripts or tools. ### Linux From 87bbc2cef52dfba11e8445a09845e1481512ec46 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 12:07:29 -0500 Subject: [PATCH 09/11] Improve OS flow --- .../user-side-certificates/install-cert-with-warp.mdx | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 4da930855c0f11..54ef5b0e570416 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx 
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx 
@@ -40,11 +40,7 @@ The certificate is required if you want to [apply HTTP policies to encrypted web 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. 6. (Optional) If the device is running macOS Ventura `13.5` or newer, [manually trust the certificate](#manually-trust-the-certificate). -If a custom certificate is not provided, WARP will install the default [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#download-the-cloudflare-root-certificate) in the system keychain for all users. If you uploaded a custom certificate, the WARP client will deploy your custom certificate instead of the Cloudflare certificate. - -WARP will only install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). If you turn on a new certificate for inspection, WARP will automatically install the new certificate to your users' devices and remove the old certificate. - -Next, [verify](#access-the-installed-certificate) that the certificate was successfully installed. +WARP will install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). This certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices. :::note[Important] WARP only installs the system certificate -- it does not install the certificate to individual applications. 
You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications) to applications that rely on their own certificate store. @@ -52,6 +48,8 @@ WARP only installs the system certificate -- it does not install the certificate ## Access the installed certificate +After installing the certificate using WARP, you can verify successful installation by accessing the device's system certificate store. + ### Windows To access the installed certificate in Windows: From 465a306eff13e954a7eb15354480faf64a23c0ab Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 12:18:06 -0500 Subject: [PATCH 10/11] Other style additions --- .../warp/user-side-certificates/install-cert-with-warp.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 54ef5b0e570416..82f980f93481c2 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx 
@@ -110,6 +110,6 @@ The WARP client will also place the certificate in `/var/lib/cloudflare-warp/ins ## Uninstall the certificate -If the certificate was installed by the WARP client, it is automatically removed when you turn off **Install CA to system certificate store** or [uninstall WARP](/cloudflare-one/connections/connect-devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications). +If the certificate was installed by the WARP client, it is automatically removed when you turn on another certificate in Zero Trust, turn off **Install CA to system certificate store**, or [uninstall WARP](/cloudflare-one/connections/connect-devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications). To manually remove the certificate, refer to the instructions supplied by your operating system or the third-party application. From 898ef219902c2f77b06d77fb0aa25575948e167c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 12:19:03 -0500 Subject: [PATCH 11/11] Clarify another cert --- .../warp/user-side-certificates/install-cert-with-warp.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 82f980f93481c2..9b9a4c38243b56 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx 
@@ -110,6 +110,6 @@ The WARP client will also place the certificate in `/var/lib/cloudflare-warp/ins ## Uninstall the certificate -If the certificate was installed by the WARP client, it is automatically removed when you turn on another certificate in Zero Trust, turn off **Install CA to system certificate store**, or [uninstall WARP](/cloudflare-one/connections/connect-devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications). +If the certificate was installed by the WARP client, it is automatically removed when you turn on another certificate for inspection in Zero Trust, turn off **Install CA to system certificate store**, or [uninstall WARP](/cloudflare-one/connections/connect-devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications). To manually remove the certificate, refer to the instructions supplied by your operating system or the third-party application.
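
Review bot: the context line just above the new `## Certificate status` heading in [PATCH 02/11] (`index.mdx`, hunk `@@ -11,6 +11,8 @@`) still reads "deploys its across the Cloudflare global network". Since this hunk edits the adjacent lines, change "its" to "it" in the same commit so the typo does not survive the restructuring.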
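
Review bot: the three-per-day generation limit now sits below the procedure in [PATCH 02/11] (`index.mdx`, hunks `@@ -22,10 +24,6 @@` and `@@ -36,6 +34,8 @@`), so a reader only meets it after step 5, "Select **Generate certificate**". Consider stating the limit in the sentence that introduces the steps ("To generate a new Cloudflare root certificate ...") so that anyone planning a rotation sees the quota before they start spending it.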
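
Review bot: the added note "You can only download certificates from the Zero Trust dashboard." in [PATCH 02/11] (`install-cloudflare-cert.mdx`, hunk `@@ -20,6 +20,10 @@`) can be read two ways: that downloading is the only action available, or that the dashboard is the only download source. Move "only" next to what it restricts ("You can download certificates only from the Zero Trust dashboard") and name what is not supported. It would also help to reconcile this with `install-cert-with-warp.mdx`, which documents an on-disk `installed_cert.pem` "for reference by scripts or tools", since readers may take that file as a second way to obtain the certificate.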
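
Review bot: the replacement line in the `:::note[Important]` callout in [PATCH 02/11] (`install-cert-with-warp.mdx`, hunk `@@ -44,7 +44,7 @@`) uses a literal `--` between two independent clauses, which will render as two hyphens unless the site converts it. Splitting it into two sentences avoids the punctuation question: "WARP only installs the system certificate. It does not install the certificate to individual applications."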
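
Review bot: the sentence added after "**Inactive**" in [PATCH 04/11] (`index.mdx`, hunk `@@ -32,7 +32,7 @@`) repeats the download steps that `install-cloudflare-cert.mdx` already carries under "Download the Cloudflare root certificate", and the two copies were worded differently within this same series ("select" in 03, "choose" in 04). Link to that section instead of restating it. If the sentence stays, say explicitly whether a certificate can be downloaded while it is still **Inactive**, because its position between the status sentence and the activation sentence implies that without stating it.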
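
Review bot: the reworded paragraph in [PATCH 05/11] (`index.mdx`, hunk `@@ -58,6 +58,6 @@`, also touched by 01) uses "turn on" and **In-Use** for what appears to be the same state, and then "any other turned on certificates", without ever saying they are equivalent. Tie the action to the status once, for example "Turning on a certificate sets its status to **In-Use**", and link to `#certificate-status` so that readers checking which root is actually intercepting traffic have one unambiguous term. The trailing context line also has "your user's devices", where 04 uses "your users' devices".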
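
Review bot: new step 6 in [PATCH 08/11] (`install-cert-with-warp.mdx`, hunk `@@ -38,10 +38,11 @@`) is labelled "(Optional)", but the section it links to says macOS Ventura `13.5` and newer "do not allow WARP to automatically trust the certificate". On those devices the step is conditional, not optional, so drop "(Optional)" and let the "If the device is running ..." clause do the scoping. Mentioning the MDM alternative in the step would also keep administrators from assuming a per-device manual action is the only route.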
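
Review bot: the steps under the new `#### Manually trust the certificate` heading in [PATCH 08/11] (`install-cert-with-warp.mdx`, hunk `@@ -72,16 +73,16 @@`) begin at "Select **Trust**", which only makes sense with the certificate already open in Keychain Access. That was implied while the steps lived in a note under the access procedure, but step 6 now links straight to this heading. Add a first step that points back to opening the certificate, or say that the steps continue from the list above. "macOS Ventura `13.5` and newer" would also read more clearly as "macOS 13.5 (Ventura) and newer", since Ventura names only the 13.x releases.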
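
Review bot: the replacement paragraph in [PATCH 09/11] (`install-cert-with-warp.mdx`, hunk `@@ -40,11 +40,7 @@`) says WARP will "install the new certificate and remove the old certificate from your users' devices", yet the callout immediately below it says WARP only handles the system store, and the Uninstall section says WARP does not remove manually installed certificates. Add a sentence stating that, after a new certificate is turned on, applications with their own certificate store still hold the old root and need the new one added by hand. Without it the paragraph reads as if rotation is fully automatic. The rewrite also drops the earlier detail that the certificate goes into "the system keychain for all users", which is worth keeping if it still holds.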