diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx index 03d913a4fbfd01d..131e8762e76ad0c 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx @@ -35,6 +35,12 @@ The certificate is required if you want to [apply HTTP policies to encrypted web ## Install a certificate using WARP +:::caution[Out of date certificates] +WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use** and automatically remove any other WARP-installed certificates from your users' devices. To ensure your users' devices have all of your available certificates installed, [update WARP](/cloudflare-one/connections/connect-devices/warp/download-warp/update-warp/#how-to-update-warp). +::: + +To configure WARP to install a root certificate on your organization's devices: + 1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare. 2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. 3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store). 
@@ -42,13 +48,11 @@ The certificate is required if you want to [apply HTTP policies to encrypted web 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. 6. (Optional) If the device is running macOS Big Sur or newer, [manually trust the certificate](#manually-trust-the-certificate). -WARP versions after 2024.12.554.0 will install all [**Available** certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). These certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). It may take up to 24 hours for newly Available certificates to download onto end user devices. +WARP will now download any [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#activate-a-root-certificate). It may take up to 24 hours for newly available certificates to download to your users' devices. -Older WARP versions will only install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices. +After download, WARP will add the certificates to the device's system certificate store in `installed_certs/.pem` and append the contents to the `installed_cert.pem` file. If you have any scripts using `installed_cert.pem`, Cloudflare recommends you set them to use the individual files in the `installed_certs/` directory instead. `installed_certs.pem` will be deprecated by 2025-06-31. 
-:::note[Important] -WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store. -::: +WARP does not install certificates to individual applications. You will need to [manually add certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store instead of the system certificate store. ## Access the installed certificate 
@@ -86,28 +90,31 @@ To access the installed certificate in Windows: The WARP client will also place the certificate in `%PROGRAMDATA%\Cloudflare\installed_cert.pem` for reference by scripts or tools. -### Linux - -On Linux, the certificate is stored in `/usr/local/share/ca-certificates`. The default Cloudflare certificate name is `managed-warp.pem`. +### Debian-based Linux distributions -If you cannot find the certificate, run the following commands to update the system store: +On Debian-based Linux distributions, the certificate is stored in `/usr/local/share/ca-certificates`. The default installed Cloudflare certificate name is `managed-warp.pem`. The WARP client will create a symbolic link named `managed-warp.crt` to use as its root certificate. If your system is not using `managed-warp.crt`, run the following commands to update the system store: -1. Go to the system certificate store. +1. Update your list of custom CA certificates. ```sh - cd /usr/local/share/ca-certificates + sudo update-ca-certificates ``` -2. Rename the certificate, changing the file extension to `.crt`. +2. Go to the system certificate store. ```sh - sudo mv managed-warp.pem managed-warp.crt + cd /usr/local/share/ca-certificates ``` -3. Update your list of custom CA certificates. +3. Verify your system has both the `managed-warp.pem` file and the `managed-warp.crt` symbolic link. For example: ```sh - sudo update-ca-certificates + ls -l + ``` + + ```sh output + lrwxrwxrwx 1 root root 49 Jan 3 21:46 managed-warp.crt -> /usr/local/share/ca-certificates/managed-warp.pem + -rw-r--r-- 1 root root 1139 Jan 3 21:46 managed-warp.pem ``` The WARP client will also place the certificate in `/var/lib/cloudflare-warp/installed_cert.pem` for reference by scripts or tools. 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 88a19567666b248..3f2fa387d1f522a 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx @@ -15,12 +15,12 @@ Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) fo Zero Trust will indicate if a certificate is ready for use in inspection based on its deployment status: -| Deployment status | Description | -| -------------------- | -------------------------------------------------------------------------------------------------------------- | -| Inactive | The certificate has been generated by or uploaded to Cloudflare but is not deployed across the global network. | -| Pending | The certificate is being activated or deactivated for use. | -| Available | The certificate is deployed across the Cloudflare global network and ready to be turned on. | -| Available and In-Use | The certificate is turned on. Gateway will use the certificate for inspection. | +| Deployment status | Description | +| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Inactive | The certificate has been generated by or uploaded to Cloudflare but is not deployed across the global network. | +| Pending | The certificate is being activated or deactivated for use. | +| Available | The certificate is deployed across the Cloudflare global network and ready to be turned on. The WARP client will install the certificate on your users' devices. | +| Available and In-Use | The certificate is turned on. Gateway will use the certificate for inspection. | ## Generate a Cloudflare root certificate
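Review bot: In automated-deployment.mdx, hunk `@@ -35,6 +35,12 @@`, the caution title `Out of date certificates` does not match its body, which is about out-of-date WARP clients rather than stale certificates. Suggest a title along the lines of "Outdated WARP versions". The body also describes behaviour only for versions "prior to 2024.12.554.0", while the sentence removed in the next hunk said "after 2024.12.554.0", so 2024.12.554.0 itself is covered only by implication. State explicitly from which version onward WARP installs every **Available** certificate.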
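Review bot: In automated-deployment.mdx, hunk `@@ -42,13 +48,11 @@`, the added paragraph on `installed_certs/` has three errors that will end up in users' scripts: the deprecation date `2025-06-31` does not exist (June has 30 days), the last sentence names `installed_certs.pem` while the two earlier mentions are `installed_cert.pem`, and the path `installed_certs/.pem` has nothing before the extension, which looks like a lost filename placeholder. The same sentence says WARP adds certificates to "the device's system certificate store in `installed_certs/.pem`", which conflates the OS trust store with WARP's own directory; split it into one statement about the system store and one about the files WARP writes. "WARP will now download" also drops the version condition that the removed line carried, so tie it back to 2024.12.554.0. Consider keeping the per-application limitation as a `:::note` callout instead of a plain paragraph so it stays visible.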
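Review bot: In automated-deployment.mdx, hunk `@@ -86,28 +90,31 @@`, the new steps no longer repair anything when `managed-warp.crt` is missing: step 1 runs `sudo update-ca-certificates` and step 3 only lists the directory, whereas the removed steps produced the `.crt` file before updating the store. `update-ca-certificates` only picks up files ending in `.crt` under `/usr/local/share/ca-certificates`, so with the symbolic link absent, step 1 changes nothing. Move the verification ahead of the update and say what to do when the link is not there. The lead-in condition "If your system is not using `managed-warp.crt`" gives the reader no way to check it. Renaming `### Linux` to `### Debian-based Linux distributions` changes the section anchor and leaves other distributions without instructions, so check inbound links and say where non-Debian users should look. The trailing context line still points scripts at `/var/lib/cloudflare-warp/installed_cert.pem`, which the previous hunk marks for deprecation; update it in the same change.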
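Review bot: In index.mdx, hunk `@@ -15,12 +15,12 @@`, the sentence added to the `Available` row, "The WARP client will install the certificate on your users' devices.", is unconditional, but the caution added in automated-deployment.mdx says WARP versions prior to 2024.12.554.0 install only the certificate set to **In-Use**. Qualify the row with the version or link to that caution. The `Available and In-Use` row says nothing about installation, so the table now reads as if only `Available` certificates reach devices; add the same statement there. Because `Available` now means a root CA is placed in device trust stores before it is turned on for inspection, say so plainly in the description so administrators treat activation as a trust decision.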