diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment.mdx index 2fa333385f88dfe..c89d7ce6fd09e76 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment.mdx @@ -40,7 +40,7 @@ The certificate is required if you want to [apply HTTP policies to encrypted web 3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store). 4. [Install](/cloudflare-one/connections/connect-devices/warp/download-warp/) the WARP client on the device. 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. -6. (Optional) If the device is running macOS Ventura `13.5` or newer, [manually trust the certificate](#manually-trust-the-certificate). +6. (Optional) If the device is running macOS Ventura or newer, [manually trust the certificate](#manually-trust-the-certificate). WARP will install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). This certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices. 
@@ -52,41 +52,41 @@ WARP only installs the system certificate -- it does not install the certificate After installing the certificate using WARP, you can verify successful installation by accessing the device's system certificate store. -### Windows - -To access the installed certificate in Windows: - -1. Open the Start menu and select **Run**. -2. Enter `certlm.msc`. -3. Go to **Trusted Root Certification Authority** > **Certificates**. - -The default Cloudflare certificate is named **Cloudflare for Teams ECC Certificate Authority**. - -The WARP client will also place the certificate in `%ProgramData%\Cloudflare\installed_cert.pem` for reference by scripts or tools. - ### macOS To access the installed certificate in macOS: 1. Open Keychain Access. 2. In **System Keychains**, go to **System** > **Certificates**. -3. Open your certificate. The default Cloudflare certificate is named **Cloudflare for Teams ECC Certificate Authority**. +3. Open your certificate. The default Cloudflare certificate name is **Gateway CA - Cloudflare Managed G1**. 4. If the certificate is trusted by all users, Keychain Access will display **This certificate is marked as trusted for all users**. The WARP client will also place the certificate in `/Library/Application Support/Cloudflare/installed_cert.pem` for reference by scripts or tools. #### Manually trust the certificate -macOS Ventura `13.5` and newer do not allow WARP to automatically trust the certificate. To manually trust the certificate: +macOS Ventura and newer do not allow WARP to automatically trust the certificate. To manually trust the certificate: -1. Select **Trust**. -2. Set **When using this certificate** to _Always Trust_. +1. In Keychain Access, [find and open the certificate](#macos). +2. Open **Trust**. +3. Set **When using this certificate** to _Always Trust_. +4. (Optional) Restart the device to reset connections to Zero Trust. 
Alternatively, you can configure your mobile device management (MDM) to automatically trust the certificate on all of your organization's devices. +### Windows + +To access the installed certificate in Windows: + +1. Open the Start menu and select **Run**. +2. Enter `certlm.msc`. +3. Go to **Trusted Root Certification Authority** > **Certificates**. The default Cloudflare certificate name is **Gateway CA - Cloudflare Managed G1**. + +The WARP client will also place the certificate in `%ProgramData%\Cloudflare\installed_cert.pem` for reference by scripts or tools. + ### Linux -On Linux, the certificate is stored in `/usr/local/share/ca-certificates`. The default Cloudflare certificate is named `managed-warp.pem`. +On Linux, the certificate is stored in `/usr/local/share/ca-certificates`. The default Cloudflare certificate name is `managed-warp.pem`. If you cannot find the certificate, run the following commands to update the system store: diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx index 912a4ac09f5301f..a41cf582e6dcc25 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment.mdx 
@@ -92,13 +92,9 @@ To install a Cloudflare certificate in macOS, you can use either the Keychain Ac 1. Download a Cloudflare certificate. - 2. Open the `.crt` file in Keychain Access. If prompted, enter your local password. - 3. In **Keychain**, choose the access option that suits your needs and select **Add**. - 4. In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select **Get Info**. - 5. Select **Trust**. Under **When using this certificate**, select _Always Trust_. The root certificate is now installed and ready to be used. @@ -143,19 +139,12 @@ Windows offers two locations to install the certificate, each impacting which us | Local Machine Store | All users on the system | 1. [Download a Cloudflare certificate](#download-the-cloudflare-root-certificate). - 2. Right-click the certificate file. - 3. Select **Open**. If a security warning appears, choose **Open** to proceed. - 4. The **Certificate** window will appear. Select **Install Certificate**. - 5. Now choose a Store Location. If a security warning appears, choose **Yes** to proceed. - 6. On the next screen, select **Browse**. - 7. In the list, choose the _Trusted Root Certification Authorities_ store. - 8. Select **OK**, then select **Finish**. The root certificate is now installed and ready to be used. 
@@ -216,24 +205,23 @@ NixOS does not use the system certificate store for self updating and instead re ### iOS -iOS only allows the Safari browser to open and install certificates. - -1. Open Safari and [download a Cloudflare certificate](#download-the-cloudflare-root-certificate). The device will display a confirmation dialog. -2. Select **Allow**. -3. Go to **Settings**, where a new **Profile Downloaded** section will appear directly beneath your iCloud user account info. Alternatively, you can go to **Settings** > **General** > **VPN & Device Management** and select the **Cloudflare for Teams ECC Certificate Authority** profile. -4. Select **Install**. If the iOS device is passcode-protected, you will be prompted to enter the passcode. -5. A certificate warning will appear. Select **Install**. If a second prompt appears, select **Install** again. -6. The Profile Installed screen will appear. Select **Done**. The certificate is now installed. However, before it can be used, it must be trusted by the device. -7. In **Settings**, go to **General** > **About** > **Certificate Trust Settings**. The installed root certificates will be displayed under Enable full trust for root certificates. -8. Turn on the Cloudflare certificate. -9. A security warning message will appear. Choose **Continue**. +1. In Safari, [download a Cloudflare certificate](#download-the-cloudflare-root-certificate) in `.pem` format. +2. Open Files and go to **Recents**. +3. Find and open the downloaded certificate file. A message will appear confirming the profile was downloaded. Select **Close**. +4. Open Settings. Select the **Profile Downloaded** section beneath your Apple Account info. Alternatively, go to **General** > **VPN & Device Management** and select the **Gateway CA - Cloudflare Managed G1** profile. +5. Select **Install**. If the iOS device is passcode-protected, you will be prompted to enter the passcode. +6. A certificate warning will appear. Select **Install**. 
If a second prompt appears, select **Install** again. +7. The Profile Installed screen will appear. Select **Done**. The certificate is now installed. However, before it can be used, it must be trusted by the device. +8. In Settings, go to **General** > **About** > **Certificate Trust Settings**. The installed root certificates will be displayed under Enable full trust for root certificates. +9. Turn on the Cloudflare certificate. +10. A security warning message will appear. Choose **Continue**. The root certificate is now installed and ready to be used. ### Android 1. [Download a Cloudflare certificate](#download-the-cloudflare-root-certificate). -2. In **Settings**, go to **Security** > **Advanced** > **Encryption & credentials** > **Install a certificate**. +2. In Settings, go to **Security** > **Advanced** > **Encryption & credentials** > **Install a certificate**. 3. Select **CA certificate**. 4. Select **Install anyway**. 5. Verify your identity.
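Review bot: In automated-deployment.mdx step 6 (hunk @@ -40,7), the step stays labelled "(Optional)" while the "Manually trust the certificate" section in the same file now says macOS Ventura and newer do not allow WARP to automatically trust the certificate. If an untrusted certificate means HTTP inspection fails on those devices, the step is required there; suggest dropping "(Optional)" or stating when it can be skipped. Dropping `13.5` also widens the claim to every Ventura release (13.0 through 13.4); please confirm that is intended and not only a simplification.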
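Review bot: In the verification section of automated-deployment.mdx (hunk @@ -52,41), the macOS and Windows steps now name only **Gateway CA - Cloudflare Managed G1**, but the paragraph above the hunk says the In-Use certificate can also be a custom certificate, which will not carry that name. Suggest wording it as the name of the Cloudflare-generated certificate and pointing readers to compare the store entry with `installed_cert.pem`, which both sections already mention. The new macOS step 4, "(Optional) Restart the device to reset connections to Zero Trust", does not say when a restart is needed, and in the Linux line `managed-warp.pem` is a file name, so "certificate name" reads oddly there.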
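Review bot: In manual-deployment.mdx under iOS (hunk @@ -216,24), the sentence "iOS only allows the Safari browser to open and install certificates." is removed but step 1 still begins "In Safari", so the constraint is kept without its reason. Either keep a short note that the download must be done in Safari or, if that is no longer true, drop "In Safari" from step 1. Step 1 also now requires `.pem` format while Android step 1 gives no format; say which format Android expects, or state the format once in the download section.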