Merged
Expand Up @@ -40,7 +40,7 @@ The certificate is required if you want to [apply HTTP policies to encrypted web
3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store).
4. [Install](/cloudflare-one/connections/connect-devices/warp/download-warp/) the WARP client on the device.
5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization.
6. (Optional) If the device is running macOS Ventura `13.5` or newer, [manually trust the certificate](#manually-trust-the-certificate).
6. (Optional) If the device is running macOS Ventura or newer, [manually trust the certificate](#manually-trust-the-certificate).

WARP will install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). This certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices.

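Review bot: Step 6 now reads "macOS Ventura or newer" with no version number, so a reader comparing against the version shown on the device has to know that Ventura is macOS 13. Dropping `13.5` also widens the statement to 13.0 through 13.4; if that is intended, "macOS 13 (Ventura) or newer" would make the boundary explicit. The step is still marked "(Optional)" even though the linked section says these releases do not allow WARP to trust the certificate automatically, so it would help to state in which case the step can be skipped.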
Expand All @@ -52,41 +52,41 @@ WARP only installs the system certificate -- it does not install the certificate

After installing the certificate using WARP, you can verify successful installation by accessing the device's system certificate store.

### Windows

To access the installed certificate in Windows:

1. Open the Start menu and select **Run**.
2. Enter `certlm.msc`.
3. Go to **Trusted Root Certification Authority** > **Certificates**.

The default Cloudflare certificate is named **Cloudflare for Teams ECC Certificate Authority**.

The WARP client will also place the certificate in `%ProgramData%\Cloudflare\installed_cert.pem` for reference by scripts or tools.

### macOS

To access the installed certificate in macOS:

1. Open Keychain Access.
2. In **System Keychains**, go to **System** > **Certificates**.
3. Open your certificate. The default Cloudflare certificate is named **Cloudflare for Teams ECC Certificate Authority**.
3. Open your certificate. The default Cloudflare certificate name is **Gateway CA - Cloudflare Managed G1**.
4. If the certificate is trusted by all users, Keychain Access will display **This certificate is marked as trusted for all users**.

The WARP client will also place the certificate in `/Library/Application Support/Cloudflare/installed_cert.pem` for reference by scripts or tools.

#### Manually trust the certificate

macOS Ventura `13.5` and newer do not allow WARP to automatically trust the certificate. To manually trust the certificate:
macOS Ventura and newer do not allow WARP to automatically trust the certificate. To manually trust the certificate:

1. Select **Trust**.
2. Set **When using this certificate** to _Always Trust_.
1. In Keychain Access, [find and open the certificate](#macos).
2. Open **Trust**.
3. Set **When using this certificate** to _Always Trust_.
4. (Optional) Restart the device to reset connections to Zero Trust.

Alternatively, you can configure your mobile device management (MDM) to automatically trust the certificate on all of your organization's devices.

### Windows

To access the installed certificate in Windows:

1. Open the Start menu and select **Run**.
2. Enter `certlm.msc`.
3. Go to **Trusted Root Certification Authority** > **Certificates**. The default Cloudflare certificate name is **Gateway CA - Cloudflare Managed G1**.

The WARP client will also place the certificate in `%ProgramData%\Cloudflare\installed_cert.pem` for reference by scripts or tools.

### Linux

On Linux, the certificate is stored in `/usr/local/share/ca-certificates`. The default Cloudflare certificate is named `managed-warp.pem`.
On Linux, the certificate is stored in `/usr/local/share/ca-certificates`. The default Cloudflare certificate name is `managed-warp.pem`.

If you cannot find the certificate, run the following commands to update the system store:

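Review bot: The previous default name, **Cloudflare for Teams ECC Certificate Authority**, disappears entirely from macOS step 3 and from the Windows section, replaced by **Gateway CA - Cloudflare Managed G1**. If any enrolled devices can still carry a certificate under the previous name, an admin following these verification steps will look for the wrong entry and conclude the install failed; consider keeping the old name as a short note. The context above also says WARP installs whichever certificate is set to In-Use, which may be a custom certificate, so a reminder that a custom certificate appears under its own name would fit in the same place.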
Expand Up @@ -92,13 +92,9 @@ To install a Cloudflare certificate in macOS, you can use either the Keychain Ac
<TabItem label="Keychain Access">

1. Download a Cloudflare certificate.

2. Open the `.crt` file in Keychain Access. If prompted, enter your local password.

3. In **Keychain**, choose the access option that suits your needs and select **Add**.

4. In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select **Get Info**.

5. Select **Trust**. Under **When using this certificate**, select _Always Trust_.

The root certificate is now installed and ready to be used.
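Review bot: Step 5 still reads "Select **Trust**. Under **When using this certificate**, select _Always Trust_.", while the equivalent steps rewritten elsewhere in this PR say "Open **Trust**" and "Set **When using this certificate** to _Always Trust_". Since this hunk already touches the list, align the wording so both pages describe the same Keychain Access action the same way.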
Expand Down Expand Up @@ -143,19 +139,12 @@ Windows offers two locations to install the certificate, each impacting which us
| Local Machine Store | All users on the system |

1. [Download a Cloudflare certificate](#download-the-cloudflare-root-certificate).

2. Right-click the certificate file.

3. Select **Open**. If a security warning appears, choose **Open** to proceed.

4. The **Certificate** window will appear. Select **Install Certificate**.

5. Now choose a Store Location. If a security warning appears, choose **Yes** to proceed.

6. On the next screen, select **Browse**.

7. In the list, choose the _Trusted Root Certification Authorities_ store.

8. Select **OK**, then select **Finish**.

The root certificate is now installed and ready to be used.
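Review bot: Step 5 says "Now choose a Store Location" without saying which one to pick, although that choice decides which users end up trusting the certificate (the table above lists Local Machine Store as affecting all users on the system). While the list is being reformatted, point the step back at that table and drop the filler "Now".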
Expand Down Expand Up @@ -216,24 +205,23 @@ NixOS does not use the system certificate store for self updating and instead re

### iOS

iOS only allows the Safari browser to open and install certificates.

1. Open Safari and [download a Cloudflare certificate](#download-the-cloudflare-root-certificate). The device will display a confirmation dialog.
2. Select **Allow**.
3. Go to **Settings**, where a new **Profile Downloaded** section will appear directly beneath your iCloud user account info. Alternatively, you can go to **Settings** > **General** > **VPN & Device Management** and select the **Cloudflare for Teams ECC Certificate Authority** profile.
4. Select **Install**. If the iOS device is passcode-protected, you will be prompted to enter the passcode.
5. A certificate warning will appear. Select **Install**. If a second prompt appears, select **Install** again.
6. The Profile Installed screen will appear. Select **Done**. The certificate is now installed. However, before it can be used, it must be trusted by the device.
7. In **Settings**, go to **General** > **About** > **Certificate Trust Settings**. The installed root certificates will be displayed under Enable full trust for root certificates.
8. Turn on the Cloudflare certificate.
9. A security warning message will appear. Choose **Continue**.
1. In Safari, [download a Cloudflare certificate](#download-the-cloudflare-root-certificate) in `.pem` format.
2. Open Files and go to **Recents**.
3. Find and open the downloaded certificate file. A message will appear confirming the profile was downloaded. Select **Close**.
4. Open Settings. Select the **Profile Downloaded** section beneath your Apple Account info. Alternatively, go to **General** > **VPN & Device Management** and select the **Gateway CA - Cloudflare Managed G1** profile.
5. Select **Install**. If the iOS device is passcode-protected, you will be prompted to enter the passcode.
6. A certificate warning will appear. Select **Install**. If a second prompt appears, select **Install** again.
7. The Profile Installed screen will appear. Select **Done**. The certificate is now installed. However, before it can be used, it must be trusted by the device.
8. In Settings, go to **General** > **About** > **Certificate Trust Settings**. The installed root certificates will be displayed under Enable full trust for root certificates.
9. Turn on the Cloudflare certificate.
10. A security warning message will appear. Choose **Continue**.

The root certificate is now installed and ready to be used.

### Android

1. [Download a Cloudflare certificate](#download-the-cloudflare-root-certificate).
2. In **Settings**, go to **Security** > **Advanced** > **Encryption & credentials** > **Install a certificate**.
2. In Settings, go to **Security** > **Advanced** > **Encryption & credentials** > **Install a certificate**.
3. Select **CA certificate**.
4. Select **Install anyway**.
5. Verify your identity.
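Review bot: The removed sentence "iOS only allows the Safari browser to open and install certificates." was the only explanation of why Safari is required; step 1 now just says "In Safari", so a user with a different default browser gets no hint that the choice matters. Keep the reason, for example folded into step 1. In steps 7 and 8, "Profile Installed" and "Enable full trust for root certificates" are on-screen labels but are not bolded like the other UI labels in the list.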