cloudflare · maxvp · Nov 18, 2024 · Nov 15, 2024 · Nov 15, 2024 · Nov 15, 2024
@@ -1785,6 +1785,7 @@
 /cloudflare-one/connections/connect-apps/use_cases/* /cloudflare-one/connections/connect-networks/use-cases/:splat 301
 /cloudflare-one/connections/connect-apps/* /cloudflare-one/connections/connect-networks/:splat 301
 /cloudflare-one/connections/connect-devices/warp/exclude-traffic/* /cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/:splat 301
+/cloudflare-one/connections/connect-devices/warp/user-side-certificates/* /cloudflare-one/connections/connect-devices/user-side-certificates/:splat 301
 /cloudflare-one/examples/* /cloudflare-one/api-terraform/access-api-examples/:splat 301
 /cloudflare-one/faq/teams-* /cloudflare-one/faq/:splat 301
 /cloudflare-one/learning-paths/* /cloudflare-one/implementation-guides/:splat 301

@@ -8,7 +8,7 @@ entries:
   - publish_date: "2024-10-17"
     title: Per-account Cloudflare root certificate
     description: |-
-      Gateway users can now generate [unique root CAs](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) for their Zero Trust account. Both generated certificate and custom certificate users must [activate a root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#activate-a-root-certificate) to use it for inspection. Per-account certificates replace the default Cloudflare certificate, which is set to expire on 2025-02-02.
+      Gateway users can now generate [unique root CAs](/cloudflare-one/connections/connect-devices/user-side-certificates/) for their Zero Trust account. Both generated certificate and custom certificate users must [activate a root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#activate-a-root-certificate) to use it for inspection. Per-account certificates replace the default Cloudflare certificate, which is set to expire on 2025-02-02.
   - publish_date: "2024-10-10"
     title: Time-based policy duration
     description: |-

@@ -2,15 +2,14 @@
 pcx_content_type: concept
 title: Agentless options
 sidebar:
-  order: 2
-
+  order: 3
 ---
 
 If you are unable to install the WARP client on your devices (for example, Windows Server does not support the WARP client), you can use agentless options to enable a subset of Zero Trust features.
 
-* **[Gateway DNS policies](/cloudflare-one/connections/connect-devices/agentless/dns/)**
-* **[Gateway HTTP policies](/cloudflare-one/connections/connect-devices/agentless/pac-files/)** without user identity and device posture
-* **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH and VNC connections
-* **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/)
-* **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/scan-apps/)**
-* **[Data Loss Prevention (DLP)](/cloudflare-one/applications/scan-apps/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB
+- **[Gateway DNS policies](/cloudflare-one/connections/connect-devices/agentless/dns/)**
+- **[Gateway HTTP policies](/cloudflare-one/connections/connect-devices/agentless/pac-files/)** without user identity and device posture
+- **[Access policies](/cloudflare-one/policies/access/)** without device posture for [web applications](/cloudflare-one/applications/configure-apps/) and [browser-rendered](/cloudflare-one/applications/non-http/browser-rendering/) SSH and VNC connections
+- **[Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/)** via an [Access policy](/cloudflare-one/policies/access/isolate-application/), [prefixed URLs](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/policies/browser-isolation/setup/non-identity/)
+- **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/scan-apps/)**
+- **[Data Loss Prevention (DLP)](/cloudflare-one/applications/scan-apps/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB
@@ -21,7 +21,7 @@ When end users visit a website, their browser will send the request to a Cloudfl
 
 ## Prerequisites
 
-Install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/) on your device.
+Install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/) on your device.
 
 ## 1. Generate a proxy endpoint
 

@@ -29,23 +29,23 @@ import { Details } from "~/components";
 <sup>*</sup> Only supported on Debian-based systems.
 </Details>
 
-The WARP client can automatically install a Cloudflare certificate or [custom root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/).
+The [WARP client](/cloudflare-one/connections/connect-devices/warp/) can automatically install a Cloudflare certificate or [custom root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) on Windows, macOS, and Debian/Ubuntu Linux devices. On mobile devices and Red Hat-based systems, you will need to [install the certificate manually](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/).
 
-The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), display custom block pages, and more.
+The certificate is required if you want to [apply HTTP policies to encrypted websites](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), display custom [block pages](/cloudflare-one/policies/gateway/block-page/), and more.
 
 ## Install a certificate using WARP
 
-1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare.
+1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare.
 2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**.
 3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store).
 4. [Install](/cloudflare-one/connections/connect-devices/warp/download-warp/) the WARP client on the device.
 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization.
 6. (Optional) If the device is running macOS Ventura or newer, [manually trust the certificate](#manually-trust-the-certificate).
 
-WARP will install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#certificate-status). This certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices.
+WARP will install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). This certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices.
 
 :::note[Important]
-WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store.
+WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store.
 :::
 
 ## Access the installed certificate

@@ -16,7 +16,7 @@ import { Render, Tabs, TabItem } from "~/components";
 Only available on Enterprise plans.
 :::
 
-Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/block-page/).
+Enterprise customers who do not wish to install a [Cloudflare certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/) have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the [block page](/cloudflare-one/policies/gateway/block-page/).
 
 You can upload up to five custom root certificates. If your organization requires more than five certificates, contact your account team.
 
