cloudflare · maxvp · Oct 22, 2024 · Oct 21, 2024 · Oct 21, 2024 · Oct 21, 2024
@@ -11,6 +11,8 @@ Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/po
 
 Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/).
 
+## Certificate status
+
 Zero Trust will indicate if a certificate is ready for use in inspection based on its deployment status:
 
 | Deployment status | Description                                                                                                    |
@@ -22,10 +24,6 @@ Zero Trust will indicate if a certificate is ready for use in inspection based o
 
 ## Generate a Cloudflare root certificate
 
-:::note[Certificate generation limitation]
-Each Zero Trust account can generate a new root certificate a maximum of three times per day.
-:::
-
 To generate a new Cloudflare root certificate for your Zero Trust organization:
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
@@ -34,7 +32,9 @@ To generate a new Cloudflare root certificate for your Zero Trust organization:
 4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days.
 5. Select **Generate certificate**.
 
-The certificate will appear in your list of certificates as **Inactive**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate).
+The certificate will appear in your list of certificates as **Inactive**. To download a generated certificate, select it, then choose **Download .pem** and/or **Download .crt**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate).
+
+Each Zero Trust account can generate a new root certificate a maximum of three times per day.
 
 ## Activate a root certificate
 
@@ -58,6 +58,6 @@ The status of the certificate will change to **Pending** while it deploys. Once
 3. Select the certificate you want to turn on.
 4. In **Basic information**, select **Confirm and turn on certificate**.
 
-Only one certificate can be turned on for inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again.
+You can set multiple certificates to **Active**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again.
 
 Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/).
@@ -34,21 +34,22 @@ The certificate is required if you want to [apply HTTP policies to encrypted web
 ## Install the certificate using WARP
 
 1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare.
-2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP client**.
-3. Enable **Install CA to system certificate store**.
+2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
+3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store).
 4. [Install](/cloudflare-one/connections/connect-devices/warp/download-warp/) the WARP client on the device.
 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization.
+6. (Optional) If the device is running macOS Ventura `13.5` or newer, [manually trust the certificate](#manually-trust-the-certificate).
 
-If a custom certificate is not provided, WARP will install the default [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#download-the-cloudflare-root-certificate) in the system keychain for all users. If you uploaded a custom certificate, the WARP client will deploy your custom certificate instead of the Cloudflare certificate.
-
-Next, [verify](#access-the-installed-certificate) that the certificate was successfully installed.
+WARP will install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). This certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices.
 
 :::note[Important]
-WARP only installs the system certificate — it does not install the certificate on individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications) to applications that rely on their own certificate store.
+WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications) to applications that rely on their own certificate store.
 :::
 
 ## Access the installed certificate
 
+After installing the certificate using WARP, you can verify successful installation by accessing the device's system certificate store.
+
 ### Windows
 
 To access the installed certificate in Windows:
@@ -59,7 +60,7 @@ To access the installed certificate in Windows:
 
 The default Cloudflare certificate is named **Cloudflare for Teams ECC Certificate Authority**.
 
-The certificate is also placed in `%ProgramData%\Cloudflare\installed_cert.pem` for reference by scripts or tools.
+The WARP client will also place the certificate in `%ProgramData%\Cloudflare\installed_cert.pem` for reference by scripts or tools.
 
 ### macOS
 
@@ -70,16 +71,16 @@ To access the installed certificate in macOS:
 3. Open your certificate. The default Cloudflare certificate is named **Cloudflare for Teams ECC Certificate Authority**.
 4. If the certificate is trusted by all users, Keychain Access will display **This certificate is marked as trusted for all users**.
 
-:::note
-Certain macOS versions (such as macOS Ventura `13.5`) do not allow WARP to automatically trust the certificate. To manually trust the certificate:
+The WARP client will also place the certificate in `/Library/Application Support/Cloudflare/installed_cert.pem` for reference by scripts or tools.
+
+#### Manually trust the certificate
+
+macOS Ventura `13.5` and newer do not allow WARP to automatically trust the certificate. To manually trust the certificate:
 
 1. Select **Trust**.
 2. Set **When using this certificate** to _Always Trust_.
 
 Alternatively, you can configure your mobile device management (MDM) to automatically trust the certificate on all of your organization's devices.
-:::
-
-The certificate is also placed in `/Library/Application Support/Cloudflare/installed_cert.pem` for reference by scripts or tools.
 
 ### Linux
 
@@ -105,10 +106,10 @@ If you cannot find the certificate, run the following commands to update the sys
    sudo update-ca-certificates
    ```
 
-The certificate is also placed in `/var/lib/cloudflare-warp/installed_cert.pem` for reference by scripts or tools.
+The WARP client will also place the certificate in `/var/lib/cloudflare-warp/installed_cert.pem` for reference by scripts or tools.
 
 ## Uninstall the certificate
 
-If the certificate was installed by the WARP client, it is automatically removed when you disable **Install CA to system certificate store** or [uninstall WARP](/cloudflare-one/connections/connect-devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications).
+If the certificate was installed by the WARP client, it is automatically removed when you turn on another certificate for inspection in Zero Trust, turn off **Install CA to system certificate store**, or [uninstall WARP](/cloudflare-one/connections/connect-devices/warp/remove-warp/). WARP does not remove certificates that were installed manually (for example, certificates added to third-party applications).
 
 To manually remove the certificate, refer to the instructions supplied by your operating system or the third-party application.
@@ -20,12 +20,16 @@ If your device does not support [certificate installation via WARP](/cloudflare-
 
 ## Download the Cloudflare root certificate
 
+:::note[Download limitation]
+You can only download certificates from the Zero Trust dashboard.
+:::
+
 First, [generate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) and download the Cloudflare certificate. The certificate is available in both `.pem` and `.crt` file format. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case.
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
 2. In **Certificates**, select **Manage**.
 3. Select the certificate you want to download.
-4. Select either **Download .pem** or **Download .crt**.
+4. Depending on which format you want, choose **Download .pem** and/or **Download .crt**.
 
 ### Verify the downloaded certificate