From 56addd5cf09dcfda7c9c463605460213c58f23ca Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 15:17:56 -0500 Subject: [PATCH 1/3] Rename manual-deployment --- public/_redirects | 1 + .../connections/connect-devices/warp/remove-warp.mdx | 2 +- .../connect-devices/warp/troubleshooting/common-issues.mdx | 6 +++--- .../warp/user-side-certificates/custom-certificate.mdx | 2 +- .../connect-devices/warp/user-side-certificates/index.mdx | 2 +- .../warp/user-side-certificates/install-cert-with-warp.mdx | 4 ++-- .../{install-cloudflare-cert.mdx => manual-deployment.mdx} | 0 .../policies/gateway/application-app-types.mdx | 2 +- .../docs/cloudflare-one/policies/gateway/block-page.mdx | 4 ++-- .../policies/gateway/http-policies/common-policies.mdx | 2 +- .../policies/gateway/http-policies/tls-decryption.mdx | 2 +- .../docs/magic-wan/zero-trust/cloudflare-gateway.mdx | 2 +- 12 files changed, 15 insertions(+), 14 deletions(-) rename src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/{install-cloudflare-cert.mdx => manual-deployment.mdx} (100%) diff --git a/public/_redirects b/public/_redirects index 903e3e3c58c2547..aab837bcc8543d7 100644 --- a/public/_redirects +++ b/public/_redirects 
@@ -1631,6 +1631,7 @@ /cloudflare-one/connections/connect-devices/warp/deployment/macOS-Teams/ /cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/ 301 /cloudflare-one/connections/connect-devices/warp/device-enrollment/ /cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/ 301 /cloudflare-one/connections/connect-devices/warp/warp-settings/ /cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/ 301 +/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/ /cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/ 301 /cloudflare-one/connections/connect-networks/locations/ /cloudflare-one/connections/connect-devices/agentless/dns/locations/ 301 /cloudflare-one/connections/connect-networks/monitor-tunnels/grafana/ /cloudflare-one/tutorials/grafana/ 301 /cloudflare-one/connections/connect-networks/use-cases/kubectl/ /cloudflare-one/tutorials/many-cfd-one-tunnel/ 301 diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/remove-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/remove-warp.mdx index 0eb835513dd7299..604a72dac363bac 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/remove-warp.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/remove-warp.mdx @@ -55,5 +55,5 @@ sudo apt remove cloudflare-warp :::note -If you [manually deployed the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/), remember to manually delete the certificate from the device. +If you [manually deployed the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/), remember to manually delete the certificate from the device. ::: 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues.mdx index c4dda2203eacc41..bb9e411d0634f45 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/troubleshooting/common-issues.mdx 
@@ -126,11 +126,11 @@ If the root CA is not installed on the device, you will see untrusted certificat #### Solution -[Install the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) on all of your devices, or [upload your own certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) to Cloudflare. +[Install the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/) on all of your devices, or [upload your own certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) to Cloudflare. :::note -More and more applications (including browsers) are relying on their own certificate stores. In addition to ensuring the root certificate is trusted at the device level, you may also need to [add the certificate to individual applications](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications). For example, to use Firefox on Linux, you must install the certificate on both the system and on Firefox. +More and more applications (including browsers) are relying on their own certificate stores. In addition to ensuring the root certificate is trusted at the device level, you may also need to [add the certificate to individual applications](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#add-the-certificate-to-applications). For example, to use Firefox on Linux, you must install the certificate on both the system and on Firefox. ::: 
@@ -156,7 +156,7 @@ Some applications do not support SSL inspection or are otherwise [incompatible w Applications such as Firefox, Docker, Python, and npm rely on their own certificate store and the Cloudflare root certificate must be trusted in each. -Refer to [our instructions](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications) for adding the root certificate to common applications. For applications not on our list, try searching the Internet for ` proxy support` or ` proxy certificate`. +Refer to [our instructions](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) for adding the root certificate to common applications. For applications not on our list, try searching the Internet for ` proxy support` or ` proxy certificate`. #### Solution (last resort) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx index c7787e58cc1c8ca..fa1513ff3444d68 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate.mdx 
@@ -14,7 +14,7 @@ import { Render, Tabs, TabItem } from "~/components"; Only available on Enterprise plans. ::: -Enterprise customers who do not wish to install the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required the Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/block-page/). +Enterprise customers who do not wish to install the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required the Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/block-page/). :::caution Custom certificates are limited to use between your users and the Gateway proxy. Connections between Gateway and the origin server will use the Cloudflare certificate. 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 9df2535f8d9d311..4fbeef119fe8b2e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx @@ -60,4 +60,4 @@ The status of the certificate will change to **Pending** while it deploys. Once You can set multiple certificates to **Active**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. -Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/). +Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/). diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx index 9b9a4c38243b56e..62c6e25a8226825 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx 
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx @@ -27,7 +27,7 @@ import { Details } from "~/components"; * Only supported on Debian-based systems. -The WARP client can automatically install the Cloudflare certificate (or a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/)) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/). +The WARP client can automatically install the Cloudflare certificate (or a [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/)) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/). The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), display custom block pages, and more. 
@@ -43,7 +43,7 @@ The certificate is required if you want to [apply HTTP policies to encrypted web WARP will install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). This certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices. :::note[Important] -WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications) to applications that rely on their own certificate store. +WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store. ::: ## Access the installed certificate diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx similarity index 100% rename from src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert.mdx rename to src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx index 786e1bd1167198d..1a6f452c01e4eef 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx @@ -62,7 +62,7 @@ Gateway automatically groups applications incompatible with TLS decryption into :::note[Install Cloudflare certificate manually to allow TLS decryption] -Instead of creating a Do Not Inspect policy for an application, you may be able to configure the application to [trust the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications). Doing so will allow the application to function without losing visibility into your traffic. +Instead of creating a Do Not Inspect policy for an application, you may be able to configure the application to [trust the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#add-the-certificate-to-applications). Doing so will allow the application to function without losing visibility into your traffic. ::: #### Microsoft 365 integration diff --git a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx index c437fdaa93c1d9e..43d80ee5f1b2d7c 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/block-page.mdx 
@@ -15,7 +15,7 @@ Gateway supports custom block pages for DNS and HTTP policies. ## Prerequisites -In order to display the block page as the URL of the blocked domain, your devices must have the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). +In order to display the block page as the URL of the blocked domain, your devices must have the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/) installed. Enterprise users can also [deploy their own root CA certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). ## Turn on the block page @@ -32,7 +32,7 @@ To turn on the block page and specify a custom block message: ## Troubleshoot the block page -If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/) on their devices. +If your users receive a security risk warning in their browser when visiting a blocked page, check that you have correctly [installed the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/) on their devices. ## Customize the block page diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx index 3cdc7512e815e1b..33e835c72201879 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/common-policies.mdx 
@@ -100,7 +100,7 @@ For more information on supported file types, refer to [Download and Upload File ## Block Google services -To enable Gateway inspection for Google Drive traffic, you must [add the Cloudflare certificate to Google Drive](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#google-drive-for-desktop). +To enable Gateway inspection for Google Drive traffic, you must [add the Cloudflare certificate to Google Drive](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#google-drive-for-desktop). ### Block Google Drive uploads diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx index 42880c1eaba4c50..cd0a811787042eb 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx 
@@ -39,7 +39,7 @@ Applications that use certificate pinning and mTLS authentication do not trust t If you try to perform TLS decryption, these applications may not load or may return an error. To resolve this issue, you can: -- Add the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/#add-the-certificate-to-applications) to supported applications. +- Add the [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to supported applications. - Create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) to exempt applications from inspection. The [Application selector](/cloudflare-one/policies/gateway/http-policies/#application) provides a list of trusted applications that are known to use embedded certificates. - Configure a [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/split-tunnels/) in Include mode to ensure Gateway will only inspect traffic destined for your IPs or domains. This is useful for organizations that deploy Zero Trust on users' personal devices or otherwise expect personal applications to be used. diff --git a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx index 18e33c619059dcc..f1d7ff52001f49a 100644 --- a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx +++ b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx 
@@ -14,7 +14,7 @@ You can apply network and HTTP Gateway policies alongside [Magic Firewall](/magi ## HTTPS filtering -In order to inspect HTTPS traffic, you need to install the Cloudflare root certificate on each client device. You can use the [WARP client](/cloudflare-one/connections/connect-devices/warp/) to [automatically install the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) on supported devices. If your device or application does not support certificate installation via WARP, you can [manually install the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/). The certificate is required for Cloudflare to [decrypt TLS](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). +In order to inspect HTTPS traffic, you need to install the Cloudflare root certificate on each client device. You can use the [WARP client](/cloudflare-one/connections/connect-devices/warp/) to [automatically install the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) on supported devices. If your device or application does not support certificate installation via WARP, you can [manually install the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/). The certificate is required for Cloudflare to [decrypt TLS](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). If you cannot or do not want to install the certificate, you can create [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policies to exempt incompatible Magic WAN traffic from inspection or to disable TLS decryption entirely. 
Because Gateway cannot discern Magic WAN traffic, you must use [WARP client checks](/cloudflare-one/identity/devices/warp-client-checks/) or the IP addresses associated with Magic WAN to match traffic with Gateway policies. For example, if your organization onboards devices to Magic WAN via WARP, you can exempt devices not running WARP using [OS version checks](/cloudflare-one/identity/devices/warp-client-checks/os-version/): From b7f730eb665529f69b7c8e1b4f932b25047abb39 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 15:21:01 -0500 Subject: [PATCH 2/3] Rename automated-deployment --- public/_redirects | 1 + .../warp/configure-warp/warp-settings/index.mdx | 2 +- ...ert-with-warp.mdx => automated-deployment.mdx} | 0 .../warp/user-side-certificates/index.mdx | 2 +- .../user-side-certificates/manual-deployment.mdx | 2 +- .../docs/cloudflare-one/faq/troubleshooting.mdx | 2 +- .../enable-tls-decryption.mdx | 15 +++++++-------- .../build-http-policies/tls-inspection.mdx | 2 +- .../magic-wan/zero-trust/cloudflare-gateway.mdx | 2 +- 9 files changed, 14 insertions(+), 14 deletions(-) rename src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/{install-cert-with-warp.mdx => automated-deployment.mdx} (100%) diff --git a/public/_redirects b/public/_redirects index aab837bcc8543d7..01a1394c624ed1a 100644 --- a/public/_redirects +++ b/public/_redirects 
@@ -1632,6 +1632,7 @@ /cloudflare-one/connections/connect-devices/warp/device-enrollment/ /cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/ 301 /cloudflare-one/connections/connect-devices/warp/warp-settings/ /cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/ 301 /cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cloudflare-cert/ /cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/ 301 +/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/ /cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/ 301 /cloudflare-one/connections/connect-networks/locations/ /cloudflare-one/connections/connect-devices/agentless/dns/locations/ 301 /cloudflare-one/connections/connect-networks/monitor-tunnels/grafana/ /cloudflare-one/tutorials/grafana/ 301 /cloudflare-one/connections/connect-networks/use-cases/kubectl/ /cloudflare-one/tutorials/many-cfd-one-tunnel/ 301 diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx index 0b176a7f03cd9c8..807bef791be3787 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx 
@@ -61,7 +61,7 @@ The client will automatically reconnect after the [Auto connect period](#auto-co -When `Enabled`, the WARP client will [automatically install](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) your organization's root certificate on the device. +When `Enabled`, the WARP client will [automatically install](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/) your organization's root certificate on the device. ### Override local interface IP diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment.mdx similarity index 100% rename from src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp.mdx rename to src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment.mdx diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx index 4fbeef119fe8b2e..49972479172f8ae 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/index.mdx 
@@ -60,4 +60,4 @@ The status of the certificate will change to **Pending** while it deploys. Once You can set multiple certificates to **Active**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other turned on certificates as **Active** and prevent them from being used for inspection until turned on again. -Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/). +Once you deploy your certificate across Cloudflare and turn it on, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/). diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx index 7bcbf594ad013fc..8d832d540c926dc 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx 
@@ -16,7 +16,7 @@ This procedure is only required to enable specific Cloudflare Zero Trust feature ::: -If your device does not support [certificate installation via WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/), you can manually install the Cloudflare certificate. You must add the certificate to both the [system keychain](#add-the-certificate-to-operating-systems) and to [individual application stores](#add-the-certificate-to-applications). These steps must be performed on each new device that is to be subject to HTTP filtering. +If your device does not support [certificate installation via WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/), you can manually install the Cloudflare certificate. You must add the certificate to both the [system keychain](#add-the-certificate-to-operating-systems) and to [individual application stores](#add-the-certificate-to-applications). These steps must be performed on each new device that is to be subject to HTTP filtering. ## Download the Cloudflare root certificate diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index 3aca3825c5c4efe..92aadee934a0c7f 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx 
@@ -100,7 +100,7 @@ If you see this warning, you may have to disable DNS over HTTPS setting in Firef ## Chrome shows `NET::ERR_CERT_AUTHORITY_INVALID` when I use the WARP client. -Advanced security features including HTTPS traffic inspection require you to deploy a [root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on the device. If [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) is enabled, the WARP client will automatically install a new root certificate whenever you install or update WARP. +Advanced security features including HTTPS traffic inspection require you to deploy a [root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on the device. If [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/) is enabled, the WARP client will automatically install a new root certificate whenever you install or update WARP. Certain web browsers (such as Chrome and Microsoft Edge) load and cache root certificates when they start. Therefore, if you install a root certificate while the browser is already running, the browser may not detect the new certificate. To resolve the error, restart the browser. diff --git a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx index 3f7d45d810264ef..4fb60b1c6bd3b82 100644 --- a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx +++ b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx 
@@ -3,16 +3,15 @@ title: Enable TLS decryption (optional) pcx_content_type: overview sidebar: order: 4 - --- -import { Render } from "~/components" +import { Render } from "~/components"; [TLS decryption](https://www.cloudflare.com/learning/security/what-is-https-inspection/) allows Cloudflare Gateway to inspect HTTPS requests to your private network applications. ## Should I enable TLS decryption? -With TLS decryption enabled, you will be able to apply advanced policies such as scanning for sensitive data, starting a remote browser isolation session, and filtering based on the complete URL and path of requests. These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policy or an [Untrusted certificate *Pass through*](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) policy to allow users to connect. To learn more, refer to [TLS decryption limitations](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). +With TLS decryption enabled, you will be able to apply advanced policies such as scanning for sensitive data, starting a remote browser isolation session, and filtering based on the complete URL and path of requests. These features can increase the security posture of sensitive systems, but TLS decryption can also break your users' access to certain resources. For instance, if your internal applications use self-signed certificates, you will need to either configure a [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policy or an [Untrusted certificate _Pass through_](/cloudflare-one/policies/gateway/http-policies/#untrusted-certificates) policy to allow users to connect. 
To learn more, refer to [TLS decryption limitations](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#inspection-limitations). With TLS decryption disabled, Gateway can only inspect unencrypted HTTP requests. However, you can still apply policies to HTTPS traffic based on user identity, device posture, IP, resolved domain, SNI, and other attributes that support a Zero Trust security implementation. Refer to the [Gateway HTTP policies documentation](/cloudflare-one/policies/gateway/http-policies/) for more information. @@ -24,7 +23,7 @@ Next, choose a [user-side certificate](#configure-user-side-certificates) to use ## Configure user-side certificates -When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a certificate on the user device. You can either [install the certificate provided by Cloudflare](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) (default option) or [upload a custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) to Cloudflare (Enterprise-only option). +When you enable TLS decryption, Gateway will decrypt all traffic sent over HTTPS, apply your HTTP policies, and then re-encrypt the request with a certificate on the user device. You can either [install the certificate provided by Cloudflare](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/) (default option) or [upload a custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) to Cloudflare (Enterprise-only option). ### Best practices 
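Review bot: the `@@ -3,16 +3,15 @@` hunk of enable-tls-decryption.mdx contains no rename at all; it is formatter churn bundled into a rename commit: the blank line dropped before `---`, the semicolon added to `import { Render } from "~/components";`, `*Pass through*` changed to `_Pass through_`, and the sentence "To learn more, refer to [TLS decryption limitations](...)" moved onto its own line. Split that into its own formatting commit (or a repo-wide formatter run) so the link-rename diff stays reviewable, and confirm the "To learn more" line is meant to stay in the same paragraph (no blank line before it) rather than start a new one.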
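Review bot: in the `@@ -24,7 +23,7 @@` hunk, the link text "install the certificate provided by Cloudflare" now resolves to `automated-deployment/`, which covers the WARP-installed path only; readers whose device or application cannot take the certificate from WARP get no pointer, whereas the magic-wan hunk in this same patch links both `automated-deployment/` and `manual-deployment/` for exactly that case. Suggest linking `manual-deployment/` here as well. While the line is being touched, "re-encrypt the request with a certificate on the user device" is imprecise: what sits on the device is the trusted root CA (the page calls it a "trusted private root certificate"), and Gateway presents a certificate issued under that root; saying "re-encrypt the request with a certificate chained to the root CA installed on the user device" would match the rest of the page.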
@@ -32,11 +31,11 @@ Deploying the Cloudflare root certificate is the simplest way to get started wit If you already have a certificate that you use for other inspection or trust purposes, we recommend uploading your own root certificate for the following reasons: -* Using a single certificate streamlines IT management. -* If other services (such as git workflows, other cli tools, or thick client applications) rely on an existing certificate store, presenting the same certificate in inspection is far less likely to interrupt their traffic flow. -* If you are using WARP Connector to connect devices to Cloudflare, those devices will not be able to leverage HTTP policies that require decrypting TLS unless they have a certificate that matches either your uploaded certificate or the Cloudflare root certificate. It is more likely that your network infrastructure already has your own device certificates deployed, so using the existing PKI infrastructure for inspection will reduce the number of steps needed to deploy Zero Trust. +- Using a single certificate streamlines IT management. +- If other services (such as git workflows, other cli tools, or thick client applications) rely on an existing certificate store, presenting the same certificate in inspection is far less likely to interrupt their traffic flow. +- If you are using WARP Connector to connect devices to Cloudflare, those devices will not be able to leverage HTTP policies that require decrypting TLS unless they have a certificate that matches either your uploaded certificate or the Cloudflare root certificate. It is more likely that your network infrastructure already has your own device certificates deployed, so using the existing PKI infrastructure for inspection will reduce the number of steps needed to deploy Zero Trust. :::note[MDM deployments] -Many customers [deploy WARP](/learning-paths/replace-vpn/connect-devices/) onto devices in production using an MDM tool like JAMF or InTune. 
Cloudflare has the ability to deploy the root certificate along with the device, but this could be more consistently and holistically configured within the MDM, where other certificates are presumably managed, trusted, and stored. +Many customers [deploy WARP](/learning-paths/replace-vpn/connect-devices/) onto devices in production using an MDM tool like JAMF or InTune. Cloudflare has the ability to deploy the root certificate along with the device, but this could be more consistently and holistically configured within the MDM, where other certificates are presumably managed, trusted, and stored. ::: diff --git a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx index 52712abd43b5c95..1da178048f798c7 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/build-http-policies/tls-inspection.mdx 
@@ -38,7 +38,7 @@ To turn on TLS inspection for your Zero Trust organization: ### 3. Determine the certificate used for inspection -TLS inspection requires a trusted private root certificate to be able to inspect and filter encrypted traffic. The [default Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) is a simple and common solution that is usually appropriate for testing or proof-of-concept conditions when deployed to your devices. +TLS inspection requires a trusted private root certificate to be able to inspect and filter encrypted traffic. The [default Cloudflare root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/) is a simple and common solution that is usually appropriate for testing or proof-of-concept conditions when deployed to your devices. Alternatively, if you already have a root CA that you use for other inspection or trust applications, we recommend [using your own certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). A few reasons for this include: diff --git a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx index f1d7ff52001f49a..bc852a0c3ea6e06 100644 --- a/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx +++ b/src/content/docs/magic-wan/zero-trust/cloudflare-gateway.mdx 
@@ -14,7 +14,7 @@ You can apply network and HTTP Gateway policies alongside [Magic Firewall](/magi ## HTTPS filtering -In order to inspect HTTPS traffic, you need to install the Cloudflare root certificate on each client device. You can use the [WARP client](/cloudflare-one/connections/connect-devices/warp/) to [automatically install the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/) on supported devices. If your device or application does not support certificate installation via WARP, you can [manually install the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/). The certificate is required for Cloudflare to [decrypt TLS](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). +In order to inspect HTTPS traffic, you need to install the Cloudflare root certificate on each client device. You can use the [WARP client](/cloudflare-one/connections/connect-devices/warp/) to [automatically install the Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/) on supported devices. If your device or application does not support certificate installation via WARP, you can [manually install the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/). The certificate is required for Cloudflare to [decrypt TLS](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). If you cannot or do not want to install the certificate, you can create [Do Not Inspect](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) policies to exempt incompatible Magic WAN traffic from inspection or to disable TLS decryption entirely. 
Because Gateway cannot discern Magic WAN traffic, you must use [WARP client checks](/cloudflare-one/identity/devices/warp-client-checks/) or the IP addresses associated with Magic WAN to match traffic with Gateway policies. For example, if your organization onboards devices to Magic WAN via WARP, you can exempt devices not running WARP using [OS version checks](/cloudflare-one/identity/devices/warp-client-checks/os-version/): From 1276feeb4f621425ec25708af2a41227ca198dde Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Tue, 22 Oct 2024 15:24:44 -0500 Subject: [PATCH 3/3] Fix typo --- .../configure-device-agent/enable-tls-decryption.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx index 4fb60b1c6bd3b82..18cedb448ec9ebc 100644 --- a/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx +++ b/src/content/docs/learning-paths/replace-vpn/configure-device-agent/enable-tls-decryption.mdx 
@@ -32,7 +32,7 @@ Deploying the Cloudflare root certificate is the simplest way to get started wit If you already have a certificate that you use for other inspection or trust purposes, we recommend uploading your own root certificate for the following reasons: - Using a single certificate streamlines IT management. -- If other services (such as git workflows, other cli tools, or thick client applications) rely on an existing certificate store, presenting the same certificate in inspection is far less likely to interrupt their traffic flow. +- If other services (such as `git` workflows, other CLI tools, or thick client applications) rely on an existing certificate store, presenting the same certificate in inspection is far less likely to interrupt their traffic flow. - If you are using WARP Connector to connect devices to Cloudflare, those devices will not be able to leverage HTTP policies that require decrypting TLS unless they have a certificate that matches either your uploaded certificate or the Cloudflare root certificate. It is more likely that your network infrastructure already has your own device certificates deployed, so using the existing PKI infrastructure for inspection will reduce the number of steps needed to deploy Zero Trust. :::note[MDM deployments]
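Review bot: the common-issues.mdx hunk (`@@ -100,7 +100,7 @@`) retargets `/user-side-certificates/install-cert-with-warp/` to `/user-side-certificates/automated-deployment/`, but no matching `public/_redirects` entry for the old path is visible in this patch; without a 301 every inbound link and search result for the old page breaks on rename. Add `/cloudflare-one/connections/connect-devices/warp/user-side-certificates/install-cert-with-warp/ /cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/ 301` next to the other WARP redirects, the same way the `manual-deployment/` rename in this series was handled.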
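Review bot: in the `@@ -32,11 +31,11 @@` hunk of enable-tls-decryption.mdx, the rewritten `:::note[MDM deployments]` line carries over "JAMF" and "InTune"; the products are spelled Jamf and Microsoft Intune, so fix them while the line is already being rewritten. "Cloudflare has the ability to deploy the root certificate along with the device" also reads oddly; the mechanism described elsewhere in this patch is the WARP client installing the certificate on install or update, so "along with the WARP client" is what is meant. The rest of the hunk (`*` to `-` bullet markers, the note joined into one paragraph) is formatter output with no rename content and belongs in a separate commit.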
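Review bot: in the tls-inspection.mdx hunk (`@@ -38,7 +38,7 @@`), the link text "default Cloudflare root certificate" now lands on a page named `automated-deployment/`, which is about the installation mechanism rather than the certificate itself. Either point the certificate phrase at the user-side-certificates index and link `automated-deployment/` from the words about deploying it to devices, or reword to "the default Cloudflare root certificate, installed automatically by WARP" so the destination matches the anchor text.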
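Review bot: the `[PATCH 3/3] Fix typo` hunk (`git` in backticks, `cli` to CLI) rewrites a bullet that patch 2/3 had just reformatted from `*` to `-`; squash it into that commit so the same line is not changed twice in the series. The capitalization pass should also reach "InTune" in the `:::note[MDM deployments]` block that follows this hunk, which the earlier commit left as is.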