@@ -161,7 +161,7 @@ When you upload a private key to Zero Trust, Cloudflare encrypts the key and sto
 
 ## Use a custom root certificate
 
-To use a custom root certificate you generated and uploaded to Cloudflare, refer to [Activate a root certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#activate-a-root-certificate).
+To use a custom root certificate you generated and uploaded to Cloudflare, refer to [Activate a root certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#activate-a-root-certificate).
 
 ## Troubleshoot HTTP errors
 

@@ -2,14 +2,14 @@
 pcx_content_type: get-started
 title: User-side certificates
 sidebar:
-  order: 4
+  order: 2
 banner:
   content: The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must <a href="#generate-a-cloudflare-root-certificate">generate a new certificate</a> and activate it for your Zero Trust organization to avoid inspection errors.
 ---
 
 Advanced security features such as [HTTPS traffic inspection](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/), [anti-virus scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/), and [Browser Isolation](/cloudflare-one/policies/browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.
 
-Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/custom-certificate/).
+Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each Zero Trust account and deploys its across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/).
 
 ## Certificate status
 
@@ -51,7 +51,7 @@ To activate your root certificate:
 3. Select the certificate you want to activate.
 4. Select **Activate**.
 
-The status of the certificate will change to **Pending** while it deploys. Once the status of your certificate is **Active**, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/) or [manually](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/manual-deployment/).
+The status of the certificate will change to **Pending** while it deploys. Once the status of your certificate is **Active**, you can install it on your user's devices either [with WARP](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) or [manually](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/).
 
 Once you deploy and install your certificate, you can turn it on for use in inspection:
 

@@ -18,15 +18,15 @@ This procedure is only required to enable specific Cloudflare Zero Trust feature
 
 :::
 
-If your device does not support [certificate installation via WARP](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/), you can manually install a Cloudflare certificate. You must add the certificate to both the [system keychain](#add-the-certificate-to-operating-systems) and to [individual application stores](#add-the-certificate-to-applications). These steps must be performed on each new device that is to be subject to HTTP filtering.
+If your device does not support [certificate installation via WARP](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/), you can manually install a Cloudflare certificate. You must add the certificate to both the [system keychain](#add-the-certificate-to-operating-systems) and to [individual application stores](#add-the-certificate-to-applications). These steps must be performed on each new device that is to be subject to HTTP filtering.
 
 ## Download the Cloudflare root certificate
 
 :::note[Download limitation]
 You can only download certificates from the Zero Trust dashboard.
 :::
 
-First, [generate](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/#generate-a-cloudflare-root-certificate) and download a Cloudflare certificate. The certificate is available in both `.pem` and `.crt` file format. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case.
+First, [generate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) and download a Cloudflare certificate. The certificate is available in both `.pem` and `.crt` file format. Certain applications require the certificate to be in a specific file type, so ensure you download the most appropriate file for your use case.
 
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Resources**.
 2. In **Certificates**, select **Manage**.

@@ -5,7 +5,14 @@ sidebar:
   order: 2
 ---
 
-import { Details, GlossaryTooltip, InlineBadge, Render, Tabs, TabItem} from "~/components";
+import {
+	Details,
+	GlossaryTooltip,
+	InlineBadge,
+	Render,
+	Tabs,
+	TabItem,
+} from "~/components";
 
 WARP settings define the WARP client modes and permissions available to end users.
 
@@ -61,7 +68,7 @@ The client will automatically reconnect after the [Auto connect period](#auto-co
 
 </Details>
 
-When `Enabled`, the WARP client will [automatically install](/cloudflare-one/connections/connect-devices/warp/user-side-certificates/automated-deployment/) your organization's root certificate on the device.
+When `Enabled`, the WARP client will [automatically install](/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment/) your organization's root certificate on the device.
 
 ### Override local interface IP <InlineBadge preset="beta" />
 
@@ -241,7 +248,8 @@ Creates [Split Tunnel](/cloudflare-one/connections/connect-devices/warp/configur
 | Android  | ✅           | 1.4                  |
 | ChromeOS | ✅           | 1.4                  |
 
-[^1]:  Current versions of iOS do not allow LAN traffic to route through the WARP tunnel. Therefore, this feature is not needed on iOS.
+[^1]: Current versions of iOS do not allow LAN traffic to route through the WARP tunnel. Therefore, this feature is not needed on iOS.
+
 </Details>
 
 This setting is intended as a workaround for users whose home network uses the same set of IP addresses as your corporate private network. To use this setting, **Split Tunnels** must be set to **Exclude IPs and domains**.
@@ -261,15 +269,20 @@ Enabling this setting comes with two major consequences:
 
 To turn on local network access in the WARP client:
 
-<Tabs> <TabItem label="Windows and macOS">
+<Tabs>
+
+<TabItem label="Windows and macOS">
 
 1. Select the Cloudflare logo in the menu bar.
 2. Select the gear icon.
 3. Select **Access Local Network**.
-</TabItem> <TabItem label="Linux">
 
-1. Open a terminal window.
-2. Run `warp-cli override local-network start`.
+</TabItem>
+
+<TabItem label="Linux">
+
+4. Open a terminal window.
+5. Run `warp-cli override local-network start`.
 
 </TabItem>
 
@@ -278,6 +291,7 @@ To turn on local network access in the WARP client:
 1. Open the Cloudflare One Agent app.
 2. Go to **Settings** > **Advanced** > **Connection Options**.
 3. Select **Access Local Network**.
+
 </TabItem>
 
 </Tabs>