From 8c65e044810d470e7f91afd12697cbc4bc25ca5b Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Fri, 3 Jan 2025 15:55:16 -0600 Subject: [PATCH 1/6] Add Linux instructions --- .../automated-deployment.mdx | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx index 03d913a4fbfd01d..5220d60fe1e0d1a 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx 
@@ -86,28 +86,31 @@ To access the installed certificate in Windows: The WARP client will also place the certificate in `%PROGRAMDATA%\Cloudflare\installed_cert.pem` for reference by scripts or tools. -### Linux +### Debian-based Linux distributions -On Linux, the certificate is stored in `/usr/local/share/ca-certificates`. The default Cloudflare certificate name is `managed-warp.pem`. +On Debian-based Linux distributions, the certificate is stored in `/usr/local/share/ca-certificates`. The default installed Cloudflare certificate name is `managed-warp.pem`. The WARP client will create a symbolic link named `managed-warp.crt` to use as its root certificate. If your system is not using `managed-warp.crt`, run the following commands to update the system store: -If you cannot find the certificate, run the following commands to update the system store: - -1. Go to the system certificate store. +1. Update your list of custom CA certificates. ```sh - cd /usr/local/share/ca-certificates + sudo update-ca-certificates ``` -2. Rename the certificate, changing the file extension to `.crt`. +2. Go to the system certificate store. ```sh - sudo mv managed-warp.pem managed-warp.crt + cd /usr/local/share/ca-certificates ``` -3. Update your list of custom CA certificates. +3. Verify your system has both the `managed-warp.pem` file and the `managed-warp.crt` symbolic link. For example: ```sh - sudo update-ca-certificates + ls -l + ``` + + ```sh output + lrwxrwxrwx 1 root root 49 Jan 3 21:46 managed-warp.crt -> /usr/local/share/ca-certificates/managed-warp.pem + -rw-r--r-- 1 root root 1139 Jan 3 21:46 managed-warp.pem ``` The WARP client will also place the certificate in `/var/lib/cloudflare-warp/installed_cert.pem` for reference by scripts or tools. From e52e0ac026662bde95757226a946a37cec677dab Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Fri, 3 Jan 2025 17:03:26 -0600 Subject: [PATCH 2/6] Fix wording and typos for install --- .../user-side-certificates/automated-deployment.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx index 5220d60fe1e0d1a..7cf4f432f3ca770 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx 
@@ -42,9 +42,9 @@ The certificate is required if you want to [apply HTTP policies to encrypted web 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. 6. (Optional) If the device is running macOS Big Sur or newer, [manually trust the certificate](#manually-trust-the-certificate). -WARP versions after 2024.12.554.0 will install all [**Available** certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). These certificate can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). It may take up to 24 hours for newly Available certificates to download onto end user devices. +WARP version 2024.12.554.0 and later will install all of your [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). These certificates can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). It may take up to 24 hours for newly available certificates to download to your users' devices. -Older WARP versions will only install the [certificate set to **In-Use**](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices. +WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use**. 
If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices. :::note[Important] WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store. From bd8441d1a3471a82405244e48a17c20a47ccfb03 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 6 Jan 2025 12:01:52 -0600 Subject: [PATCH 3/6] Add updates --- .../user-side-certificates/automated-deployment.mdx | 2 +- .../connect-devices/user-side-certificates/index.mdx | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx index 7cf4f432f3ca770..abe1d7753899046 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx 
@@ -44,7 +44,7 @@ The certificate is required if you want to [apply HTTP policies to encrypted web WARP version 2024.12.554.0 and later will install all of your [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). These certificates can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). It may take up to 24 hours for newly available certificates to download to your users' devices. -WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use**. If you turn on a new certificate for inspection, WARP will automatically install the new certificate and remove the old certificate from your users' devices. +WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use** and automatically remove old certificates from your users' devices. :::note[Important] WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx index 88a19567666b248..3f2fa387d1f522a 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/index.mdx 
@@ -15,12 +15,12 @@ Gateway [generates a unique root CA](#generate-a-cloudflare-root-certificate) fo Zero Trust will indicate if a certificate is ready for use in inspection based on its deployment status: -| Deployment status | Description | -| -------------------- | -------------------------------------------------------------------------------------------------------------- | -| Inactive | The certificate has been generated by or uploaded to Cloudflare but is not deployed across the global network. | -| Pending | The certificate is being activated or deactivated for use. | -| Available | The certificate is deployed across the Cloudflare global network and ready to be turned on. | -| Available and In-Use | The certificate is turned on. Gateway will use the certificate for inspection. | +| Deployment status | Description | +| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Inactive | The certificate has been generated by or uploaded to Cloudflare but is not deployed across the global network. | +| Pending | The certificate is being activated or deactivated for use. | +| Available | The certificate is deployed across the Cloudflare global network and ready to be turned on. The WARP client will install the certificate on your users' devices. | +| Available and In-Use | The certificate is turned on. Gateway will use the certificate for inspection. | ## Generate a Cloudflare root certificate From c5fb5abe4de96e8fc0621d44c355862fad5ff99c Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 8 Jan 2025 17:17:36 -0600 Subject: [PATCH 4/6] Add new details for WARP --- .../user-side-certificates/automated-deployment.mdx | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx index abe1d7753899046..5f0ec6900ec28a0 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx @@ -35,6 +35,8 @@ The certificate is required if you want to [apply HTTP policies to encrypted web ## Install a certificate using WARP +To configure WARP to install a root certificate on your organization's devices: + 1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare. 2. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **WARP Client**. 3. Turn on [**Install CA to system certificate store**](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#install-ca-to-system-certificate-store). 
@@ -42,12 +44,14 @@ The certificate is required if you want to [apply HTTP policies to encrypted web 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. 6. (Optional) If the device is running macOS Big Sur or newer, [manually trust the certificate](#manually-trust-the-certificate). -WARP version 2024.12.554.0 and later will install all of your [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#certificate-status). These certificates can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). It may take up to 24 hours for newly available certificates to download to your users' devices. +WARP will download any [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#activate-a-root-certificate), then add the files to the `installed_certs/` directory and to the `installed_cert.pem` file in the device's system certificate store. These certificates can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). It may take up to 24 hours for newly available certificates to download to your users' devices. + +Cloudflare recommends you set any scripts using the `installed_cert.pem` to use the `installed_certs/` directory instead. `installed_certs.pem` will be removed by 31-06-2025. -WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use** and automatically remove old certificates from your users' devices. 
+WARP only installs certificates to the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store. -:::note[Important] -WARP only installs the system certificate -- it does not install the certificate to individual applications. You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store. +:::caution[Out of date certificates] +WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use** and automatically remove old certificates from your users' devices. To ensure your users' devices have the most up-to-date certificates installed, [update WARP](/cloudflare-one/connections/connect-devices/warp/download-warp/update-warp/#how-to-update-warp). ::: ## Access the installed certificate From 6b4cfdd2bfc655d4ba6e84f62a267366450c4144 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 9 Jan 2025 13:56:07 -0600 Subject: [PATCH 5/6] Fix wording for install locations --- .../automated-deployment.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx index 5f0ec6900ec28a0..d02cd9ed79acfd7 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx 
@@ -35,6 +35,10 @@ The certificate is required if you want to [apply HTTP policies to encrypted web ## Install a certificate using WARP +:::caution[Out of date certificates] +WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use** and automatically remove any other WARP-installed certificates from your users' devices. To ensure your users' devices have all of your available certificates installed, [update WARP](/cloudflare-one/connections/connect-devices/warp/download-warp/update-warp/#how-to-update-warp). +::: + To configure WARP to install a root certificate on your organization's devices: 1. (Optional) [Upload](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/) a custom root certificate to Cloudflare. 
@@ -44,15 +48,11 @@ To configure WARP to install a root certificate on your organization's devices: 5. [Enroll the device](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/) in your Zero Trust organization. 6. (Optional) If the device is running macOS Big Sur or newer, [manually trust the certificate](#manually-trust-the-certificate). -WARP will download any [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#activate-a-root-certificate), then add the files to the `installed_certs/` directory and to the `installed_cert.pem` file in the device's system certificate store. These certificates can be either a [Cloudflare-generated certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/#generate-a-cloudflare-root-certificate) or a [custom certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/custom-certificate/). It may take up to 24 hours for newly available certificates to download to your users' devices. +WARP will now download any [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#activate-a-root-certificate). It may take up to 24 hours for newly available certificates to download to your users' devices. -Cloudflare recommends you set any scripts using the `installed_cert.pem` to use the `installed_certs/` directory instead. `installed_certs.pem` will be removed by 31-06-2025. +After download, WARP will add the certificates to the device's system certificate store in `installed_certs/.pem` and append the contents to the `installed_cert.pem` file. If you have any scripts using `installed_cert.pem`, Cloudflare recommends you set them to use the `installed_certs/` directory instead. `installed_certs.pem` will be deprecated by 2025-06-31. -WARP only installs certificates to the system certificate -- it does not install the certificate to individual applications. 
You will need to [manually add the certificate](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store. - -:::caution[Out of date certificates] -WARP versions prior to 2024.12.554.0 will only install the certificate set to **In-Use** and automatically remove old certificates from your users' devices. To ensure your users' devices have the most up-to-date certificates installed, [update WARP](/cloudflare-one/connections/connect-devices/warp/download-warp/update-warp/#how-to-update-warp). -::: +WARP does not install certificates to individual applications. You will need to [manually add certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store instead of the system certificate store. ## Access the installed certificate From 7d007aff8460389fbdbaa0399ca3810c334214a2 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Thu, 9 Jan 2025 15:48:06 -0600 Subject: [PATCH 6/6] Make cert wording more precise --- .../user-side-certificates/automated-deployment.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx index d02cd9ed79acfd7..131e8762e76ad0c 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/user-side-certificates/automated-deployment.mdx 
@@ -50,7 +50,7 @@ To configure WARP to install a root certificate on your organization's devices: WARP will now download any [certificates set to **Available**](/cloudflare-one/connections/connect-devices/user-side-certificates/#activate-a-root-certificate). It may take up to 24 hours for newly available certificates to download to your users' devices. -After download, WARP will add the certificates to the device's system certificate store in `installed_certs/.pem` and append the contents to the `installed_cert.pem` file. If you have any scripts using `installed_cert.pem`, Cloudflare recommends you set them to use the `installed_certs/` directory instead. `installed_certs.pem` will be deprecated by 2025-06-31. +After download, WARP will add the certificates to the device's system certificate store in `installed_certs/.pem` and append the contents to the `installed_cert.pem` file. If you have any scripts using `installed_cert.pem`, Cloudflare recommends you set them to use the individual files in the `installed_certs/` directory instead. `installed_certs.pem` will be deprecated by 2025-06-31. WARP does not install certificates to individual applications. You will need to [manually add certificates](/cloudflare-one/connections/connect-devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) to applications that rely on their own certificate store instead of the system certificate store.
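Review bot: In PATCH 1/6, the rewritten Debian steps never say what to do when `managed-warp.crt` is missing, although the lead-in is conditioned on "If your system is not using `managed-warp.crt`". The removed step (`sudo mv managed-warp.pem managed-warp.crt`) was the only remediation, and `update-ca-certificates` only picks up files ending in `.crt`, so running it as the new step 1 does nothing for this certificate when the link is absent. Suggest putting the `ls -l` check first, stating how to recreate the link if it is missing, and running `sudo update-ca-certificates` last. The rename of `### Linux` likely changes the section anchor as well, so check for inbound links to it.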
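Review bot: In PATCH 2/6, changing "WARP versions after 2024.12.554.0" to "WARP version 2024.12.554.0 and later" moves 2024.12.554.0 itself into the group that installs all **Available** certificates, which is a behaviour claim rather than a wording fix for a commit titled "Fix wording and typos". Confirm the inclusive boundary against the client release; it is at least consistent with the next paragraph's "prior to 2024.12.554.0". The same hunk drops the `#certificate-status` link from "certificate set to **In-Use**"; keep it unless the removal is intentional.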
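Review bot: In PATCH 3/6, the sentence added to the **Available** row of the `index.mdx` table ("The WARP client will install the certificate on your users' devices.") is unconditional, but `automated-deployment.mdx` limits this to WARP 2024.12.554.0 and later and requires **Install CA to system certificate store** to be turned on. Qualify the row or link it to the automated deployment page. The **Available and In-Use** row should also state that the certificate is installed, otherwise the table reads as if only **Available** certificates reach devices.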
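Review bot: In PATCH 4/6, the added line "`installed_certs.pem` will be removed by 31-06-2025" has two errors: June has 30 days, so the date does not exist, and the filename has an extra "s" compared with `installed_cert.pem` in the sentence before it, so readers auditing their scripts will search for the wrong name. The same hunk says WARP adds the files "to the `installed_certs/` directory and to the `installed_cert.pem` file in the device's system certificate store", while the Access section places `installed_cert.pem` under `/var/lib/cloudflare-warp/` and `%PROGRAMDATA%\Cloudflare\`, which are not the system store; state the actual location. "WARP only installs certificates to the system certificate" is also missing the word "store".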
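Review bot: In PATCH 5/6, the path `installed_certs/.pem` in the new "After download" paragraph has nothing before `.pem`, so it reads as a single hidden file rather than one file per certificate; if a filename placeholder was intended, spell it out in a form that is not dropped from the rendered page. The hunk also changes "removed" to "deprecated", which is a different commitment to readers, keeps the `installed_certs.pem` filename mismatch, and the reformatted date 2025-06-31 is still not a real date.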
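Review bot: In PATCH 6/6, the recommendation to use "the individual files in the `installed_certs/` directory" conflicts with the Access section, which still tells readers that WARP places the certificate in `installed_cert.pem` "for reference by scripts or tools" on both Windows and Linux. Update those sentences in the same series and give the full per-OS path of `installed_certs/`, since only the full path of `installed_cert.pem` appears on the page and a script author cannot locate the directory from this text.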